When the General Data Protection Regulation (GDPR) was introduced, it was the largest piece of data regulation ever passed by the European Union.
GDPR is important because it improves the protection of European data subjects’ rights and clarifies what companies that process personal data must do to safeguard these rights.
All companies and organisations that deal with data relating to EU citizens must comply with the GDPR.
Most companies process some personal data on a regular basis. The GDPR has severe implications for non-compliance – the consequences could be heavy fines and a damaged reputation. GDPR allows for massive penalties of up to €20m or, if higher, as much as four percent of global revenue.
Within the broader context of data protection regulations, Europe has had laws covering data protection for over four decades.
The Data Protection Directive (1995) helped define rules on information management. However, the Directive was not fit for purpose in the digital age, and something else was needed to deal with the modern digital needs of businesses and processes.
Previous laws were also limited in their scope, penalties were often weak, and individual EU countries went their own ways in interpreting the Directive.
GDPR was implemented because it harmonises rules across EU member states, rather than leaving each member state to fend for itself, as was previously the case.
In January 2016, it was calculated that over 510 million people live in countries governed by the European Union – more than one-and-a-half times the population of the United States. This shows the scope of the directive and how important it was to implement a cohesive regulation.
It is also important to note that GDPR requires clear consent: that is, data held on subjects may only be used for the purpose agreed. The definition of that data is very broad and can include not just names, addresses, email addresses and telephone numbers, but also social media updates, pictures and IP addresses.
The need for data protection has never been so great. Almost all organisations today will be sitting on customer data and employee data.
Data in the web era is used to market to us based on our search histories, transactions, preferences and interests. Organisations can also mine data for defensive purposes, for example to spot behaviour that is indicative of fraud or other criminal behaviour.
Irresponsible and reckless use of personal data has already been brought into the full glare of the public spotlight, and there is a growing awareness of how data is used (and sometimes misused).
GDPR could also be seen as a catalyst for change within organisations, as the act of putting new data management structures in place and revising workflows creates efficiencies and a platform for data-driven insights.
GDPR might appear to be a purely defensive measure, but it could also act as a stimulus for broader change and could create business opportunities.
The implementation of GDPR good practice within businesses is not a quick fix, but with new processes in place and more robust data platforms, organisations will be better able to mine their data and decades of experience. Some forward-looking organisations will work on GDPR alongside wider digital transformation projects across websites and apps that reinvent the company, its brand, its ways of doing business, and how it transacts.
Taking the right steps
By acting now and putting in place the right tools and processes, organisations will find GDPR manageable, and the actions taken to comply will lead to a competitive advantage, enhance reputations for best practice, and act as a platform for better data insights.
An obvious starting point is to conduct a full data audit with a gap analysis and review of processes and workflows, under what is termed a Data Protection Impact Assessment (DPIA).