In our fast-paced digital world driven by Artificial Intelligence, virtual reality and the Internet of Things, one might be forgiven for thinking that the UK’s Data Protection Act 1998, conceived in the last century before Facebook and Google were even born, is inadequate.
Enter GDPR, the new UK and European law governing data protection, which is designed to bring UK and European data protection into the digital 21st century, and take account of the explosion of digital and technology services that surround our daily lives.
However, the implications of GDPR will extend considerably beyond just the UK and EU and will trigger the next wave of global digital transformation.
What is GDPR and why does it matter?
Many professionals, particularly those in legal, compliance and IT functions, will be familiar with GDPR by now, but outside of these areas a lot of uncertainty remains. The General Data Protection Regulation entered into force on 24 May 2016 after 4 years of deliberation and, following a two-year grace period, will apply from 25 May 2018. Extraterritorial in nature, it will affect any organisation providing goods and services of any kind to EU residents, regardless of whether or not the business is situated within the EU.
The new Regulations will give consumers and employees unprecedented rights over their personal data, giving people the opportunity to peer deep into the systems and processes of service providers and find out how they store, use and share their personal data.
For businesses that fall foul of the Regulations, the impact will be existential from both a commercial and reputational point of view: penalties for significant infringements will be 4 per cent of global revenue or 20 million Euros, whichever is larger.
As almost all personal data breaches will require notification to the Regulator within 72 hours, brand reputations will undergo unprecedented levels of public scrutiny.
Why GDPR will trigger the next wave of global digital transformation
There are a number of factors which indicate GDPR could be a catalyst for a much larger, global transformation.
Firstly, the extraterritorial nature of the Regulation means that any international business serving EU residents will have to comply. As the scope and nature of GDPR begin to filter their way into the mainstream media, it’s not surprising to see coverage from commentators as far afield as Australia and Singapore on the local impact the new regulations are set to have.
The second driving factor is changing consumer expectations. With the advent of social media, public trends and concerns no longer take months to spread; they happen overnight, globally. GDPR now elevates many rights of individuals above those of businesses, bringing about a shift in the balance of power between data subject (the individual) and data user (the organisation). As consumers learn to flex their new-found privacy muscles, it will be impossible to ring-fence raised expectations of better protection and transparency within UK and EU boundaries alone.
The third factor is the global nature of trade in both goods and services, and the cross-border operations of many digital businesses. For those organisations where the EU comprises just one part of a global footprint, maintaining separate EU and non-EU variants would be highly challenging if not unworkable, and so it is likely that many will seek to make all activities GDPR-compliant across every market.
Don’t leave it to your IT director
Within an uncertain and fluid political, regulatory and social environment, not just in the UK and EU but beyond, and with the threat of existential risks, businesses cannot afford to leave such important decisions to the IT director, where data protection and privacy solutions are often housed. The answer lies not just in technology solutions but in driving through strategic organisational and cultural change within the organisation, thereby elevating accountability right up to the CEO and Board.
And whilst cybersecurity technology and services might help reduce the risk of external, malicious threats, they will not help guard against human error and internal threats from disgruntled employees. As such, an ongoing programme of activity to educate all employees in the new requirements will be essential. When it is fully implemented, GDPR will shine a light on areas of the business that were never meant to be made visible, so companies need to make sure that wherever customer or employee data is involved, it is recorded in a way that will be appropriate for external eyes, whilst also ensuring it is properly protected.
Alongside the strategic organisational transformation, companies will require tools that are built from the ground up to incorporate the principles of data protection and privacy by design. Solutions that are flexible and adaptable will be required, to allow businesses to evolve and adapt as this next wave of digital transformation arrives.
In today’s interconnected, digital-first world, it is impossible to imagine a drive towards better protection and transparency remaining only within EU boundaries. Businesses can expect to experience an inevitable cultural shift triggered by the new regulatory landscape and to see it become not just contagious but, ultimately, universal.
Simon Loopuit, CEO of trust-hub