After four years of discussions, the European Parliament finally passed its vote for the new General Data Protection Regulation (GDPR) last month, leading us into a new age of data protection for European citizens, and the businesses they interact with. Over the next 24 months, businesses will have to get to grips with the regulations and ensure they are fully compliant by the time the new laws come into play in 2018.
The regulation sets out to harmonise data protection law across Europe and to make it applicable to both European and non-European companies offering online services in the EU. To date, organisations processing the personal data of EU residents have had to deal with a patchwork of 28 different national data protection laws.
Data for good
This new legislation, in short, will bring much needed clarity to the data market. Individuals need to be clearly informed about how their data will be used, and this is especially true in today’s threat landscape. Every week we are faced with yet another news story about a high profile company suffering a data breach in which sensitive and valuable customer information has been leaked onto the internet. Ultimately this data ends up in an online marketplace on the dark web, where it passes into the hands of the criminal with the highest bid. It is therefore no surprise that we are now more concerned than ever about the state of our data. In fact, GBG research found that 86 per cent of consumers were worried about identity theft, while 83 per cent feared that someone could obtain their data for profit.
However, whilst these concerns are justified, we shouldn’t just see our data as something risky. All too often, people forget the benefits of sharing data. For example, earlier this year the former Mayor of London heralded a dramatic increase in the number of London hospitals sharing data, as more than half of London’s emergency departments now share information with the police to help improve public safety, solve crimes and reduce violence across the capital.
In addition, when done properly, data-driven marketing means that you are not bombarding your customers with marketing for products or services they have no interest in. By using the data accumulated by businesses effectively, marketers can create targeted campaigns that result in satisfied customers. Today, companies need to use the data available to them intelligently, both to protect individuals from security threats and to give them the customer experience they expect from a brand.
Responsible data protection
This protection of individuals in the EU is at the heart of the new legislation. In fact, the European Parliament said it believes the regulation will 'ensure that the fundamental rights to personal data protection is guaranteed for all'. To that end, the legislation sets out a number of principles for the processing of personal data, including that personal data has to be processed lawfully and in a transparent manner. It also has to be collected for specified, explicit and legitimate purposes. This point is interesting - especially when we consider that in the same GBG research, over half of the businesses surveyed (59 per cent) said they collect data which is not used, or not useful, to the organisation.
A requirement that exists today and continues under the EU GDPR is that personal data has to be accurate and kept up to date. Businesses must take every reasonable step to ensure that inaccurate customer data is erased or rectified without delay. Finally, it is the businesses themselves that are responsible for following these principles, and they have to be able to demonstrate compliance.
Overcoming the challenges
Of course, complying with these new regulations will not be without its challenges. So how can companies overcome them to ensure they are ready for 2018? Here are my top tips:
1) Change your mindset
Compliance has typically been treated as a tick-box exercise. Your organisation needs to establish new internal controls to ensure compliance as quickly as possible. It is important to be proactive, continually assessing how data is processed to ensure that the fundamental rights and privacy of individuals are honoured.
2) Clean up your data
Take stock of all the customer data held within your business and then decide which data you should keep hold of and which you can get rid of. Of course, when it comes to disposing of customer data, it is crucial that this is done in a safe manner. Organisations have a duty of care to ensure customers are not put at risk of fraud or identity theft.
3) Be introspective within your organisation
The ICO (the UK Information Commissioner’s Office) has also published a 12-step checklist, which is a great starting point for businesses needing a step-by-step guide.
Two years may seem like a long time, but it will pass faster than we expect. My advice would be not to delay: read the steps outlined in the checklist and consider how they apply to your organisation. Compliance with the new regulations is not something an individual can achieve alone. Successful implementation and ongoing review will only come from company-wide awareness, with controls in place that flag where a plan is required. As the saying goes, 'don’t put off until tomorrow what you can do today'. Businesses that take action now will find themselves in a much more advantageous position come 2018.
Kate Lewis, Head of Data Strategy, GBG