Businesses can obtain a 'competitive advantage' if they 'get data protection right', says watchdog

Steve Wood, deputy commissioner for policy at the ICO, said it was a "widely held misconception" that reforms to EU data protection laws were "an onerous imposition of unnecessary and costly red tape". The General Data Protection Regulation (GDPR) will apply from 25 May 2018.

Wood said companies should not consider GDPR compliance as "an unnecessary burden on organisations".

"Any regulation has some sort of impact on an organisation’s resources," Wood said in a new ICO blog. "That’s unavoidable and GDPR is no different to any other new legislation in that respect. But thinking about burden indicates the wrong mindset to preparing for GDPR compliance."

"Whatever the size of your organisation, GDPR is essentially about trust.  Building trusted relationships with the public will enable you to sustainably build your use of data and gain more value. Through changing their data handling culture, organisations can derive new value from customer relationships. Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances. That goes way beyond increased fines – think brand damage and a subsequent loss of custom," he said.

There is "a major opportunity and competitive advantage for those who can demonstrate that they get data protection right", Wood said.

Wood said that although the GDPR "demands more of organisations in terms of accountability for their use of personal data and enhances the existing rights of individuals", it is only "building on foundations" of the existing Data Protection Act.

The GDPR represents more of "a step change" in data protection regulation than "a leap into the unknown", he said.

"Many of the fundamentals remain the same and have been known about for a long time," Wood said. "Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process – these are all things you should already be doing with data and GDPR seeks only to build on those principles."