deepagopi2011 - Fotolia

GDPR is having positive impact on privacy profession, says IAPP

The EU’s new data protection rules are driving greater interest in the privacy profession, and provide an opportunity to develop new business plans, says privacy association

The European Union’s (EU’s) General Data Protection Regulation (GDPR) is having a positive effect on the privacy profession, according to the International Association of Privacy Professionals (IAPP).

“People are definitely paying attention to privacy as the GDPR compliance date approaches,” said Sam Pfeifle, content director at the IAPP.

Membership more than doubled in 2017 with 12,000 new members, and 1,000 privacy professionals achieving certification in January 2018 alone, he told Computer Weekly.

There has been a marked increase in the number of privacy professionals, said Pfeifle, as organisations seek to operationalise their GDPR plans and strategies.

At this point, he said, it is important privacy professionals and IT professionals engage with each other to guide each other to ensure the most effective technology is deployed to deliver the most critical privacy outcomes.

“With the deadline of 25 May so close, it is more important than ever that IT and privacy teams work together to get it right so that the organisation as a whole is able to do now what is required to ensure the best possible protection for personal data,” he added.

Pfeifle believes that the GDPR and equivalent data protection laws in the UK and elsewhere provide a good opportunity for privacy and IT teams to have more productive conversations, and to work together to empower each other.

“Privacy professionals know what needs to be done to ensure personal data is safe and that regulatory requirements are met, and IT teams are in the best position to know how best to achieve and support those goals using the right security architecture, technological systems and controls,” he said.

Like the UK Information Commissioner’s Office (ICO), Pfeifle believes that improved data protection and privacy practices make good business sense because they help build consumer trust and enable organisations to enter the trade for data in a way that is transparent and fair.

“Existing organisations like Facebook need to make sure that the value proposition works, and that the transaction is clear to users of the service,” he said.

Read more about the GDPR

By providing guidance on the legitimate collection and use of personal data, the value of data, where and why consent is required, Pfeifle said privacy professionals can enable organisations to use data with confidence.

“This in turn enables organisations to improve relationships with customers and develop new data-based business plans, ensuring that privacy requirements are met at the design phase, rather than identifying problems later down the line when they are more difficult and costly to remediate, or can even result in fines,” he said.

Pfeifle is also among those who believe that the large fines provided by the GDPR will be enough to encourage organisations to do the right thing, rather than take the risk of getting caught as many have done in the past because the penalties have been relatively low.

The ICO plans to provide details of its new regulatory action policy in April, but information commissioner Elizabeth Denham has already indicated that the ICO aims to create a regulatory environment where data subjects are protected and businesses are able to operate and innovate efficiently in a digital age.

Privacy and innovation must go hand in hand, she told a data protection event hosted in London by the Direct Marketing Association (DMA).

“Support, education and guidance is at the heart of our regulation, but it is backed up by tough action where obligations are not met or ignored,” she said.

Commenting on the higher sanctions provided by the GDPR and proposed UK data protection legislation, Denham said more serious, high-impact, deliberate, wilful or repeated breaches can expect the most robust response.

“We will also reserve our strongest sanctions for breaches involving novel, technological approaches that present a high degree of intrusion into people’s privacy,” she said.

Read more on Regulatory compliance and standard requirements