GDPR – a Compliance Exercise or a Golden Opportunity?
The challenges of compliance presented by the sheer scope of the GDPR are undeniably immense, and the degree of change seen in certain aspects of the regulation, such as the right to be forgotten, means that many organisations are delving into unknown territory to implement these concepts. However, for the organisations that can efficiently overcome these hurdles they will be in a position to build a solid foundational data governance framework through which they can take full advantage of the opportunities presented by data analytics in the digital era.
The European Union’s General Data Protection Regulation (GDPR) is fast approaching, coming into effect on 25 May 2018, and the changes which it ushers in are substantial. There is no doubt that the GDPR is going to significantly reshape the data protection landscape across Europe, and for the many organisations worldwide that collect and process the data of EU citizens. With the deadline looming it is time for organisations to ask themselves whether they will be approaching this challenge solely as a box ticking exercise, or as an opportunity to distinguish themselves from their competitors and capitalise on potential new revenue streams.
The GDPR is forcing companies to do their data housekeeping, which, arguably, is something everyone should have been doing right from the beginning. While effective data governance has not been very high up on most board’s agendas until recently, having a better understanding of your data substantially increases the value of it. You cannot utilise or monetise your data if you do not know where it is, and hoarding data from 20 years ago only clouds the water, reducing your opportunities. Many privacy professionals may end up being thankful for the GDPR for driving data governance as a business priority. Organisations are thinking less about technology, the end-point, and are becoming more data centric.
Privacy professionals can start this journey by asking themselves pragmatic questions, how much of our data is duplicate? Has it been accessed in the last 12 months? Once organisations have uncovered what data is actually being accessed, they can begin the process of removing, reducing and restructuring it. Convincing everyone that clearing out data is the best place to start can be difficult but it can be done by weighing up the cost of storage and non-compliance versus the cost of deletion and potential recovery. Though one approach may cost more in the short term, it’s very clear which pays off in the long run. The risk of non-compliance includes not only the colossal fines available but also the risk of damaging your brand.
How freely the ICO will be handing out fines is unknown, however organisations can mitigate their chances by showing good intentions and being pragmatic in their decision making, companies will not get away with not moving on sensible decisions. It is important to document everything, ensuring there is evidence of intent to meet the regulation in question.
It looks as though most organisations are unlikely to be one hundred per cent ready on day one, but prioritising the most significant risks first will at least mean they are in a defensible position when the day arrives.