This September we are a supporting sponsor of the DMA’s Data Protection 2018: Beyond the GDPR, a forum to discuss the impact of the GDPR since it came into force and what it means for the future.
We are keen to support conferences like this because – as data specialists and consultants – we know how difficult it can be for many businesses to devote the resources and time needed to comply with data and privacy regulations. We recognise the danger of getting things wrong and can see how much uncertainty still surrounds the GDPR, particularly in the SME sector.
The hype, hope and confusion around the GDPR
The GDPR came into force to give consumers more protection in today’s data-led world. It was created to reflect the changes in technology, the internet and personal data usage since the 1995 EU Data Protection Directive, as well as to align privacy and data protection standards across Europe.
As Elizabeth Denham, UK Information Commissioner at the ICO noted, the regulations were about driving cultural change and greater accountability among organisations in how they gather, store and handle personal data.
The GDPR is open to many interpretations, and in the run-up to “GDPR day” there were those who did not help the confusion. Scaremongering and unreliable information were used to sell software or services, clouding valuable advice and presenting a negative view of the GDPR. Focus was placed upon the potential high fines, matters of consent and the idea that the GDPR would be damaging to business and marketing. This was frustrating for the many genuine professionals and organisations trying to help businesses comply, including ourselves and the ICO.
We saw a lot of re-consent campaigns being run, even when there was no legal necessity to do so. There was a lack of consistency in critical areas such as privacy policies, information notices and consent statements. Many SME businesses we spoke to were convinced the GDPR ‘didn’t apply to them’ because they were too small.
GDPR, where are we now?
Four months on, there is still a good deal of uncertainty among businesses about what they should be doing to comply with the GDPR. This lack of understanding is holding businesses back in several ways. Some are overcompensating, taking unnecessary precautions that stifle their ability to use vital data to grow their business. Others are far too lax in their implementation, or are taking bad advice, and risk significant fines.
Many of those GDPR ‘experts’ who shouted so loudly before May 25th, have gone very quiet.
At Xynics, the most common ‘pain points’ we’ve seen in client organisations are:
- Uncertainty about what was needed to become or remain compliant
- Concerns around obtaining data and its use in future marketing
- Cost of implementation and fear of fines for non-compliance
A common oversight is failing to recognise that each business needs an individually tailored approach. All businesses are different, and a ‘one size fits all’ approach is rarely the best solution.
The GDPR takes a risk-based approach to data protection, and the complexity of compliance scales with the size of the business and the risk of the processing it carries out. Smaller businesses will usually have simpler processes with less associated risk than larger businesses, which may have many employees, less unified teams and a far more complex, higher-risk profile.
Our knowledgeable and experienced team of data professionals, alongside our Data Protection Practitioner, examine every aspect of an organisation’s data flows, processes and objectives. We align these with relevant legislative requirements and build the bespoke data strategy and processes that balance privacy and data protection with business objectives.
What next for GDPR?
Time will tell how exactly the GDPR will shape the business landscape. As the ICO and other European regulators enforce the new regulations, there will be valuable ‘interpretations’ and learnings to take on board - as well as appeals and legal judgments by the courts, which will set precedents and lead to potential changes in the regulations. There is also new legislation forthcoming, such as the ePrivacy regulation that aligns with the GDPR and will further impact on business processes.
For now, it’s critical that businesses realise the GDPR is an ongoing commitment. In practice, a fundamental prerequisite for maintaining compliance is understanding (and documenting) the flow of data throughout the entire business, from initial collection to disposal.
Only then can a business visualise the full lifecycle of data, build a ‘single customer view’, know where in their business any data might be held or used, and assess the potential impact upon the business of changes in processes or objectives.
As an organisation grows larger, having a champion of data protection becomes more important. This is where the formal role of the Data Protection Officer comes in: a single person or small team, internal or external (through companies like Xynics), whose dedicated responsibility is overseeing the organisation’s compliance. Think of them like a conductor working with the orchestra of your business, making sure everyone is playing the same tune.
Data is one of the most valuable assets an organisation can have. Taking responsibility for data protection and embracing the principles of the GDPR helps you build confidence with the individuals who entrust you with their data, and ensures databases are not cluttered with old, inaccurate or irrelevant data, making the data you do keep more accurate and more effective.
Those organisations that get things right do far more than simply adhere to new regulations: they gain a competitive advantage and position themselves as a company that respects the privacy of its customers, which in itself can do much for your reputation among customers.
There’s no doubt getting things right for the GDPR takes investment and hard work, but the long-term payoffs can be significant and lead to genuine business benefits.