GDPR – too restrictive, or a force for good?

By Mohsin Khan | October 31, 2017 | Categories: Blog

Given we live in an increasingly data-driven world, it’s only right that there should be stringent laws to help protect that data. But for organisations, the fast-approaching deadline for compliance with the European Union’s General Data Protection Regulation (GDPR) represents a significant change management challenge. GDPR, which comes into force on 25th May 2018 and replaces the Data Protection Directive of 1995, aims to protect all EU citizens from privacy and data breaches.

Companies will need to reassess and re-calibrate their policies, processes, technologies and cultures as they strive to comply with key changes around consent, data erasure, data breach notification and data portability. With the clock ticking, having a clear plan in place is vital, particularly in light of the UK Information Commissioner Elizabeth Denham’s recommendation last October that company directors should be held personally liable for any breaches of data protection law.

Prevention is better than cure, and good preparation helps businesses avoid data breaches by identifying and eliminating vulnerabilities. But can GDPR adherence be more than just another onerous regulatory task? Can GDPR compliance add value to a business, rather than simply shield it from fines for non-compliance?

Many see the regulation as being a threat to existing business models or an obstacle to innovation, but perhaps GDPR ought to be seen as an opportunity for organisations to turn rigorous information governance to their advantage. So how can GDPR adherence be a force for good?

  • Cost reduction: a good GDPR gap analysis may show firms where they need to streamline their operations, which often results in reduced costs.
  • Insight: mapping their data and really understanding it gives firms the potential to unlock the insight needed to breed new lines of products and services.
  • Better customer experience: GDPR compliance can sharpen the focus on customer-centricity and customer trust, leading to an enhanced customer journey.

Of course, it’s not just about the carrot: the benefits GDPR adherence can bring to your business. It’s also about the stick, and what befalls you if you fall short. Penalties for non-compliance are huge, with a maximum fine of 20 million euros or four percent of global annual turnover (whichever is higher) for the most serious violations of the regulation, such as processing customer data with insufficient consent or infringing the core Privacy by Design concepts. And it’s a complex landscape. The laws apply to both ‘controllers’ and ‘processors’ of data, meaning cloud computing is not exempt.

The new data breach rules make it mandatory for controllers (i.e. the cloud computing clients) to notify the supervisory authority within 72 hours of a breach being identified, putting a strict deadline on incident management. With massive fines lurking, the importance of having the correct reporting processes in place cannot be overstated. Added to that, the goalposts will keep moving: next year’s deadline is not the finishing line. New guidelines will continue to be issued as good practice develops.

Clearly, the path to GDPR compliance is multifaceted and a holistic approach is necessary. But although compliance is an ongoing endeavour, it has the potential to add far more value than it appears to at first glance.