Share with your friends

Reinventing data protection: Are you digitally ready?

Reinventing data protection: Are you digitally ready?

Understanding and preparing for new data regulations and how organisations can keep up with regulations in a digital world?



Also on


Navigating local services can be challenging, but not always as challenging as the experience of a man mentioned in a Centre of Excellence for Information Sharing report last year. He greeted his MP who had knocked on his door with the greeting ‘You’re number 32’ – he’d been keeping a list of the people who had knocked on his door to ask for the same information and offer support – rhetorically you might ask ‘who wants to tell their story 32 times’ - all because the agencies had not shared the relevant information with each other.

The truth is residents want us to join up our services to help them; that is until they don’t.  They can equally worry that we will use their data inappropriately or without their knowledge.  Both are difficult challenges brought to the fore by an increasingly digital world that is driven by data. 

If we’re in the middle of the 4th industrial (digital) revolution and being fundamentally changed by digital technology and services; we sure haven’t cracked the code yet on how to proportionally balance enhancing our services by using data while still protecting privacy. 

That’s partially because we’re in the middle of a values driven debate which is taking time to play out in society while the pace of change outpaces our ability to safely plan for digital impact.  As organisations, there is help and guidance out there, but to some extent there is no map for this and we are all learning as we go.

Regulation hasn’t kept pace with our digital and physical selves, but it’s catching up.

We’re living in a digital world that is starkly different to that of even a decade ago. As a result, the UK’s laws and regulations need and are being updated.

Traditionally, governments have been set up to serve their populations, supported by a whole host of paper and relationship based data about those people – ranging from census data to economic trends. But now people are splitting into two selves: a physical self and a digital self-described in terms of data:

‘‘. . . it’s not that the Internet is everywhere (we knew that), it’s that the Internet increasingly defines everything, including ourselves.’ Paul Marsden Consumer Psychologist SYZYGY Group

And this division of self creates a whole new set of questions for governments:

  • What is government’s responsibility to the digital self – to a person and their data? 
  • Governments wish to protect our digital lives through legislation and improving resilience. 
  • But should they do more? Should they be helping us meet, manage, and even ‘optimise’ our digital well-being. What would that relationship look like?
  • How should or can – permission be given and managed to use that data? Should corporations manage that?  Should governments manage that as a trusted broker? Or should you manage that yourself?
  • What are citizens’ rights concerning that data? Are you aware of them?  Do you want to be aware of them?
  • How should we regulate and monitor the responsibilities of organisations that share data
    in the private and public sectors?

New laws are on their way

These questions are at last starting to be answered, and organisations – public or private – should be prepared for change. The first and the biggest piece of regulation is, of course, the EU’s General Data Protection Regulation (GDPR), which comes into effect in May 2018. It is the biggest overhaul of data protection rules in 20 years and is long overdue. Alongside that, the Digital Economy Bill and guidance from the Office of the UK National Data Guardian are shaping a new regulatory landscape.

There are just a few broad themes to be aware of:

1) It’s now the responsibility of every organization sharing data to understand what data you are sharing, what purpose you are sharing it for, who you are sharing it with, and how it is being shared.

A) This means having a register of your data by type and system is critical

B) Data flows that articulate how data moves between organisations and for what purpose are also key

C) For certain types of data and uses, you will need to obtain and manage explicit plain language consent as well as any opt outs

2) Engagement with people about using their own data will be an increasing core competency of many organisations. 

You may need to:

A) increase your public engagement skills and non-technical writing to adequately and clearly explain what people are consenting to share and to create the Data Privacy Impact Assessments in plain language the GDPR requires

B) use apps and technology to help customers and citizens self-manage their privacy and consent

C) build a stronger benefits and outcome modelling capability so you can convince stakeholders to share from a position of benefit to them

D) build a stronger communications and social media capability

But it’s not just more complexity that organisations will face. The GDPR also increases the risk and penalty for any organisation – public or private – that doesn’t handle information in the right way. The maximum fine will be 4% of global turnover, which is a significant step change in terms of the importance of lawful and proportional data use and the consequences of non-compliance. The UK information Commissioners Office (ICO) has a useful set of resources for getting to know GDPR (

See your risk as an opportunity

The key for organisations is to get ahead of all this change or at least try and keep pace with it. On the one hand, they must prepare to comply with the new legislative demands – for example, many firms in the UK are
nowhere near ready for the GDPR’s May 2018 deadline. With only seven months to go there is still time to begin preparing for GDPR even if full compliance may take longer. Failing to do this could result in far greater compliance costs further down the line.

GDPR and guidance from our ICO and Office of the National Data Guardian put renewed emphasis on the importance communicating with those whose data we use clearly and without surprises. Where their consent is required we have to ask for that clearly and granularly in terms of how data will be specifically used and what value it generates. If their explicit consent is required, we must manage an opt-out process which creates new process and technology complexity for organisations not used to that. Organisations must also develop capabilities to measure and communicate how sharing data will help their customers and constituents while working to allay understandable public fears about how their data could be misused or mishandled.

Many customers we talk with want to manage the transition to GDPR as calmly and quietly as possible. That’s a fine goal. There’s another opportunity embedded within GDPR though to be loud, informative, and positive
by creating new or at least reframed conversations with customers about their data and how it is used. Some organisations can and should use GDPR to take their digital customer relationships to entirely new levels.

And what about the future after GDPR? I think it’s likely that in the future, it will be as normal for us to login online to check our ‘digital selves’ and monitor our personal information profile, and see how others are using our data, as it is for us to check our bank account online. 

If you accept that may be the future too, that entirely changes the technology investments and customer engagement capabilities you will need to meet citizens online.  For today and the future after GDPR, organisations must be prepared – and able – to provide the requisite level of detail about their data use and its benefits to those they serve. There is a lot of talk about the fiscal and reputational cost of non-compliance
that is absolutely right but much less talk about the opportunities generated by GDPR and a rapidly emerging digital future. The lines between our digital and physical selves are blurring creating unprecedented opportunities to share more data. Our regulatory environment is also catching up to help us navigate the significant risks that also come with that change. 

As customers and citizens, we all stand to benefit greatly from our data being used to provide more personalised products and services. Yet there could also easily be a backlash if organisations get it wrong. It will pay all organisations to ensure that this doesn’t happen. Though there is significant work to be done to become compliant with our new rules and regulations, I’m as excited about the opportunities things like GDPR create to re-engage our organisations, citizens, and customers in a digital context. It’s an exciting time.


© 2021 KPMG LLP a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organisation please visit

Connect with us


Want to do business with KPMG?


loading image Request for proposal

Save, Curate and Share

Save what resonates, curate a library of information, and share content with your network of contacts.

Sign up today