Getting to grips with GDPR

By Nicole Vreeman, Risk Advisory Manager, Deloitte and Annika Sponselee, Partner, Head of privacy team, Deloitte

Nicole Vreeman, Risk Advisory Manager, Deloitte

Friday 25 May 2018 is the date the new General Data Protection Regulation (GDPR) came into force, signalling that all organisations with business ties to the European Union and wider European Economic Area needed to be compliant. GDPR brings data protection and privacy into the 21st century, recognising in particular how data is increasingly captured through social media and other digital platforms as part of an increasingly digital society. It’s an important date not only for corporates, but also for the individuals whose data is held by those organisations.

Can it be ignored?

In a word, no. The introduction of the GDPR comes with the threat of hefty fines for non-compliance, with amounts potentially reaching 4 percent of global annual turnover of the previous fiscal year or €20m (whichever is higher). And it’s not just the financial penalties companies need to watch for, with the reputational fallout for those suspected of carelessness or wrongdoing quite possibly being even more damaging in the long term.

But compliance isn’t easy. The standards are tough to interpret and adhere to, and many organisations have struggled to understand not only what data they hold but also how they use it. Add this complexity and uncertainty to the threat of financial and reputational costs for non-compliance, and it’s easy to see why GDPR is a major headache for many organisations. Others, perceiving that full compliance may not be possible or is at least a massive administrative burden, consider the threat of sanction perhaps worth the risk. That’s not the right approach.

A rude awakening

While some organisations are confident they’ve done what they need to do, many others have been caught napping. For those still with a way to go, it’s worth bearing in mind there are no degrees of compliance; no concept of ‘minimal’ compliance: post 25 May 2018, organisations either do comply or they do not.

In a GDPR world, failure to look after customer data appropriately takes on new significance. Data breaches or misuse now come with the heightened possibility of a visit from the supervisory authorities interested in how the organisation has approached the management and use of data, and taken steps to minimise the risk of a breach.

But there is some good news.

Annika Sponselee, Partner, Head of privacy team, Deloitte

The authorities in some jurisdictions have indicated the initial focus of attention will be on explaining the law and helping organisations comply, rather than immediately handing out full penalties.

So it’s not too late–and there’s always a solution. For most, it will mean a significant transformation programme: revised data processing and marketing models, updated privacy policies, changes to technology, a strategy on privacy in the organisation, building GDPR into your governance model, and educating staff as to the rights and wrongs in a GDPR world.

The smartest organisations will be the ones that, once they’ve shored up their technology offering and mitigated the risks of data breach, start to redefine their strategic relationship with client and customer data

The GDPR as an opportunity

Technology is undoubtedly the key consideration, with the imperative for organisations being to reconcile the requirements of the GDPR with the reality of their technical capabilities when it comes to data management and security.

The smartest organisations will be the ones that, once they’ve shored up their technology offering and mitigated the risks of data breach, start to redefine their strategic relationship with client and customer data. The trick is to identify new business potential and new models for capitalising on and monetising your data assets, and becoming more data-driven and customer focused in the process.

As the data under management becomes more relevant and powerful, so the virtuous cycle of improving how that data is held and used gains greater leverage. Increasingly, younger consumers understand the value of their data and how it could or should be used – legitimately and ethically – for mutual advantage. Organisations can become more targeted and efficient in how they shape services, products and propositions, and consumers can receive those services, products and the offers around them with greater certainty of fit.

Those organisations that do that well will distinguish themselves from competitors who fail to evolve, and will gain a consequent advantage. But the important factor to recognise in a GDPR world is that the data subject has a say in how their data is used. Recognising this and working more closely with those whose data is managed is key to success in the future.

Meanwhile, those in a B2B environment will undoubtedly find GDPR-compliant products and services (eg: SaaS) in high demand; and conversely those whose products and services remain untouched will find themselves left behind.

What comes next?

Smart management is as vital in the new GDPR era as it was to the run-up to enforcement. Continuous improvement and taking responsibility for data-handling is going to be required for all organisations– particularly around the governance and management of data issues.

Compliance should be the minimum objective; maximising the opportunities arising from strategic data handling should allow more progressive organisations to reap the benefits of change, subject to the sensitivities of their particular data market and the risk appetite of those directing the organisation. It’s still far from the end of the story.