GDPR: do not bury your head in the sand
February 2017 | EXPERT BRIEFING | DATA PRIVACY
2016 was the year in which the General Data Protection Regulation (GDPR) became a serious topic. The year was tarnished by a number of high profile company data breaches which undermined public confidence in the way companies store and use data. The GDPR legislation, set to come into effect in May 2018, is long overdue and businesses are beginning to worry about how to best prepare. 2017 will be the year that businesses need to actively plan for this imminent deadline – no sector is exempt from the GDPR. It is no longer a question of ‘if’ the implementation will take place, but how. Businesses would be well advised to keep a very close eye on developments, as well as the messages coming from regulatory bodies, such as the ICO. The stakes are high; any business that fails to get its ducks in a row will face severe financial consequences.
What is the GDPR?
The GDPR is the highly anticipated update to existing European data regulations. The EU Data Protection Directive (DPD), which was instituted in 1995 before the real dawn of the internet age, is woefully out of date. The DPD is unsuited to guiding businesses on how best to store and share their data in the modern era. The UK has its own law, the Data Protection Act, created in 1998, that controls how personal information is used by organisations, businesses or the government. However, the GDPR is likely to replace this and other European countries’ local data regulations, promoting a more coherent approach to data protection and harmonising the 28 sets of individual Member State laws currently in place.
Why is the GDPR necessary?
In recent years, businesses have taken advantage of the widening loopholes in data protection regulations. Facebook, for example, faces a hefty EU fine over its unlicensed sharing of customer information from WhatsApp. Furthermore, a number of very public security breaches, such as those involving mobile phone service provider Three and supermarket chain Tesco, have exposed the vulnerability of data collection systems, further undermining consumer confidence.
It has become clear that the issue of data ownership and data protection is a complicated one. The GDPR will be instrumental in helping companies understand what they can and cannot do when it comes to customer data.
What does the GDPR entail?
The GDPR consists of 200 pages of ambitious legislation designed to better protect customer data. Failure to comply with this new set of rules will result in fines of up to €20m, or 4 percent of global turnover, whichever is higher. Among several measures, the GDPR tackles terms such as consent, the right to be forgotten, data breach notifications and the issue of accountability. A further key aim of the GDPR is to boost transparency between company and clients. Businesses will need to provide clear notice of data usage and to obtain explicit consent from customers for data collection, storage and activation. This includes respecting a customer’s choice to ‘opt out’.
The harsh penalties for non-compliance provide a strong incentive for businesses to prepare for the GDPR; however, they are by no means where the deterrents end. Data mismanagement now comes with a costly hit to brand and reputation. The hidden costs associated with brand damage, as a result of non-compliance, could continue to add up long into the future. Customer exodus, investor flight and difficulty acquiring new customers are just some of the financially damaging scenarios that continue to plague companies for years after data breaches. For example, the 2014 breach of Sony could ultimately cost the company more than £1bn.
How to prepare for GDPR?
The GDPR is not set to be implemented until 25 May 2018; however, companies need to start taking the necessary measures now in order to be fully prepared for the roll-out. Yet, a recent Dell survey revealed that less than one in three companies are prepared for the regulation. Furthermore, less than half expect to be fully ready by 2018.
There are a number of things that businesses can proactively do to prepare for the implementation of GDPR.
Notably, in order to establish who has access to the data held, how it is collected and stored, and where it is going, companies should conduct an audit of their current data assets, and review IT policies and systems to really understand what the data estate and landscape look like. This will help to determine whether there are any gaps that need to be filled in order to become fully compliant, what permissions are in place and whether those permissions are correct. Companies should review contracts, processes and policies to validate the data they possess and the access to it. Any employees, clients or data that fail to comply with the new regulations need to be updated, and data that is no longer used or required should be deleted; otherwise it can become a liability to an organisation.
Additionally, companies that are planning on taking the implementation of GDPR seriously should consider employing a chief data officer (CDO) to oversee the process. At the end of 2016, Gartner estimated that 25 percent of large global organisations have already hired a CDO. By 2019, that is predicted to reach 90 percent. CDOs can help staff to broaden their understanding of data in the workplace, realise the benefits of using data and analytics, capture opportunities and mitigate risks. This will enable companies to better collect, manage and exploit data assets, and to apply analytics for better insights. Businesses should also create a data governance board, consisting of team members from departments such as tech, legal and marketing, to share ideas across the board on best practice on data, from accessing and storing data to transmitting it, building data strategies and essentially owning and being accountable for the organisation’s data.
While GDPR implementation is challenging, it is long overdue. Some businesses hoped that Brexit would excuse the UK from the GDPR, but this will not be the case. Rather than running scared, business leaders should see the GDPR as an opportunity to improve data systems, prevent data misuse, rebuild trust and demonstrate business proactivity in the coming months and years. It is a powerful means of displaying business transparency at a time when trust in business practices needs to be rebuilt.
GDPR compliance can support clearer long-term business development objectives, as better data protection ultimately leads to more profits by driving consumer trust. Any UK business that chooses to bury its head in the sand and ignore the inevitable will be left behind by those that have already embraced these changes. Effective data protection will lead to more valuable, longer-lasting customer relationships that are built on trust and openness.
Andrew Bridges is the data quality & governance manager at REaD Group. He can be contacted on +44 (0)20 7089 6400 or by email: firstname.lastname@example.org.
© Financier Worldwide