GDPR: Don’t miss the commercial opportunity
Since the Data Protection Act 1998 became enforceable, data protection has been serious business. The Act celebrates its 20th birthday with early retirement, replaced as it will be by the General Data Protection Regulation (GDPR).
The GDPR is an EU-wide directive which seeks to unify data protection protocols and make them fit for the 21st Century. Brexit, in whatever guise it takes, will not affect its implementation into UK law. GDPR is more extensive in scope and application than the current Data Protection Act (DPA). The regulation extends the data rights of individuals. It also requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.
The regulation provides much for corporates to think about. In this piece, we’ll look at some of the implications of the regulation, both in terms of opportunity and risk.
Brace for Budget Burden
Increasing liabilities through GDPR will demand more rigorous controls. As such, the financial burden of handling data is set to rise. To what extent depends on the industry you are in, and the type of data you process.
Sensitive data, such as data relating to personal health, is to be regulated much more stringently under the GDPR than other types of data. There will be a requirement to demonstrate compliance with extra obligations, for example performing data protection impact assessments.
The size of your company also matters. Largely, the GDPR requirements for SMEs are no less robust than they are for the big multinationals. However, it is to be expected that regulators will direct enforcement activity towards corporates that hold data for many individuals, and that are more prominent within the marketplace. Needless to say, implementing revised privacy protocols within large corporates is a more onerous task than for smaller firms, with there being more individuals, databases, and processes affected by such wholesale changes.
Another factor to consider is whether existing IT systems can cope with the demands of the GDPR. The emphasis on consent will require additional forms and elements for acquiring and processing data. They will also need to explicitly display where consent can be withdrawn.
Ensuring Synergy Between Clients and Suppliers
The burden of the GDPR is more heavily weighted to data controllers. That is not to say though, that processors are off the hook. Fortunately, the GDPR gives clear guidance as to the responsibilities of each, and imposes eye-watering penalties on those that fail to meet these responsibilities.
Clients and suppliers therefore have a renewed incentive to work through the issues presented by the GDPR towards a mutually agreeable outcome. This can be achieved via a two-fold approach.
- Firstly, it is critical that clients (data controllers) and suppliers (data processors) have taken the necessary steps to make sure their privacy policies are fully GDPR compliant.
- Secondly, lines of communication between each must be reviewed. With data passing between the two under the watchful eye of the GDPR, there is no room for error.
To what extent we could see the larger, more dominant parties exploiting smaller, weaker ones remains to be seen. The scope for such action appears limited when perusing the GDPR document, but once enacted and in full practice means of doing so may become apparent.
With the requirement for compliance backed up with severe penalties, it’s tempting to view the GDPR only as a burden. However, there are opportunities as well.
The GDPR will force companies to review and re-order their data. With data carrying such value in the modern corporate landscape, having a better understanding of your data substantially increases its value. A company cannot utilise or monetise its data if it does not know where it is or what it consists of. Likewise, stockpiling decades-old data only blurs the picture, reducing opportunities. Many companies may end up being thankful to the GDPR for driving data governance as a business priority.
The marketplace is set to change as GDPR requirements become legally binding. Companies can obtain a competitive edge over their rivals by using the GDPR as inspiration for innovation. One way, for example, might be for corporates to consider developing new services or products which guarantee customers that their personal data is safely handled and stored. Initiatives such as personal data vaults, cloud-based apps which allow individuals to store personal data and control access permissions, are likely to become popular.
Perhaps most importantly, those companies that align most unequivocally with the GDPR stand the best chance of protecting their reputations. Indeed, there is an opportunity for companies to become regarded as ‘privacy champions’, a worthwhile label to have amongst ever more security-conscious consumers.
What is clear from the reams of guidance and instruction is that companies need a well-conceived and well-executed strategy to ensure an optimum outcome.
Equally, sleep-walking into issuing revised terms and conditions for existing, legacy policies, with a blind expectation that receiving parties will unconditionally accept them, is naïve to say the least.
Altogether, it can all seem overwhelming. It is important to remember though that the GDPR is uncharted territory for every organisation, and that planning an appropriate budget is the first step to ensure that you retain your competitive edge.