In May 2020, the General Data Protection Regulation (GDPR) will reach its two-year anniversary. The pan-European benchmark, which has helped standardise processes for consumers and operators, is rarely spoken of in a positive light – with attention invariably falling on the costs associated with compliance, or, more commonly, the legal action and fines levied against those guilty of breaking the rules, such as Facebook and Google.
Yet, there are real benefits to be had from the GDPR, both from a business and consumer point of view. For the former, the regulations have introduced requirements to map interactions, apply appropriate safeguards, and develop strategies for use or disposal. For the latter, they have provided the ability to access and monitor how one’s individual data is being used, as well as the right to request its deletion. Together, these powers have given the EU rulebook credence in the global community – to the point where the regulations are now being used as blueprints by major economies, such as the US, and by other countries across Africa, Asia and the Indian subcontinent.
So, there’s much to credit, even if the journey towards compliance has proved troublesome for some. We shouldn’t pretend that compliance is an easy, or cost-free, passage for organisations. Indeed, it can be lengthy, particularly if an operation has razor-thin margins and a small staff base. Yet, there are a whole host of benefits to be yielded from compliance with, and continued work across, data management.
Below are some “upside” facets of the GDPR, for enterprises large and small, which are seldom mentioned – such as bottom-line savings, mapping and expedited response times to data requests, and brand benefits. Together, they show that the journey to compliance should not simply be one of ‘box ticking’, but of opportunity.
Data protection legislation has always held as a core principle the fact that personal data should not be held for longer than is necessary for the purpose for which it was collected. The introduction of the GDPR didn’t change this. Rather, it refined the definition and provided new obligations around accountability – such as higher penalties for negligent behaviour, or breaches.
Although, ostensibly, a simple principle – deciding on appropriate data retention periods and then enacting them across multiple systems – bringing about such change to one’s business practice is not necessarily straightforward. Many companies, large and small, can become tied up in knots, or engage expensive consultants to audit or install complicated programmes across their operations.
But there is a simple fact, borne out by the GDPR, which every organisation should heed when looking at compliance. That is: holding less data is not only good from an adherence standpoint, it’s also cheaper. Deleting old, unused datasets mitigates risk, as well as the cost of storage and maintenance. By performing regular checks on the data your business holds, and looking at whether you need it for your growth, you can reduce expenses on safeguarding and mapping procedures.
Mapping and establishing data strategies
Another benefit to emerge from the GDPR was the cut-through of “spring cleaning” and “mapping” interactions. This has provided organisations with the chance to better understand – for the first time, in many cases – what datasets they hold and where they fit in their company. This knowledge is incredibly useful and can help inform data strategies going forward – particularly as our economies become more and more automated.
The GDPR has therefore flagged the significance of data – which, pre-2018, may have sat in isolated silos with different gatekeepers. By raising awareness of its importance, it has allowed organisations to make decisions around data partnerships and growth, internally, without having to obtain data or insights at cost.
Compliance as a brand enhancement tool
The most prominent subject surrounding the GDPR is trust. Some of the world’s largest tech companies have been embroiled in disputes for several years now, and the new EU rulebook has amplified this subject and ensured its cut-through to the public consciousness.
However, beyond the negativity and noise of privacy breaches and manipulations, there are some brand benefits available from the GDPR.
For one, the regulations present an opportunity for organisations to engage with users about how their data is used and to do so in a way that is compelling and different. Organisations that embrace this stand out as brand leaders.
The Information Commissioner’s Office (ICO) encourages this sort of work, and even provides guidance on how to use privacy for brand enhancement in the form of Q&As and infographics on how personal data is used, and stored, by an organisation.
These points, above, show that there’s more to the GDPR than compliance for compliance’s sake.
So, this May, perhaps we should not just celebrate “surviving” another year of the regulations – but, also, look to the positive results they have yielded these past two years.
Barry Cook, Privacy and Group Data Protection Officer, VFS Global