Purposeful and comprehensive data privacy

Can you feel it? We’re nearly one year on from the introduction of the GDPR and I sense a creeping nervousness in the economy about the quality and reach of GDPR readiness programmes and decisions taken to shelve them once the magical date of 25th May 2018 had been reached. On the conference circuit, in client meetings and through the cadence of news reporting, I see a building concern that perhaps efforts were not good enough.

I don’t believe that we need flagship fines to tell us that there is still a major gap in data privacy quality levels in the economy. The evidence is all around us. However, fines are coming and perhaps they’ll help to disabuse some organisations of the notion that data privacy doesn’t matter. But wouldn’t it be much better if there were wide acceptance, in the controlling minds of all holders and users of personal data and in the minds of the facilitators and producers of data processing techniques and technologies, that data privacy needs to be delivered as a matter of business purpose?

Business purpose covers the reason for a business’s existence, which leads to the generation of value and positive contributions to society. It’s a subtle point, but significant: generation of profit by itself is not purpose. Long-term thinking and broad mindsets are needed to ensure business health, aligned to purpose.

Thinking about business purpose in this way has moved from being a matter of theoretical economic importance, understood by economists and academics, to a core requirement of good corporate governance that business leaders have to address.

A clear example of this new reality is the purpose-focus within the new FRC Corporate Governance Code, which came into effect for listed businesses at the start of 2019. The Code places a positive obligation on Boards to consider and define purpose and to reflect purpose in risk management.

Data privacy cannot be unravelled from this idea of purpose if the use of personal data is central to business success. Purpose requires a ‘comprehensive’ approach to data privacy.

The UK data privacy regulator, the Information Commissioner, agrees with this idea. She took the opportunity to spell this out as her main priority for data privacy at her flagship annual conference in April. She said:

“[the] next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all of your business processes.”

The significance of her position can’t be overstated. The reasons why the regulator is making comprehensive data privacy her priority are very stark: after nearly one year of operating experience investigating compliance with the GDPR and enforcing the law, the evidence has shown her that organisations are not delivering the right results. This worrying situation builds up the case that GDPR readiness programmes have had the wrong objectives, or they have been badly planned or delivered, or they have been closed down prematurely. The Commissioner is expecting organisations to be able to prove as a matter of fact that they have delivered meaningful data privacy outcomes, rather than having just ticked some of the boxes of legislative compliance.

As part of a comprehensive approach, businesses should not overlook the need to change how their technology and data systems are designed, built and operated. On these specific requirements, however, PwC’s experience is that tech and data-level change has not been properly addressed in many organisations. This means that many organisations will be unable to meet the challenges of accountability that the regulator has spelled out.

Business leaders need to take responsibility. That involves understanding the areas of business operations where data privacy needs to be delivered and understanding how to prioritise actions. And they have to focus on tech and data-level change if purpose, data privacy and compliance with the law mean anything to them.

Here is the full text of the regulator’s speech. View the FRC Corporate Governance Code.