How can companies overcome the compliance challenges of the GDPR?
Richard Brearley, head of compliance (EMEA) at Macquarie led our debate on the General Data Protection Regulation (GDPR) which comes into force in May 2018.
The introduction began with an interrogation of the likely impact of the GDPR; is it a significant game changer or does it represent incremental change under a tougher enforcement regime? Either way, it is clear that compliance will be more than an IT box-ticking exercise.
The GDPR is principles-based rather than rules-based legislation, requiring organisations to understand their data, how it is managed and what the risks are. One of the biggest shifts is the emphasis on the rights of the individual which may require a change in approach for many organisations.
Some will embrace this as a means of improving service and reputation, acknowledging that as data protection has become an increasingly important issue for individuals it matters how a company handles that information be that data of staff, customers or suppliers.
Governance and accountability will be critical to effective GDPR compliance, this needs to become a board issue, with responsibility at the top of the organisation. Businesses will need to risk assess their data management systems, ensure that individuals’ rights are protected by investing in appropriate systems and controls, check consents to understand what they can and cannot lawfully process and ensure that a breach management process is in place.
So are we afraid?
The penalties are high which places significant pressure on corporates to get this right. Evidence to demonstrate that adequate procedures are in place to safeguard data is likely to be seen as the biggest burden of the legislation. However, protecting and safeguarding data is really about good business management. The reality is that technology has transformed our ability to hold and process data. The GDPR shines a light on the fact that for many organisations, the management of data is not in line with our technological capabilities to capture and hold information. Businesses need to acknowledge and overcome this in order to manage the transition to GDPR compliance.
So what are the challenges?
- The principles-based approach was cited as a major challenge as there is a degree of interpretation and judgement required.
- Enforcement is also a real concern. There is a little understanding as to how the regulators will enforce the legislation although it was expected that the Information Commissioner’s Office will be looking for the opportunity to prosecute a ‘rogue’ organisation to demonstrate that it has teeth and is taking the regulation seriously.
- The emphasis on evidence, it was feared, would add complexity which could put the focus on creating a paper trail rather than investing in robust data management systems and procedures.
- There was some scepticism about how much data privacy means to UK consumers. If UK consumers are unconcerned about how their data is utilised, the new law could mean significant investment in systems and controls for no business benefit. The cost of transferring data on request could be a financial drain on companies.
- Could this be a threat to freedom of speech? Could important documents from archives be removed under the right to be forgotten making it harder to hold people to account?
- The UK government will have the right to ask for certain derogations which are as yet unknown, adding a layer of uncertainty to preparations.
- Data bases could be significantly reduced as organisations seek to comply with the new regulations around consent, purpose and lawful processing.
And what are the opportunities?
- GDPR provides companies with an opportunity to build customer trust in their business which could improve sales and business performance.
- It will contribute to raising business standards, becoming central to how a business operates and resonating with brand values.
- It will help drive consistent practice across borders creating a more secure environment for transferring data which will increase opportunities for doing business. It provides greater legal harmonisation, removing some of the complexities of geographical variations in law.
- Employing robust data management practices can be utilised as a means of improving customer service, which can provide an advantage.
- It presents an opportunity to clean up the data held so that businesses can communicate with customers in a more effective and targeted manner, which can help drive sales.
- GDPR represents progress in data handling, most companies have the skeleton in place, the legislation will be the driver for moving this forwards and improving data security and data handling.
- Taken seriously, this should become a board issue which should ensure that effective resources are put in place to build strong systems that can help businesses realise potential business benefits
- Understanding data thoroughly provides businesses with a means of knowing their staff and customers which represents an opportunity for improving how they do business which can be used to competitive advantage.
Some businesses called for a co-regulatory approach with trade bodies writing operational rules by sector that would have the regulator’s approval. Trade body involvement would also create the opportunity to share best practice within sectors?
Culture will also be important to compliance success, particularly when it comes to evidencing privacy by design.
For many, GDPR compliance was seen as an opportunity to stress test existing procedures to make sure they are fit for purpose; it is more about improving what is already in place.
Effective GDPR compliance will be about ensuring that organisations have adequate procedures in place to mitigate data privacy threats and demonstrate a committed approach to data protection that, by design, respects and prioritises the rights of individuals. This is likely to be best achieved when embraced as part of corporate culture; a demonstration of how the organisation conducts its business.
GoodCorporation’s Data Protection Framework can help businesses risk assess their data management procedures, providing a gap analysis that identifies strengths and weaknesses and assist with the development of an action plan to improve existing processes so as to be ready for GDPR.