Opportunity calling: The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a reform of the current data protection rules. It is currently being written into UK law and will apply to all organisations that hold personal data from 25 May 2018.
Penalties for non-compliance will be “effective, proportionate and dissuasive” – the Information Commissioner’s Office (ICO) can administer fines of up to 4% of global annual turnover or 20 million Euros – whichever is higher. It’s unlikely that we’ll ever see a maximum (administrative) fine, though there are other significant penalties (such as the enforcement of corrective measures), and liabilities (for example the right for any person who has suffered as a result of an infringement to receive compensation) that need to be understood.
Achieving GDPR compliance will take time and money, but if it is managed correctly, several of the steps involved present opportunities and can be linked to other business objectives that provide a return on investment.
A Strategic Initiative
The GDPR needs to be dealt with at board level. The accountability principle, and the fact that it will have an impact on all areas of the business, should facilitate this. Once you accept that the GDPR is a “boardroom issue” and deem it to be a strategic initiative, it becomes an opportunity: an opportunity to ensure that your business is fit for the digital age. As part of the process you’ll need to future-proof your products and services in order to gain competitive advantage – particularly if you are one of the first in your sector to achieve compliance.
GDPR compliant businesses will want to work with other GDPR compliant businesses, particularly now that, under the GDPR, Data Processors share liability with Data Controllers. Businesses will need to know that their suppliers, and in some cases their clients, are GDPR compliant. In fact, there’s a good chance they’ll want to know that the whole supply chain is compliant. Perhaps equally important is the fact that consumers are about to become much more aware of their rights as “data subjects” – yes, the Information Commissioner’s Office (ICO) is planning to run a campaign to educate consumers on their new rights.
Personal data is arguably “your” most important asset, so look after it. Organisations are now more like custodians of much of the data they hold, not the owners – as a result they must use GDPR compliance to drive business. If there are “fly-by-nights” in your sector who refuse to adhere to GDPR legislation and change their ways, then there’s a chance they won’t survive long post-GDPR.
Don’t get bogged down in the details
Resist the urge to dive into the text on day one in an attempt to understand and interpret every article, and then to use that reading to drive the wider project. Instead, gain a good general understanding, perhaps paying particular attention to the 6 principles (Article 5) and the ICO’s “12 steps to take now”, and use that to shape a data governance programme. Another important aspect to consider is appointing a data governance board if you haven’t done so already. A good data governance programme will naturally address large parts of the GDPR; treat the articles within the GDPR as a checklist for assessing how successfully your data governance programme aligns with it.
The Human Element
Unfortunately, the term “data subject” makes it easy to forget that the GDPR puts people, your customers for example, back in control of their personal data. Organisations must now start to think strategically about the GDPR by asking questions such as:
- How can we improve the customer experience whilst ensuring transparency and building trust?
- How do we ensure our customers see the use of their data as a benefit?
- How do we avoid incidents that could lead to reputational damage resulting in our customers going elsewhere?
- How do we ensure our employees understand the consequences of getting this wrong?
- How do we win new customers through transparency and trust?
The answers to questions like those above can be used to form part of your GDPR strategy; that way the human/customer element won’t get lost during your journey to compliance.
The regulation is far reaching, and the opportunities it presents are therefore wide and varied. The number and type of potential opportunities depend on many things, including current organisational maturity and the maturity of any existing data governance. Whilst organisations that lack maturity will have more work to do, they will have greater scope to identify opportunities and reap the benefits along the way.
Get to know your data
As you get to know your data better, particularly how it flows through your organisation, you’ll start to realise how revealing the process can be. To some the data mapping exercise is a revelation and they use it to improve business processes and review their customer journey. This can also happen quite naturally as you look to reduce risk by minimising the number of data touch points and software applications in use within the organisation. This consolidation exercise should lead to leaner processes and in some cases, significant cost savings – think licensing, storage costs and operational efficiency.
Clean up your data
Many organisations have only ever accumulated data over time and have done very little in the way of data cleansing – it’s not unusual to see businesses delete the majority of the personal data they hold as part of an initial cleansing exercise. This might sound severe, but if the data lacks legitimacy under the GDPR (think back to the original purpose for which the data was collected and how long it’s been since you were last in contact with the data subject), then getting rid of it will instantly reduce risk. Ultimately, it’s a high value, low cost, quick win. The less data you hold, the less you have to worry about. It’s important to note here that you should seek expert advice before pressing that delete key, as it’s sometimes possible to re-engineer and/or re-permission the data to restore or retain its legitimacy. Please also be sure to check your data retention policy; you may have to hold on to the data for other reasons or under other regulations. If you don’t have a data retention policy, then that’s one of the reasons why you ought to appoint a data governance board.
Manage your data
The GDPR will force many organisations to make big improvements in the way they collect, store, use and delete data; some will make their first foray into PIMS (Personal Information Management Systems) or even MDM (Master Data Management) as a result. Integrating PIMS or MDM isn’t essential, but for those who are struggling to know where to start, such a system could provide a solid foundation for implementation and help to pull everything together.
Many of the benefits that emanate from a GDPR alignment programme will come from improved records management, data minimisation and better data quality. They include:
- Reduced risk exposure
- More efficient marketing campaigns and customer service
- Improved operational efficiency
- Better and more profitable business decisions
- A better understanding of customer habits
Govern your data
And here we are, back at data governance. It can no longer be a case of having made our “best efforts”. There is now a need to use data governance to form a holistic approach to data security, privacy, and related compliance obligations such as the GDPR. Do it well, embrace the GDPR, and your efforts will be rewarded.
START YOUR JOURNEY TO GDPR COMPLIANCE
Join us for our roundtable events to learn more about our approach to assessing GDPR compliance and how we can help your organisation adopt Microsoft Cloud Security Technologies successfully, in time for GDPR enforcement next May.
About our author
GDPR Specialist | Citric Data Protection
Matt Anslow of Citric Data Protection has a background in corporate and consulting IT disciplines and became experienced in data governance and ISMS whilst performing the role of IT Manager/Director in a number of sectors. Matt now specialises in data protection and privacy, to which he takes a holistic approach; he has become known for helping businesses to see the GDPR as an opportunity and to exploit the potential benefits that emanate from it. Matt can be contacted through Content and Code or directly on 0116 350 0462.