The impact of GDPR on international corporate groups

null

With any new regulation comes challenges and the General Data Protection Regulation (GDPR) is no exception. While the past two years may have been a challenging time for companies preparing for the change, the regulation has also provided a number of opportunities for businesses.

What is GDPR?

Following on from the existing Data Protection Act, GDPR gives consumers more say in how their data is used by companies. This is to ensure consistency in data protection rules throughout the European Union (EU).

Since the European Union parliament approved GDPR in April 2016, multinationals have spent over two years analysing its potential impact on all aspects of their businesses and planning the necessary steps to become fully compliant.

GDPR came into force in May 2018 and applies to all business operations in the EU. Not complying with these new regulations could result in a serious penalty. In the case of a personal breach, the person affected must report the breach within 72 hours. For non-compliance, companies risk being fined up to €20 million or 4 per cent of its global annual turnover – whichever is greater.

In the past companies have been able to use pre-ticked boxes for customers to opt out of communications, but this is no longer allowed. Companies must now use a double opt-in process, meaning customers must choose to receive marketing communications and confirm by email.

It has also been important for companies to think about websites, as cookie policies have also been affected by GDPR. The regulations mean cookie consent will now also need to comply with GDPR. The GDPR and the EU ePrivacy Directive requires prior, informed consent of a site’s users, and GDPR requires companies to individually document each consent.

From a technical perspective, these are the three main changes all multinationals should have done to ensure compliance:

  • Improve the management and security of data, including regular reviews. (This includes respecting an individual’s "right to be forgotten")
  • Limit unnecessary data transfers and ensure any data sent is encrypted
  • Inform relevant people and organisations immediately in the event of a data breach

The data protection challenge

The European Union parliament approved GDPR in April 2016 and since then, many multinationals have spent a huge amount of time analysing its potential impact on all aspects of their business and planning the necessary steps to ensure they are fully compliant.

Every large business holds data that could be considered by the National Commission for Information Technology and Civil Liberties (CNIL) as sensitive – whether that is HR data, client and supplier contact information or logistics documents. In terms of what personal data covers, it includes a huge range of information such as bank details, IP addresses, medical information and photos, as well as social media names and posts.

With the new regulation now in place, all data that has been processed by a company, including the purpose of the data, must all be kept on record. Much more detailed descriptions of the purpose of data collection must now be stored so it can be given to the participants.

Its effect on multinationals

By improving data protection for individuals, the EU has forced multinationals to think critically about the design and security of their Enterprise Resource Planning (ERP) systems and localised intranet, and more importantly, the transmission of data across borders. The regulation has also meant that ensuring privacy of customers information is a key priority for any business operating in the EU.

Whilst the challenge of respecting data privacy is focused on business in the EU, it is not just a European issue but a global one. For some multinationals, the European market is not the only priority – with some choosing to focus their attention on the US, Asia, or emerging markets. However, that does not mean it will not affect them. By imposing an in-depth self-examination into the way businesses operate, GDPR has presented an opportunity to make Europe a focus; creating a beacon for improved relationships between some of the world’s biggest organisations and the wider population.

The way of the Japanese

One of the most difficult changes to implement is not necessarily a technical one. Corporate culture goes a long way to determining the manner in which international businesses operate – especially in terms of data protection. Clarion, a subsidiary of the global Hitachi brand, has a distinctly Japanese culture focussed on awareness and preparation.

The dissemination of awareness material throughout all regions was supported by rigorous internal policy reviews and the adoption of new confidentiality practices, to avoid any type of risk. With senior leaders placing awareness and learning at the heart of these changes, the company was able to transform from the top down, supporting its subsidiaries and services through every step of the process.

What is next?

GDPR has had already had a significant impact on multinational organisations and their marketing activities. Some companies who may have initially viewed the regulations as a hinderance to the way they can communicate with their audience, will have now realised that it was in fact put in place to modernise laws that protect the personal information of individuals and make the process of data collection easier for customers and businesses.

By imposing an in-depth self-examination into the way businesses operate, GDPR has presented an opportunity to make Europe a focus; creating a beacon for improved relationships between some of the world’s biggest organisations and the wider population.

In terms of other positive outcomes, the new regulation has forced international companies to think about things they had not considered in the past, such as how they can reduce the amount of data that is being transferred, or how they can secure data in case of a cyber-attack.

What if companies do not comply? Whilst the threat of financial penalties has been enough for some, there are many international corporations who view GDPR as a real opportunity. It has given them the push they needed to clean up their databases, improve the quality of customer relationships and re-evaluate the transparency of the data they hold.

Hervé Buttignol, information systems officer, Clarion Europe
Image source: Shutterstock/Wright Studio