How to turn GDPR into a competitive advantage with ‘privacy by design’


4 per cent of businesses don’t think an organisation’s privacy track record is a top three consideration for customers when choosing who to do business with. (Source: Getty)

Much of the discussion around the General Data Protection Regulation (GDPR) has, with good reason, focused on the negatives.

The complexity, the potential reputational damage, the financial penalties, and the degree to which firms are simply not ready.

Yet data is now one of a business’s most valuable assets – so protecting it is much more than a legislative exercise, it’s the foundation of the relationship between a modern brand and its customer. As such GDPR offers a major opportunity for your business to take a totally new and improved approach to how it manages data throughout its lifecycle. In doing so, you can go beyond GDPR compliance, and create a competitive edge, because privacy and security are so important for consumer trust, being able to guarantee them becomes a brand differentiator.

Read more: The GDPR Doomsday Clock strikes a minute closer to midnight

Data privacy disconnect

If this seems surprising to you, you’re not alone. We’ve found 74 per cent of businesses don’t think an organisation’s privacy track record is a top three consideration for customers when choosing who to do business with. However, some 88 per cent of European consumers see data security as the most important factor when choosing where to spend their money.

It’s also worth bearing in mind that if IT and business leaders are to drive the urgent organisational change they need to comply with the GDPR, a more positive, encouraging approach that focuses on and explains the potential benefits is essential.

The obvious question then is how best to seize this competitive opportunity, and turn security and compliance into competitive advantage?

Read more: A lack of guidance over the EU's GDPR could cripple British businesses

Embrace privacy by design

One of the most effective ways to achieve this is embracing “privacy by design”, which means making compliance and security a core element of your organisational structure and staff culture.

Embracing privacy by design also necessitates making a commitment to end-to-end security – from the creation and storage of data, to the moment it becomes obsolete. End-to-end security can be broken down into four key stages:

The first is Prepare. This means assessing all the personal data your company is storing, its location, who can access it, and any other aspects of your risk posture or infrastructure vulnerabilities.

Second is Protect, which involves developing and implementing safeguards throughout your infrastructure to help contain the impact of an attack.

Detect is the third stage, for which firms will require security monitoring services and a modern threat protection solutions. On average, it takes 229 days for a company to detect an attack, by which time the data leakage has, most likely, already occurred. However, choosing the right security partner should significantly reduce time to detection and provide a clear understanding of the impact of such incidents too.

The final stage is Respond, which focuses on remediation. In addition to the significant technical proficiency needed here, the guiding principle of transparency with all stakeholders should be followed. This is in line with the GDPR mandatory breach notification, which specifically states organisations need to self-report the loss of personal data within 72 hours.

Read more: Few businesses are ready for the biggest ever overhaul of data regulation

Temper realism with determination

Data protection makes up only one stage of a robust approach to privacy by design. Therefore, if companies are to turn GDPR into an opportunity, rather than a threat, it must be approached holistically, with the goal of transforming how the organisation manages data in its entirety.

This is no small challenge. It’s important to be realistic about the challenges ahead, yet this realism must be tempered with determination. As Thomas Edison once said, “opportunity is missed by most people because it is dressed in overalls and looks like work.” Which is precisely the case with GDPR. Yes, we are going to have to call on all our technical expertise and people skills to get the job done in time. Yet in doing so, businesses stand to significantly strengthen the relationship they have with their customers, and the trust customers’ have in their brand.

Kevin Isaac is senior vice president for Europe, the Middle East, and Africa at Symantec.