It’s time to start thinking about GDPR

You have probably heard the distant drumbeat of GDPR and the shock headlines of “over 92% of businesses have not prepared for the upcoming GDPR legislation”. Well, whether you’re ready or not, GDPR is coming.

This new legislation will kick in on May 2018, and it has raised some eyebrows due to its somewhat stringent rules and the hefty fines it carries for companies  that don’t take adequate measures, especially for global companies (up to 4% of annual turnover or 20 million Euros, whichever is greater). But if adequate preparation is made by companies in their approach to people’s personal data then this shouldn’t become an issue. If they prepare themselves.

It tends to be overlooked that GDPR is a European ruling that has an impact on any business that deals or handles any European citizen’s personal data. So in Europe, although GDPR is gaining momentum with businesses looking to comply, outside of Europe it seems that international companies are hardly paying much attention to this. But this piece of legislation affects any company that deals with European citizen's personal data whether they are in the European Union or not.

Although there have been many discussions about specific aspects to this legislation, like the Right to be Forgotten, the major challenges facing companies is understanding their own data and knowing where it is, so as to be able to comply. There is a vast difference in what a company thinks what its data is, and where it is housed, and the actual reality. This is not a matter of having a checklist to tick off so that it can be determined whether a company is compliant. It is also a matter of knowing how to handle the data as well. The company has to look inwards at its culture and make sure its employees understand the implications of handling personal data, for example copying it onto external media or sending it in an email to someone who should not really have this information. Addressing this at grass roots level should form part of a company’s education to its employees and their protocols.

There are several market sectors, like the financial services sector, that have been regulated already, and because of this may have a tougher time complying with GDPR. But the nature of their business places a financial value on their data or intellectual property so have previously invested in their security. The fact that their data holds some monetary value will also mean that they have invested in applying processes towards their storage and data handling which puts them in a better position to tackle any security breaches should they happen.

Because GDPR is new, it is also an unambiguously explicit and direct piece of legislation. It would be interesting to see how certain parts of it will be interpreted as a matter of practice over time. One of its many stipulation is that individuals must give ‘explicit consent’ for the use of their personal data. This is a grey area and can be interpreted in different ways. This will affect the way certain departments, like marketing, handle and use data, as they have historically been quite regardless in this matter. For companies that generate revenue in collecting and selling data, this has disastrous consequences and could put them underground. Other industries, like social media companies, will have to possibly re-think their agreements with individuals in the way they hold their data. For other companies, as long as some thought is put behind preparing the business on how to handle and legally defend themselves in these grey areas, then they should have little to worry about.

The GDPR legislation is aimed at businesses to show that Europe takes the matter of privacy seriously, but what about the individuals themselves? People can be nonchalant about their own data and who they share it with. Evidence of this is the fact that people share passwords across multiple sites, and that they don’t bother reading their terms and conditions before signing up because they are too long, boring and and difficult to make sense of. Also some are quite willing to give their personal data away for goods and services. The reality is that many people will never invoke their ‘right to be forgotten’ because they may not even know they have that right. Even if they do know, many won’t be bothered and use it only if they have a gripe with the company.

GDPR will be a force for good in the long term, and will force businesses to be less cavalier with personal data and hopefully make more effort into not agitating their customer base. It won’t hinder businesses as long as they take the time to plan and execute their control of their data.

So, I hear you cry, what is a good starting point to prepare a business for GDPR?

• Look at and audit your data and ask how much of it is needed to be kept. Apply data cleansing such as removing useless data helps it become less obfuscated which should make the data easier to search and edit. Ensure you understand where your data is stored, how to access it, who has access to it and how best to protect the data. Also understand the value of your data and think of it like an asset. That usually helps motivate in making the right choices.
• Since ‘explicit consent’ is required from Europeans to hold their personal data, it’s time to start planning on how to get their ‘explicit consent’ as soon as possible. Plan on how to communicate this requirement to your customers and how to address any possible concerns. Also make sure on what legitimate grounds you have to hold this data.
• Ensure that employees are educated to create a culture where data privacy and security is taken seriously. This approach to data security and privacy should be instilled into every process as part of its protocol at every level of the business. Follow the path of the data from the moment it enters the company and make staff aware at every level in its importance. This will help your data privacy and security protocol evolve over time.
• Assign someone to take ownership and responsibility with the latest updates concerning GDPR and how it affects the business. Also ensure which role has responsibility for the different types of data whether it is the Data Protection Officer or an outsourcing company.
• Have a system in place to deal with reporting data breaches which includes a protocol for notifying the people affected. GDPR will impose a strict timeline of 72 hours in where people should be notified along with the relevant authorities and what data was breached. This is good business practice anyway and should be implemented regardless of GDPR. Again, if possible, assign a person to become responsible for reporting and instigating the data breach protocol.

Businesses should start to think seriously now about GDPR, well before it becomes enshrined in legislature as it will be a lengthy task to implement and for some, a painful one also. They should understand its impacts on their business especially if its a global one, have clarity of their data and understand the way they handle European citizens’ data. GDPR will highlight to EU citizens the data that a company holds, which may lead them to want more control of and access to their own data. For companies who don’t give this legislation due thought and implement actions to create a robust and comprehensive data policy, they will face a tough time ahead. The time to prepare is now.