“The crucial, crucial change [GDPR] brought was around accountability. Accountability encapsulates everything the GDPR is about,” says UK Information Commissioner Elizabeth Denham.
Denham said companies must understand the risks that they create for others with their data processing, and mitigate those risks. GDPR also formalizes the move away from box-ticking to seeing data protection as part of the cultural and business fabric of an organization, and it reflects that people increasingly demand to be shown how their data is being used and how it is being looked after.
However, she said this change is not yet evident in practice. “I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out,” she said. According to Denham, the next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all business processes.