January the 28th is Data Protection Day - but why do we have a Data Protection Day at all?
People's personal data are being processed every second – at work, in their relations with public authorities, in the health field, when they buy goods or services, travel or surf the Internet.
Individuals are generally unfamiliar with the risks related to the protection of their personal data and of their rights in this respect. They are seldom aware of what they can do if they consider that their rights have been breached, or of the role of national data protection agencies.
Data Protection Day was launched by the Council of Europe in 2006 and is now celebrated globally every year on the 28th of January.
On this date, governments, parliaments, national data protection bodies and responsible organisations carry out activities to raise awareness about the rights to personal data protection and privacy. These may include campaigns targeting the general public, educational projects for teachers and students, open doors at data protection agencies and conferences.
Businesses also need to shoulder some responsibility, both for treating personal data with the respect it deserves (and that regulations demand) and for helping to promote, and educate people about, the positive power of good data governance more widely. In particular, organisations have a responsibility to ensure that their wider supply chains are equally respectful of the rights of individuals to strong data protection.
However, while many businesses have created the fundamentals needed by GDPR, they still have some way to go before they create their own privacy-centric culture expected by the legislators and required to guarantee long-term compliance. This culture is best described by an ethos known as "privacy-by-design-and-default". This concept is embedded within GDPR and is a requirement of the law. It requires organisations to consider the impact on individuals' privacy at all stages of system and process design and to work on the basis that least impact is the default position.
While developing the culture must be an ongoing objective for organisations, the immediate and short-term requirements of GDPR, such as third-party management, policies, staff training, DPIAs, access requests and other data subject rights, require robust ongoing management and control to avoid non-compliance. Our experience is that most organisations simply don't have the knowledge, resources and drive to implement these in a robust way.
Data Protection Day is a great opportunity for all of us to remind our organisations about the importance of privacy and to encourage our stakeholders to provide the resources required by the law.