You have probably heard the distant drumbeat of GDPR and the shock headlines of “over 92% of businesses have not prepared for the upcoming GDPR legislation”. Well, whether you’re ready or not, GDPR is coming.
This new legislation applies from 25 May 2018, and it has raised some eyebrows because of its stringent rules and the hefty fines it carries for companies that don't take adequate measures, especially global ones (up to 4% of annual worldwide turnover or 20 million Euros, whichever is greater). But if companies prepare adequately in their approach to people's personal data, the fines shouldn't become an issue. The condition is that they actually prepare.
It tends to be overlooked that GDPR is a European regulation with extraterritorial scope: it applies to any business that handles the personal data of individuals in the European Union, wherever that business is established. So while GDPR is gaining momentum in Europe, with businesses looking to comply, international companies outside Europe seem to be paying it little attention. Yet this piece of legislation affects any company that processes the personal data of people in the EU, whether or not the company itself is in the European Union.
Although there have been many discussions about specific aspects of this legislation, like the Right to be Forgotten, the major challenge facing companies is understanding their own data and knowing where it is, so as to be able to comply. There is a vast difference between what a company thinks its data is and where it is housed, and the actual reality. This is not a matter of ticking off a checklist to determine whether a company is compliant. It is also a matter of knowing how to handle the data. The company has to look inwards at its culture and make sure its employees understand the implications of handling personal data, for example copying it onto external media or emailing it to someone who should not have that information. Addressing this at grassroots level should form part of a company's employee education and its protocols.
Several market sectors, like financial services, are already regulated, and because of this may have a tougher time complying with GDPR. But the nature of their business places a financial value on their data or intellectual property, so they have previously invested in their security. Because their data holds monetary value, they will also have invested in processes for storage and data handling, which puts them in a better position to tackle any security breaches should they happen.
Because GDPR is new, it is not yet clear how explicit and direct a piece of legislation it will prove to be in practice. It will be interesting to see how certain parts of it are interpreted over time. One of its many stipulations is that individuals must give 'explicit consent' for the use of their personal data. This is a grey area and can be interpreted in different ways. It will affect the way certain departments, like marketing, handle and use data, as they have historically been quite careless in this matter. For companies that generate revenue by collecting and selling data, this has disastrous consequences and could put them out of business. Other industries, like social media companies, may have to rethink their agreements with individuals about how their data is held. For other companies, as long as some thought goes into preparing the business on how to handle these grey areas and defend itself legally in them, they should have little to worry about.
The GDPR legislation is aimed at businesses, to show that Europe takes the matter of privacy seriously, but what about the individuals themselves? People can be nonchalant about their own data and who they share it with. Evidence of this is the fact that people reuse passwords across multiple sites, and that they don't bother reading terms and conditions before signing up because they are too long, boring and difficult to make sense of. Some are also quite willing to give their personal data away in exchange for goods and services. The reality is that many people will never invoke their 'right to be forgotten' because they may not even know they have that right. Even if they do know, many won't be bothered, and will use it only if they have a gripe with the company.
GDPR will be a force for good in the long term. It will force businesses to be less cavalier with personal data and, hopefully, to make more effort not to agitate their customer base. It won't hinder businesses as long as they take the time to plan and execute their control of their data.
So, I hear you cry, what is a good starting point to prepare a business for GDPR?
Businesses should start thinking seriously about GDPR now, well before it comes into force, as implementing it will be a lengthy task and, for some, a painful one. They should understand its impact on their business, especially if it is a global one, have clarity about their data, and understand the way they handle the data of people in the EU. GDPR will make EU data subjects aware of the data a company holds on them, which may lead them to want more control of, and access to, their own data. Companies that don't give this legislation due thought and implement a robust and comprehensive data policy will face a tough time ahead. The time to prepare is now.