Eclipsed by the rising moons of Trump and Brexit, the EU General Data Protection Regulation (GDPR) is approaching fast.
And yet, with just 14 months until enforcement, very few businesses are prepared, let alone aware of what it entails, or its myriad implications. A Veritas study in December found less than half had set in motion any processes to make their businesses compliant.
“GDPR is all about good data governance, and those in the industry have been trying to preach this for years, but it seems to have fallen on deaf ears. Very few people have taken it seriously,” says Phil Beckett, managing director of Alvarez & Marsal.
He thinks that GDPR has often been dismissed as an issue for IT bods, when in fact its implications flow back to the C-suite.
The regulations are an attempt to harmonise the different, often conflicting, data standards across the EU’s member states. The more pedantic among us might speculate that Brexit would negate GDPR – we are leaving the EU, after all. But it is extraterritorial by nature, enforcing several rights for EU citizens, wherever in the world they are.
For many businesses, GDPR demands a total restructure of how they handle, process and think about data – and what constitutes best practice. It’s impossible to cover the minutiae of GDPR, but there are four concepts UK businesses need to get to grips with prior to implementation.
What makes GDPR so relevant by comparison to previous directives is the hefty fines for compliance failure. “If you’ve got this wrong,” says Beckett, “it’s up to four per cent of your global turnover. And that brings it right up to board level – as something people should really take seriously.”
He thinks the EU will be actively looking to make an immediate example of a high profile target: “It’s one thing to put the rules in place, you then have to enforce them to make people realise they are real,” he says.
A breach is any data leaving your business without authorisation – so a leak, hack, or even someone leaving a laptop in a cab. Think of Yahoo’s calamity. Between the breach and the time Yahoo reported it, five years went by. Under GDPR, businesses have just 72 hours to inform those affected, or they will face a fine. Not only that, says Beckett, but as with Yahoo, the reputational damage could be huge. “Do you want to be on TV explaining yourself?” he asks.
Understand your data
Businesses across the board mostly use data in one way or another, but do you know exactly what data you hold, where it is stored, who by – and importantly, what, if anything, you’re using it for? “Most companies don’t know,” says Beckett. “So doing a data mapping exercise – understanding what data you have, where it exists and what it is – is a good place to start.” Some data your business holds might be a decade old – ask yourself if you need it. “Some organisations will see it as an opportunity to clean house,” says Beckett. “It gives a clear path to defensible deletion.”
GDPR enshrines in law several rights for consumers, and the most pertinent to business concerns consent to the use of personal data. “They’re strengthening the conditions of consent,” says Beckett. “It has to be freely given, unambiguous, explicit, and individuals will have a real right to say no.” For every bit of personally identifiable information you hold – whether names, bank details or phone numbers – you will need explicit permission to hold or process it, including from your staff. “Where that becomes very interesting is in the employee/employer relationship,” says Beckett. “Does an employee really have the power to say no?”
GDPR is closer than many think, and not by any means the IT issue many seem to consider it. “You’re going to have to have a board level representative who has an interest in this, because at some point, they might get that knock on the door, or that big fine.”