2018 was a big year for businesses and their responsibilities towards personal data. High-profile political discussions on the use of personal data by social media giants and search engines cast an unflattering light on the privacy strategies of some of the world’s leading operators and, along with new legislation such as the GDPR, brought the debate on data usage not just into the public domain, but also into the minds of organisations, large and small.
A climate of interest and obligation has manifested as a result: an environment where support for tougher safeguards with respect to protection of data is growing, not just in Europe but in countries such as Argentina, Brazil, India, Japan and the US – where a Federal Data Protection Law is now under serious consideration.
Supervisory authorities – the bodies that enforce the legal frameworks at a national level – have risen in prominence, too, with recent legal proceedings in Germany and France against negligent and non-compliant organisations, the publishing of a ‘fining policy’ in the Netherlands, and broader, pan-European action against major organisations, exemplifying the seriousness with which regulation is being treated and enforced.
For many across Europe, the transition to the new baselines has proved challenging – with surveys carried out by TechPro, the Federation of Small Businesses, and TrustArc in April and November 2018 revealing the ill-preparedness of operations. For example, they found that just 15% of multi-national organisations were ‘GDPR-ready’ ahead of May 2018, and that, for SMEs, the figure was even more depressed, at 8%. They also revealed, six months later, that while some work had been done, compliance rates were still some way off, at 35% and 20% respectively.
There has, however, been an upswing through the early part of 2019 – with a recent Cisco survey putting the UK-operator figures for GDPR compliance at a much healthier 69% – and it seems businesses are now beginning to see the benefits of privacy investment more clearly, in the form of improved protections against data breaches, increased operational efficiency and alignment with new technologies, and reduced sales delays.
The reality is dawning on many that data protection and privacy investment are here to stay, and that this work is not simply compliance for compliance’s sake.
There are real opportunities and rewards to be had – and, below, I have set out 5 areas where I believe compliant operations will see immediate, and long-term, returns on their investment.
The GDPR requires organisations to implement an appropriate level of security to prevent data loss, information leaks and other unauthorised data processing operations. There is no single platform for ensuring data loss prevention in any business, large or small. Simply put: every business will have multiple platforms where data is processed. So, what the GDPR has done, even for companies that already had strong security in place, is highlight the need for collaboration across business teams, so that everyone knows what personal data is being processed, where it resides, and how it’s being safeguarded. The GDPR can also be used as a platform for discussion about future goals and anticipated requirements, and how security will need to be expanded, extended and/or changed to ensure continued adherence in the event of an upward revision.
Reduced maintenance costs
Although there are initial costs, in the long run, complying with the GDPR or any other privacy framework will help reduce costs across organisations by prompting them to retire any data and applications that are no longer relevant to operations. By following the GDPR’s mandate to keep inventories of processing activities up to date, businesses can significantly reduce expenditure on data storage by consolidating information that is present in silos or stored in inconsistent formats.
Improved customer confidence
The standout benefit of privacy compliance is the assurance it provides customers. Adherence illustrates a business’s focus on data protection, and gives consumers peace of mind that the organisation they’re dealing with is likely to have a data protection professional on staff, who will undertake regular audits of data processing activities, and ensure the necessary framework is in place to keep data subjects’ personal information secure. More and more customers are demanding this of organisations that process their data.
Broader, more rapid decision-making
In short, this means the data a business holds will become more consolidated as a result of GDPR compliance, and ensures that it is easier to use, more accessible and that businesses have a greater understanding of its underlying value. This insight gives organisations the opportunity to learn more about their customers, and identify areas where customer requirements are not being met. By using customer information effectively, a compliant organisation will be able to make better decisions and, consequently, get a better return on its privacy investments.
Greater alignment with evolving technologies
As an extension of GDPR compliance, businesses will have to move towards improving network, endpoint and application security. Migrating towards the latest technologies can serve two key purposes: one, it provides a way to more effectively manage the growing demand for data, and two, it offers end users augmented products, services and processes.
With third-party management tools, such as OneTrust, organisations can also monitor new, global developments, manage their privacy programme and better protect themselves against a data breach. Some of these tools allow for the tracking of the data transferred outside an organisation’s environment, and will also check the integrity of files and folders in networks, endpoint devices and applications, as well as on the cloud. Most will send out an alert notification on detecting an anomaly, which, in turn, gives data officers time to minimise or avert any compromise.
With our business environments changing, and personal data becoming a real commodity, the GDPR presents an opportunity for Irish operations to stand out and broaden their appeal.
The upfront costs may be daunting, particularly for those in the SME bracket, but the benefits – in terms of both protections and bottom line profits – are real.
By Barry Cook, who is a Privacy and Group Data Protection Officer at VFS Global, a leading outsourcing and technology services specialist for governments and diplomatic missions worldwide.