GDPR by design: The operational impacts of the new legislation
In just 10 days the GDPR comes into force, and many organizations are looking at the compliance deadline as just that: a deadline. But 25 May 2018 is only the beginning for GDPR.
The media coverage surrounding GDPR has focused largely on financial impact, with experts from various industries highlighting the penalties and the challenges posed by reputational damage. Scaremongering aside, the C-Suite’s focus has understandably been on achieving compliance by the deadline, but there has been less discussion of the ongoing operational impacts of the GDPR.
Day-to-day business operations
Following the deadline, organizations need to ensure that their data processing activities are aligned with the data protection principles set out in the GDPR. Organizations must pay close attention to the principles of transparency and data minimization while implementing new data processing activities.
The principle of data minimization means that organizations process only the minimum amount of personal data necessary. This represents best practice for maintaining customer trust while reducing the risk of unauthorised access to the data and the potential security threats that follow from it.
GDPR also introduces a requirement for many organizations to appoint a data protection officer (DPO). The DPO’s job is to monitor internal compliance and to inform and advise on an organization’s data protection obligations. The DPO must also provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects. A DPIA helps organizations identify, assess and minimize the privacy risks of data processing activities. This applies to all legacy processes and systems, as well as whenever a new data processing process, system or technology is introduced. This means that GDPR requires continuous attention from organizations.
The reason proving compliance is so important is that if an organization is hacked, demonstrating compliance shows that the company took precautions to prevent a breach of data, and this can help to save it from a fine.
Benefits of GDPR
Despite the GDPR’s strict requirements and operational changes, there will be benefits to organizations beyond compliance. Following the Facebook/Cambridge Analytica scandal, data protection awareness is rising amongst consumers, and subsequently consumer trust is decreasing.
A ForgeRock survey found that 92% of global consumers say they want to control what personal information is automatically collected, and 74% are concerned that small privacy invasions may lead to a loss of civil rights. The benefit of introducing uniform legislation is increased transparency, which will build trustworthy, GDPR-compliant relationships with consumers.
This means GDPR can also act as a competitive selling point. Third-party non-compliance can leave a company liable to penalties, so businesses will only be interested in doing business with other organizations that can demonstrate effective control over their data.
Increased efficiency and cost savings can be achieved if compliance is met too. According to a study by Veritas, 85% of all data stored by companies is considered redundant — and the cost of server space and time for managing this data is immense. A motivation to maintain compliance should come from a desire to operate more efficiently, to reduce costs associated with data storage, and to create a competitive advantage by processing customer data more effectively.
Privacy and security by design
Privacy and security are two different aspects of the GDPR. Privacy and security by design were formerly considered best practice but are now a mandate, meaning that privacy must be embedded in every step of each process. Most of the C-Suite has so far spent time and money protecting the perimeter of their organizations, focusing on security processes rather than implementing an equally privacy-focused approach.
Organizations need to develop a framework that IT can use to incorporate privacy best practices by design and by default. This means that business leaders need to ensure that future innovations and investments in areas such as Cloud, IoT, and Blockchain are discussed in terms of their implications for security and privacy compliance. A key challenge for the C-Suite has been building upon the security investments they’ve made in the past.