We live in a data-driven era. In the past two years alone we have produced more data than in the entirety of the earth’s existence. This explosion of data provides businesses with a huge opportunity to deliver greater services to customers, as well as drive efficiencies and increase productivity. That said, with opportunity comes responsibility, and the exploitation of personal data now dominates the business news agenda. You need only look back at the news headlines to encounter countless examples of big name businesses that have been victim to a data breach – examples ranging from the infamous Ashley Madison scandal, through to telecom giant TalkTalk. As this threat to data has increased, the legislation of data protection has evolved. The birth of the European Union’s General Data Protection Regulation (GDPR) is a key outcome of this. A milestone in compliance regulation, labelling this as a game changer does not go far enough. However, despite its importance – and with less than a year to go – there remains a disturbing level of misunderstanding, writes Keith O’Leary, principal consultant, Sungard Availability Services.
What exactly is GDPR? The European Union recognises, and places great importance on the following:
(1) The right to private life as a universal human right and
(2) The right to have one’s personal data safeguarded as a distinct, standalone universal human right.
It is by attaching rights to an individual’s data separately to the right attached to an individual, that the EU can demand EU-grade data protection standards on businesses in other countries. The GDPR impacts any business within the EU, regardless of vertical, business size or jurisdiction. Given the importance that is placed on an individual’s data, the legislation also applies to any business that deals with the data of any EU citizen. Given this extra-territorial impact of the law, a great deal of organisations around the world will come within scope of EU data protection laws for the first-time, as of May 25, 2018.
What will it do?
The various components of the regulation are fast and far reaching, but key rules that will become enforceable are as follows:
Ensuring the appropriate authorities are notified of a data breach within 72 hours. A fine of 2pc of global revenue is enforceable if this has not taken place. A fine up to 4pc of global revenue or 20 million euros (whichever is a higher value) for intentional or negligent violations. Depending on the nature and severity of the data breach, companies may also be forced to disclose details of the incident to customers.
As outlined, huge financial and reputational consequences are at risk if you don’t comply. Unsurprisingly, the media has honed in on this, with the strain this will place on businesses a well-sung verse. What is less widely publicised is the positive impact this legislation will have on businesses, and the opportunities it affords. The GDPR is designed to better facilitate business across the largest digital market – whether that’s keeping the door open for organisations to do business with the 440 million people within the EU, to maximizing the value of data whilst also protecting it. A correct implementation will help businesses:
manage data privacy risk
implement good records management practices
streamline business processes
increase resilience
benefit from cost savings
benefit ultimately from a more competitive market position.
To take advantage of these opportunities and mitigate risk, senior management need to champion GDPR as a key strategic initiative. With less than a year to go, the worst thing your organisation can do is nothing. A simple three-step process towards GDPR compliance includes:
COACHING
Attaining GDPR compliance is approximately 1 percent technology implementation and 99 percent change management, because it impacts both the people and processes across your organisation. Keeping focus and remaining on schedule can be hard — especially since people resist changes in how they perform their jobs.
PROGRAMME MANAGEMENT
From implementing your programme to sustaining it over the long term, you should partner with a provider that can help you meet compliance timelines and goals, so you can focus on other IT and business initiatives. From the outset of your programme planning, to regular review points on an agreed-upon or ad hoc basis, you should have this support to achieve GDPR compliance.
PRIVACY IMPACT ASSESSMENT
A Privacy Impact Assessment provides a structured process to help you identify the most efficient way to comply with data protection regulations. It should include an evaluation of information flows, privacy-related risks and potential privacy solutions.
Like it or not, GDPR is on its way and – while a substantial task – sticking one’s head in the sand is a one-way ticket to not only be left behind, but be out of the game entirely. The GDPR is a modern legislation, designed for a data driven age. It will be vital for businesses of all sizes, sector and reach, and is not something our industries can ignore.
