GDPR: tick box exercise or catalyst for change?
David Warburton, Senior Systems Engineer, F5 Networks, on the implications of the EU General Data Protection Regulation on businesses
What makes your business tick? Changes to sales volumes, the latest gadgets, or the information customers exchange with you?
Well, brace yourself: the EU General Data Protection Regulation (GDPR) will help to enforce some big commercial reprioritisations. Canny organisations are already ahead of the game, reconfiguring structures and preconceptions to embrace what many see as a powerful initiative for raising digital standards and upholding citizens’ data rights. Those treating the process as a perfunctory box-tick exercise face a decidedly less assured future.
It is easy to become mired in perceived regulatory impediments, blindly chasing compliance without heeding the bigger picture. Today’s tech-conscious consumers only want to work with the most trustworthy data handlers, and the GDPR allows them to call the shots louder and with more influence than ever before.
The GDPR is about taking ownership and showing responsibility. It elevates personal data protection as a strategic priority for organisations working with EU residents. It requires businesses to be transparent, fair and lawful. It also mandates a culture in which data privacy and security form a central part of the customer relationship.
The race for credibility
Businesses can no longer shun data transparency and accountability responsibilities when processing customer data. At every hierarchical juncture, they must be assiduous and empathetic to the trust customers place in them, as well as their duty to mitigate against an increasingly complex cybersecurity threat landscape.
Training programmes should already be in full swing, ensuring data privacy nuances are grasped and staff understands their role in keeping both their personal and customer data safe. This should be supported by substantive policies concerning data handling and customer interaction.
Sustained credibility is difficult to achieve but can ultimately serve as a launch pad for better service innovation and profit.
Mind the step-change: the GDPR’s privacy and security requirements
The GDPR is an opportunity for organisations to do better. It is a powerful prompt to forensically assess all extant data governance, collection and processing legalities, security technologies and policies. Modifications and improvements in line with the GDPR are clearly a positive step to promote notions of privacy and security by design throughout the business. Responsible data conduct is surely set to become one of the most coveted badges of corporate honour in the coming years.
While the GDPR is an evolutionary journey requiring all manner of cultural change, the key ‘must-dos’ remain the same. Organisations need to investigate the automation of technical controls and ensure they have alerts in place for attempted breaches. Remember, a breach encompasses both unauthorised access and inappropriate access, modification or loss. Meanwhile, establishing a legally compliant data inventory and governance model will help achieve the right level of protection. Wherever possible, this should include the anonymisation, pseudonymization, and encryption of data.
From a privacy perspective, data protection impact assessments (DPIAs) can help identify, assess and mitigate or minimise privacy risks. These are particularly relevant when a new data processing system or technology is introduced. Interestingly, GDPR mandates the use of DPIAs by data controllers where there is a ‘high risk’ to a data subject. This includes the processing of sensitive data or anything systematically monitoring individuals that could result in legal or detrimental harm to the individual.