19 Jul 2022
by Andy Stevenson

Computer Task Group: Data privacy - why GDPR compliance is essential in the digital age

Guest blog by Andy Stevenson, Data Privacy Consultant at Computer Task Group

Fundamental Rights

In January 2022, John Edwards, the UK Information Commissioner, said, “Privacy and Data Protection are not values and rules imposed upon an unwilling populace by some external force. They are not burdens to be shucked off. They are laws that represent deeply ingrained features of the UK culture and legal system.”

Privacy is a fundamental right and privilege, but often this can be overlooked by organisations who don’t prioritise it within their digital output. Adhering to the guidelines of the General Data Protection Regulation (GDPR) is compulsory for regulatory data compliance, but also essential for ensuring that the public’s privacy is at the forefront of working practises in every facet of the business world - particularly when it comes to innovative digital technology.

Strong alignment with the Data Protection Principles will demonstrate to customers that your organisation doesn’t view privacy as an afterthought but at the top of the agenda. The nuances of data privacy can cause corporate heads to scratch, and there is still the tendency to sweep privacy risks under the carpet rather than address them head-on, for fear of further spending or simply because there is not enough understanding or confidence.

Coming Unstuck

Perhaps that’s where some organisations have come unstuck; they lack the level of expertise needed to truly assess essential compliance gaps in Data Protection with their digital output. South Wales Police, for instance, lost a landmark facial recognition case in 2020 largely on the lack of a DPIA (Data Protection Impact Assessment) picking up on whether the software exhibited any race or gender bias. The ICO also further ruled that police forces should set out their Live Facial Recognition retention schedules in any subsequent DPIAs.

DPIAs are generally designed to systematically assess, minimise, eradicate, or accept any high personal data risks that a new project, system, application, or process might entail—before it has been fully built or developed. This is known as “Data Protection by Design and Default,” and should be ingrained within a digital organisation’s DNA.

Yet it seldom is. ICO fines and reprimands continue to be issued, to the tune of £42 million in Data Breach fines in 2020-2021 alone.

Cultural Awareness

To limit the vast amount of human errors that can lead to breaches of personal data, a cultural awareness of data protection and the processes required to ensure staff are aware of their GDPR obligations is essential, as well as privacy experts liaising with stakeholders when new technologies are being developed.

GDPR should be a tool to drive positive change and insert the kind of privacy compliance into your organisation that will show your customers that you value their privacy as paramount, thus building ironclad trust. GDPR needn’t be a road-blocker to digital business output—it should emphasise how to safely apply business practises to personal data, rather than a “don’t do” approach.

Ask yourself… 

Understanding and working with the Data Protection Principles is the key. Understand the hard questions and think about answering them. How long should data you’re holding be stored in a cloud-based server? How much information do you need to share, rather than can you share?  Do you need to tell your customers that you’re using their information for further research? If so, how will you go about it?

By prioritising GDPR, organisations not only dramatically reduce their risks of non-compliance, they build better relationships with partners and customers, improving the reputation of their organisation and showing valued customers that their digital personal data is in safe hands.

The techUK podcast: Innovation in place-based care

In this episode we explore the concept of ‘place’ in care, the principles behind it, the impact of Covid-19 on care delivery, prospects for innovation following the introduction of Integrated Care Systems, examples of industry best practice, and where listeners can go to learn more about ‘place’ and innovation in care.

We were joined by Helena Zaum (Social Care Lead at Microsoft and Chair of techUK’s Social Care Working Group), Scott Cain (Associate at the Connected Places Catapult) and Hannah Groombridge (Healthcare Engagement Manager at Person Centred Software).

This discussion forms part of techUK’s Digital Place Week 2022 activity and features on our recently-launched Social Care Innovation Hub.

ICS Report.jpg

Read techUK's latest flagship report, released on Thursday's 'Health and Wellbeing' day:

Right from the start: What should Integrated Care Systems prioritise to make digital, data and technology work for them and their populations?



Andy Stevenson

Andy Stevenson

Data Privacy Consultant, Computer Task Group