Public Services > Central Government

Much More Than a Day: 2018 is Data Protection Year

Published 28 January 2018

Omer Tene, Chief Knowledge Officer at the International Association of Privacy Professionals, argues that with the clock ticking on GDPR, businesses must get start getting smart about data protection


Back in 2007, few people knew or understood the meaning of “Data Protection Day”, the January 28 international holiday dedicated to promoting and raising awareness of privacy and data protection best practices.

Of course, policymakers, business leaders and consumers were sometimes apprehensive about the privacy risks inherent in a dizzying array of technological and data innovations. But how to address these challenges eluded most. Fast forward only a decade, and we can already declare 2018 as “Data Protection Year”, with every business and government agency in Europe – and many outside it – rushing to learn, budget for and implement the General Data Protection Regulation (GDPR).

Disturbingly, as a  survey  from the Department for Digital, Culture, Media and Sport found in the UK last week, not everyone is ready. According to the survey, fewer than half of all businesses and charities are aware of the new data protection laws, just four months before they come into force. 

The UK survey found that awareness to the changes about to be brought by the GDPR is highest in the finance and insurance sectors.  Businesses in the construction industry have the lowest awareness, with only one in four aware of the incoming regulation. Awareness is higher among businesses that report that their senior managers consider cyber security is a fairly high or very high priority, with two in five aware of the GDPR. The survey found that more than a quarter of businesses and charities who had heard of the regulation made changes to their operations ahead of the new laws coming into force.

Effective May 25, 2018, the GDPR marks a tectonic shift in Europe’s data protection framework, with profound implications for businesses outside of Europe dealing with data about Europeans or operating European establishments and data centres.

Unlike its predecessor, the Data Protection Directive, the GDPR has extensive global reach. This has caught the attention not only of corporate managements all over the world but also of policymakers in countries like Japan, South Korea, Israel and India, who are seeking to align their domestic regulations with the new European standard. GDPR also affords individuals strong rights, including a right to access data held by an organisation, to rectify it, to request to delete it and to transfer it to a competing business. To fulfil these rights, companies will often need to engage not only their legal and compliance teams but also product managers, engineers and IT experts to reconfigure products and services.

Most importantly, GDPR hands enforcement agencies a big stick, empowering regulators to levy fines in amounts of up to 20m euros or four percent of a company’s annual global turnover, staggering amounts when considering the income statements of large tech companies, retailers, airlines and banks.

Traditionally weak in formal powers and budget starved, data protection agencies will hence catapult into the first tier of market regulators, alongside competition agencies, securities regulators and even tax authorities. Not to be ignored, new private causes of action and an ability to bring representative suits will empower European consumers to enforce the law individually or in groups. Already, Max Schrems, whose campaign against Facebook upended a long standing international agreement between the U.S. and the EU that was adhered to by more than 4,000 businesses, announced the launch of an NGO dedicated to pursuing privacy wrongs under the title NOYB, short for “none of your business.”

To address these risks and challenges, businesses must be smart about data protection. This includes educating senior management and training staff to recognise data protection risks and to understand non-intuitive concepts such as personal data – which includes not only sensitive data about financials or health but also apparently mundane but identifiable information, including an IP address, a phone number or a cookie; pseudonymisation – which means the process of removing direct identifiers from a dataset so as to make it less readily identifiable; or controller and processor – which are different roles organisations can take in various setups and constellations in the data processing chain.

Eventually, businesses will turn to a new professional class – privacy and data protection officers (DPOs), who are already mandated under GDPR in certain circumstances – to manage, oversee and minimise data protection risks. Over the past decade, the field of privacy and data protection has become a profession with a body of knowledge at the intersection of law and technology, operations and ethics, strategic management and data governance. In 2018, companies will rush to hire thousands of privacy and data protection professionals to ensure that the tremendous benefits of new technological breakthroughs will not come at an untenable social cost.        

Omer Tene is Chief Knowledge Officer at the International Association of Privacy Professionals

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.