Q&A: Testing times lie ahead as GDPR looms

The General Data Protection Regulation (GDPR) is fast approaching, meaning there is a huge amount for businesses to do to prepare themselves, or risk falling foul of some severe penalties.

We spoke to Peter Galdies, Development Director at DQM GRC, about the main issues that businesses are likely to come up against and what they need to do to prepare.

1. What do businesses need to do to prepare for the GDPR regulations?

The most important priority in preparing for the GDPR today is for all organisations to understand the Who, What, Why, Where and When of all the Personally Identifiable Information (PII) within their control…

  • Whose details do you have? It’s not just customers and prospects that you need to be aware of - what about staff, suppliers and any other data you have on individuals?
  • What specific details do you have? The obvious data in mind are the names and contact details of individuals – but what about their transactions and interactions such as digital data (IP addresses, website visits etc) and so on…
  • Why do you actually have this data? Why was it gathered, and is it excessive to that purpose – are you collecting any personal data that is simply not relevant or useful to your organisation?
  • Where is this data? Where was it gathered, where is it stored – and what’s the data journey in-between? What systems does the data sit on? How does it get there? Has it gone to third parties or suppliers?
  • When was the data gathered? And is the data still required for the purposes it was collected for? Is it still fit for purpose and should it still be retained?

Once organisations have clearly outlined and documented the above, and this information is then maintained through reliable business processes, a degree of compliance and risk can start to be understood.

2. What are the main issues that businesses are likely to come up against?

Firstly, it’s extremely unlikely that organisations will know the answers to the points above – achieving this in itself may prove to be a challenge. Understanding the legislation itself is also not straightforward. It’s likely that organisations will need help from business-savvy practitioners as well as legal advice on adopting the changes that will be required – and that’s after the current “grey areas” within the legislation have been clarified by the authorities.

Subsequently, there is now an essential need for organisations to prepare a breach notification plan in the event that something does actually go wrong. If you’re already clear on what type of personal data you manage (categorisation) and where it is (data flows), then this process will be somewhat easier. However, it’s worth being clear on who will co-ordinate the customer communication, the media response and the remedial activity - and make sure you rehearse this so you are practised in the actual event; consider it a data breach fire drill.

Finally, getting the backing from senior management teams to re-engineer systems and business processes over the next two years may prove to be a task. The thought of being fined 4 per cent of global turnover may help with this, but the natural inertia in organisations will make this time disappear rapidly.

3. Is there a way for organisations to assess their level of compliance?

Detail is key here – you will need someone who fully understands the legislation and who can identify the areas of risk to address in your organisation. The GDPR RADAR from DQM GRC is a unique data protection assessment that will score an organisation’s current fitness against the new regulation, outline where it needs to improve and set a bespoke programme to get the organisation to where it needs to be.

4. How difficult is it going to be for the technology industry to rebuild consumer trust?

It is going to be challenging - organisations need to use their data both proactively and responsibly, and this balance will always be hard. There will always be breaches of trust, and organisations need to start thinking “when” there will be a breach as opposed to “if”. However, the mitigation is to respond to these incidents quickly and comprehensively, whilst also improving processes and being transparent with the individuals who have been affected.

5. What do you think the future holds for data protection?

The redrafting of the EU ePrivacy directive is bound to mean even tighter controls over and above the GDPR on how organisations use data. The ways in which data is being created, gathered and utilised are changing quickly – think of the Internet of Things (IoT) and smart devices – and this brings more risk to the fundamental right to privacy that we all have.

The good news for organisations is that individuals are becoming aware that their data has value, and are perhaps becoming more open to a real value exchange.

This does mean that ultimately all organisations should respect the personal data they have in their possession and treat it like it is their very own – otherwise the new “privacy aware” consumer may decide to take it elsewhere.
