GDPR: Showing transparency and commitment


Data is the powerful driving force that underpins dominant industry giants such as Google, Facebook and Amazon. These tech giants use their data to expand into new markets, enhance their offerings and improve their overall customer experience. Data is the reason that these organisations are able to thrive and constantly innovate to rapidly develop new ideas. In fact, without data, they would not be the innovators we know today. Yet, how many of us actually feel comfortable with these organisations holding all of this data on us? 

Thanks to GDPR, it will soon be possible for consumers to have much more control over their own personal data. From 25th May 2018, European Union citizens have the right to access their own information held by an organisation and, perhaps more crucially, the right to be ‘forgotten’ by having their data erased from their records.   

There will be challenges ahead for organisations to enforce stringent data compliance and find more effective ways to manage their information. But businesses should also embrace the opportunity that GDPR presents.

Ultimately, the only certainty is the imminence of change. GDPR can act as a driver for organisations to future-proof their data processes and policies. As the business evolves with time, new processes, data and systems will of course be brought into play. Having long-standing policies in place will create a stronger foundation with clear guidelines for employees to adhere to. It will also provide agility and longevity to help organisations to adapt to new regulations in years to come.   

Privacy by design 

Long-standing policies are even more necessary when considering the ‘privacy by design’ approach. Under the new legislation, this refers to the technical and organisational measures that organisations must adopt when processing customers’ or employees’ personal data.

When implementing new processes, companies have to consider all the personal data they hold. This means that data protection should be engrained in any project from the very beginning. Having a data-first mindset helps organisations become more transparent in the way they handle customer information and transactional records. This, in turn, allows them to deliver a more customer-focused service and sustain trusting relationships with their customers.   

Taking control of the huge volume of data scattered across an organisation and, increasingly, in the cloud can seem like a minefield. However, the financial and operational benefits of a solutions-based methodology will persuade any leadership team to get behind these GDPR initiatives.

Getting C-suite buy-in is a critical success factor. To develop a privacy-by-design approach, a cultural change is required. This should be led by the boardroom and should drill down to every employee, and even across the partner network, because data protection affects everyone.

A competitive advantage   

Data protection is now considered a human right, and this is why businesses need to get it right the first time round. There are no second chances. To gain maximum benefit from the opportunity GDPR presents, companies can begin by doing three key things:

1. Put someone in charge 

GDPR requires organisations of over 250 employees to appoint a Data Protection Officer (DPO). Your DPO can get a jump start on where your data is and what is happening with it. The DPO needs to be a jack-of-all-trades: an expert in data protection, an impeccable communicator and a leader when it comes to turning compliance issues into business opportunities. With a DPO appointed, businesses can feel assured that this person will be working to push the organisation in the right direction, embracing an opportunity for change and collaboration.

2. Remember to request consent  

Under GDPR, anyone collecting data must offer customers and users the ability to actively decide whether they want their data used.  

We live in an age in which a vast volume of our data has been and is under the control of big organisations, but this will no longer be the case. We already know that many people are uncomfortable with the thought of retailers or banks storing information relating to the smallest details of their lives. Meanwhile, others remain naive as to how much of their data is stored within different organisations. Consent is more important than ever before. According to a recent study, 56 per cent of UK residents would welcome the right to object to their data being used for marketing and profiling. After May 25th, organisations will no longer be able to use information without consent, or risk paying a penalty for doing so.

3. Ensure all data is protected  

The security of customers’ data needs to be actively enforced and upgraded over the lifespan of the data, and the destinations of the data must be tracked. To do this, organisations need to establish and maintain an internal framework for accountability from the start of processing to the deletion of all data. Implementing a thorough registration process ensures all documentation is up to date and all processing is logged, including what the data is being used for.

To ensure this data is 100 per cent protected, a privacy impact assessment for each new form of processing can help to mitigate any new risks to the data management practices.  

By taking these three steps, organisations will see noticeable results. But, to rise to the challenge and be truly committed to GDPR, companies must prove that they can manage their data ethically and sensitively. This isn’t a box-ticking exercise. It’s good business practice.   

By putting in the time, effort, and hard work now, it will become much easier to adapt to the needs of future legislation. GDPR is a great chance for businesses to lay the foundations for their building blocks of the future.     

Matt Smith, CTO at Software AG 
