Opportunity Calling - The General Data Protection Regulation (GDPR)


The GDPR

The General Data Protection Regulation (GDPR) is a reform of the current data protection rules. It is currently being written into UK law and will apply to all organisations that hold personal data from 25 May 2018.

Penalties for non-compliance will be "effective, proportionate and dissuasive": the Information Commissioner’s Office (ICO) can impose administrative fines of up to 4% of global annual turnover or 20 million Euros, whichever is higher. It is unlikely that we will ever see a maximum fine; in fact, fines are likely to be a last resort. There are, however, other penalties (such as the enforcement of corrective measures) and liabilities (for example, the right of any person who has suffered as a result of an infringement to receive compensation) that need to be understood.

One should also consider the reputational damage that would likely result from the publication of a breach.

Achieving compliance will take time and money, but if it is managed correctly, several of the steps present opportunities and can be linked to other business objectives that provide a return on investment.

A Strategic Initiative

The GDPR needs to be dealt with at board level. The accountability principle and the fact that it’ll have an impact on all areas of the business should facilitate this. Once you accept that the GDPR is a “boardroom issue” and deem it to be a strategic initiative, it becomes an opportunity, an opportunity to ensure that your business is fit for the digital age. As part of the process you’ll help to future-proof your products and services and gain competitive advantage - particularly if you are one of the first in your sector to achieve compliance.

GDPR-compliant businesses will want to work with other GDPR-compliant businesses (particularly now that, under the GDPR, Data Processors share liability with Data Controllers). They’ll need to know that their suppliers (and in some cases clients) are GDPR compliant; in fact, there’s a good chance they’ll want to know that the whole supply chain is compliant. Perhaps equally important is the fact that consumers are about to become much more aware of their rights as “data subjects”: the ICO is planning to run a campaign to educate consumers on their new rights.

Personal data is arguably “your” most important asset, so look after it (organisations are now more akin to custodians or guardians of much of the data they hold, not owners) and use compliance to drive business. If there are “fly-by-nights” in your sector who refuse to align with the GDPR, there’s a chance they won’t survive long once awareness of the new legislation is widespread.

Don’t get bogged down in the details

Resist the urge to dive into the text on day one in an attempt to understand and interpret every article, and then to use the articles to drive the project. Instead, gain a good general understanding (perhaps paying particular attention to the 6 principles (Article 5) and the ICO’s “12 steps to take now”) and use that to shape a data governance programme (consider appointing a data governance board comprising representatives from a cross-section of stakeholder groups if you haven’t done so already). A good data governance programme will naturally address large parts of the GDPR; see the articles more as a checklist for checking the progress, success and GDPR alignment of your data governance programme.

The Human Element

Unfortunately, the term “data subject” makes it easy to forget that the GDPR puts people (your customers, for example) back in control of their personal data. Start to think strategically about the GDPR by asking questions such as:

  • How can we improve the customer experience whilst ensuring transparency and building trust?
  • How do we ensure our customers see the use of their data as a benefit?
  • How do we avoid incidents that could lead to reputational damage resulting in our customers going elsewhere?
  • How do we ensure our employees understand the consequences of getting this wrong?
  • How do we win new customers through transparency and trust?

The answers to questions like those above can be used to form part of your GDPR strategy; that way, the human/customer element won’t get lost during your journey to compliance.

Opportunities Aplenty

The regulation is far-reaching, and the opportunities it presents are therefore wide and varied. The number (and type) of potential opportunities depends on many things, including current organisational maturity and particularly the maturity of any existing data governance initiatives (and the level of compliance with the current Data Protection Act). Whilst organisations that lack maturity will have more work to do, they’ll have greater scope to identify opportunities and reap the benefits along the way.

Get to know your data

As you get to know your data better (particularly how it flows through your organisation), you’ll start to realise how revealing the process can be. To some, the data mapping exercise is a revelation, and they use it to review their customer journey and improve business processes. This can also happen quite naturally as you look to reduce risk by minimising the number of data touch points and software applications in use within the business; this consolidation exercise should lead to leaner processes and, in some cases, significant cost savings (think licensing, storage costs and operational efficiency).

Clean up your data

Many organisations have only ever accumulated data over time and have done very little in the way of data cleansing; it’s not unusual to see businesses delete the majority of the personal data they hold as part of an initial cleansing exercise. This might sound severe, but if the data lacks legitimacy under the GDPR (think back to the original purpose for which the data was collected and how long it’s been since you were last in contact with the data subject), then getting rid of it will instantly reduce risk (it’s a high-value, low-cost, quick win): the less you hold, the less you have to worry about. Please seek expert advice before pressing that delete key, though, as it’s sometimes possible to re-engineer and/or re-permission the data to restore or retain legitimacy. Please also be sure to check your data retention policy, as you may have to hold on to the data for other reasons or regulations. If you don’t have a data retention policy, then that is one of the reasons why you ought to appoint a data governance board.

Manage your data

The GDPR will force many organisations to make big improvements in the way they collect, store, use and delete data; some will make their first foray into PIMS (Personal Information Management Systems) or even MDM (Master Data Management) as a result. Integrating PIMS or MDM isn’t essential, but for those who are struggling to know where to start, such a system could provide a solid foundation for implementation and help to pull everything together.

Many of the benefits that emanate from a GDPR alignment programme will come from improved records management, data minimisation and better data quality. They include:

  • Reduced risk exposure
  • More efficient marketing campaigns and customer service
  • Improved operational efficiency
  • Better and more profitable business decisions
  • A better understanding of customer habits

Govern your data

And here we are, back at data governance. Commit to data governance and use it to form a holistic approach to data security, privacy and related compliance obligations such as the GDPR. Do it well, embrace the GDPR, and your efforts will be rewarded.

MOYN U.

Global Head of Cybersecurity Operations - A Highly Experienced Cyber Security, Data Protection (GDPR, UKDPA) and Privacy Professional Helping Organisations Become Resilient & Compliant

7y

Great article Matt. Good positives.
