The General Data Protection Regulation (GDPR) applies from 25 May 2018 and will have a significant effect on the way organisations process personal data. Its introduction is likely to leave many businesses, particularly small and medium-sized enterprises, struggling to allocate the time, budget and resources that the considerable compliance effort requires. But there is undoubtedly an opportunity for businesses to alter their strategic view of the importance of data and to take steps to manage their information effectively, putting privacy at the forefront of their information management activities.
Increased knowledge, reduced risk
The GDPR contains a number of requirements that will force businesses to acquire a much clearer picture of what they do with the personal data they hold. For example, organisations must be able to show what personal data they have, where it comes from, who it is shared with and what they do with it. In practice this means conducting information audits to map data flows, maintaining records of processing activities and documenting the legal basis relied on for each processing purpose.
The days of ineffective or inoperative retention policies and the ‘save everything’ approach to data collection and storage are ending, to be replaced by greater corporate accountability and transparency. More than ever before, organisations will acquire insight into what they do with personal data which will, in turn, inform their future data strategy, helping them implement policy to prevent unfair, unlawful or opaque practices. Though introducing systems and processes to enable this level of organisational self-awareness may seem overwhelming at the outset, the benefits of this process in helping businesses to identify, report and manage risk are clear.
Increased consumer confidence
Consumer confidence in businesses’ ability to safeguard personal data has fallen following a series of high-profile data breaches in the last few years. The Cyber Security Breaches Survey 2017, an annual report published by the UK’s Department for Culture, Media and Sport, found that almost 70% of large UK firms had identified a cyber security breach or attack in the preceding 12 months. It also found that businesses holding electronic personal data about their customers were considerably more likely to have suffered a breach than those that do not (51% compared with 37%).
Against this background of mistrust, the GDPR introduces a series of enhanced data security rules intended to force businesses to implement rigorous data security controls, while also giving enhanced control of personal data back to the individual. If businesses adopt data-centric, stringent approaches to data security, they are likely to benefit from reduced organisational risk and increased levels of trust – and revenue – among current and potential customers.
The GDPR requires organisations to implement and maintain “appropriate technical and organisational measures” to protect personal data, taking into account the state of the art, the cost of implementation and the risks to individuals. It does not, however, prescribe exactly what those measures must be: the Regulation offers only a short, non-exhaustive list of examples (such as pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems, the ability to restore data after an incident, and regular testing of the measures in place), leaving each organisation to justify its own choices against the risk. In the absence of detailed prescription, the GDPR will be a catalyst for innovation, forcing organisations to build data protection by design and by default into existing and new processes and technologies.
There are real opportunities to gain commercial advantage by transforming the way personal data is managed. By assembling cross-functional teams including data protection officers, legal and technical data experts, many organisations will take the opportunity to define their data strategy and policies and find creative, evolving ways to implement data security measures which help them comply with GDPR amid the complex, ever-changing digital economy.
A look ahead
The GDPR will force many organisations to implement new policies and procedures to protect data by May 2018 in order to be compliant. However, this cannot be a one-time event: new types of data will continue to be generated year after year, and the number of devices that store and transmit personal data grows every day as new products reach the market. The privacy implications are considerable, because many consumers do not realise that data such as location data is being collected and stored. Companies will have to monitor and communicate their privacy notices consistently so that consumers understand what data is collected, where it resides and how it will be used. To do that, companies will need to keep reviewing their data protection procedures, how they use automatically collected data and how they safeguard personal data. Becoming GDPR-compliant will be a sprint, but continuing to comply will be a marathon.
Deborah Blaxell is a senior consultant and Martin Bonney is a senior director in the consulting services team at Epiq.