Last updated: 21 June 2016
Quite a few articles have already been written about the European Union’s new privacy legislation – the General Data Protection Regulation or GDPR, as it’s known to its friends (although if you’d read many of those articles you wouldn’t think it’s got that many UK pals).
There is sometimes a grudging acceptance that harmonisation across Europe will provide some benefit, if only to multinationals operating in a large number of countries, but far greater emphasis is put on the difficulties the new legislation presents to businesses.
In this blog I’m going to argue that there is another side to the coin.
I don’t deny the challenges that the regime will provide for many companies, from increased transparency to the accountability principle.
There are going to be cultural as well as organisational challenges which companies will have to meet. It’s not going to be easy to embed privacy by design and default, let alone the Data Protection Impact Assessments that will have to be put in place. Many operational and product design teams will suddenly become all too aware of data protection and its implementation, whilst hanging overhead, like the glinting blade of the guillotine, will be a fine of up to 4% of global turnover.
Despite, and in some instances because of, these constraints I do believe it will be possible to gain competitive advantage from the strictures that the GDPR will impose. However, to gain this benefit an organisation will need to take a more strategic approach to both privacy and data management than many have ever achieved before.
So where can these advantages come from?
The answer of course lies in the personal data itself. I’m sure you’ve heard the now overused phrase “data is the new oil”; the problem is that many companies have been taking the data in its raw form and trying to use it without the pesky cost of refining the stuff.
For data analytics to work at its true potential the data you need is clean data: data that is up-to-date; data that’s accurate; data that’s relevant; and when it comes to personal data, you need its use to be acceptable to each individual.
In years gone by the marketing department often measured its prowess by the size of its database, but rather like the executive that could gauge his success through the depth of his carpet, I think those days are over. Clean data means clearer profits.
Many of the principles that would assist in refining data already exist under the present directive: data minimisation; accuracy; storage limitation. They haven’t changed much in the GDPR, a little tweak here, a small tightening there, but the enforcement mechanisms have changed dramatically.
As part of that increased transparency companies will need to tell their customers what purposes they’ll be using their data for, and far more scarily, how long they will keep it for.
When I raise the issue of Records Management in organisations from the public sector to high tech start-ups, eyes tend to drift down to shoes, to the corner of the room, or indeed anywhere that will avoid my gaze. Records Management is to most companies what cleaning their teeth is to many teenagers. Something they know they should do, but only get round to when chased by a grown-up.
Yet without this basic building block of data cleansing, our systems are increasingly clogged up with out-of-date, inaccurate and frankly often useless data.
But how can this be built into a competitive advantage? Surely if it applies to all companies then no one will be able to get ahead of the competition?
The point here will be not whether one has to do it, but the efficiency and the mechanisms employed.
Some of course will bumble along in the hope that it never gets noticed, that they won’t be hacked, their customers don’t care, or that the regulator will never come calling. But effective Records Management could have an impact on an organisation way beyond the data protection regime:
- timely customer interactions
- reduced storage costs
- less wasteful marketing campaigns
- lower security risk
- lower likelihood of regulatory intervention
All are quite achievable but will only work as part of a cohesive data strategy involving a realistic assessment of the data you have, the data you need and the most effective use of it. But before these advantages can be attained a more fundamental question needs to be addressed: can we keep it safe?
The GDPR’s emphasis on data security
Security is another principle maintained from the directive, although it is now called integrity and confidentiality. On an initial view, apart from the name, not a great deal has changed: the language around the security of data has been maintained as “appropriate technical and organisational measures”.
The phrase gives little guidance, but also great freedom for interpretation. However, as ever, the devil is in the detail: further into the regulation a new section is introduced which emphasises the risk-based approach that the Council of Ministers was keen to introduce, “taking into account the state-of-the-art, the cost of implementation and the nature, scope, context and purpose of processing as well as the risk of varying likelihood and severity”.
That’s quite a long-winded way of saying: it’s up to you guys to decide how you want to deal with this, but if you get it wrong we’ll be coming down on you like a ton of bricks. And don’t forget the mandatory data breach notification that is included in the article of the regulation which follows.
Combined with the fines (remember them? Four percent of global turnover?), this provides quite an incentive to get your security right. But as this will apply to all, can anyone, again, gain a competitive advantage from it?
I believe it will be possible, but only as part of that overall strategic view of the significance of data inside the organisation.
Let me give you an example. When the files hacked from the Panamanian law firm Mossack Fonseca first arrived in the inboxes of journalists across the globe, I suspect a trickle of sweat ran down the spines of a large number of our more “inventive” professional services firms. For them, suddenly, the question will not have been “what is the cost of encryption?” but “what was the cost of not implementing it?”
However, I think this should also be true for firms who have more everyday clients. Law firms by their very nature will often be holding the crown jewels of a company’s data, yet I doubt if their information security practices and policies are often analysed in any depth when their legal expertise is being selected.
Look into the near future, to a major corporation refreshing its panel law firms: I would be very surprised if one of those firms were not emphasising its increased levels of security, and if this did not suddenly become one of the factors that could clinch the deal.
Using the GDPR to establish trust
Ultimately taking the GDPR seriously and implementing its regime in a structured and effective manner will provide a prize that has, to date, eluded many of the major players online. Trust. The online world is by its very nature opaque; you cannot be certain, as the reader of this blog, precisely who has written it. So you have to start relying on other information you can gather.
For example, this blog is hosted on a Gemalto website; they specialise in security, so their website is going to be well defended. Some of you may have encountered me as a writer or presenter and think it likely that I am the author, as this article develops themes that I have spoken about before. So you’ll probably conclude the blog is valid.
However we all know that this “trust” is not automatic for much of the information on the Internet. Yet we all use it, despite the fact we are not convinced of its trustworthiness.
Unfortunately for commerce this nervousness about who people are dealing with is increasing as stories of phishing and Internet fraud abound. But this very nervousness provides a market opportunity, one which companies like Gemalto will offer to help fill with products like encryption and access security.
At first sight the GDPR just becomes a simple regulatory pressure on companies to do the right thing. But I believe that for those who can invest in, and more importantly truly demonstrate, high levels of security, there may well be a greater prize: the possibility of creating an environment in which their customers’ trust is reflected, not just in a warm glow, but in the bottom line as well.
This post was provided courtesy of guest blogger James Leaton Gray, Director at The Privacy Practice and previously Controller, Information Policy and Head of Information Policy & Compliance for BBC. Connect with James on Twitter via @JamesLeatonGray.