GDPR is coming.
At the end of this month, the European Commission will begin its PR and marketing campaign intending to remind 500 million citizens of their right to seek information from anyone processing their personal data.
Officially called a Subject Access Request, it’s the ‘litmus test’ used by the Information Commissioner’s Office (ICO) to determine whether a company or organisation has a culture of compliance and is living up to its duties and responsibilities when it comes to processing personal data.
On 25 May 2018, the General Data Protection Regulation (GDPR) becomes fully enforceable across all 28 Member States and represents the biggest shake-up in data protection, privacy and security in over two decades.
A key driver for these higher standards is the need for greater transparency and accountability in the way an individual’s personal data is processed so as to increase trust and confidence among customers, clients, supporters, partners and employees.
Given that personal data is the lifeblood of any company and organisation, it’s surprising that very few have taken steps to prepare sufficiently for these changes despite the two-year transition period that began in 2016.
Instead, research tends to suggest a widespread level of complacency among senior managers, coupled with a lack of understanding of the consequences of getting this badly wrong.
GDPR as an opportunity to deepen digital trust
Many have made the mistake of seeing the GDPR as an administrative burden rather than as a re-boot in our thinking on data protection and an opportunity to deepen digital trust in order to do more – not less – with personal data.
The GDPR places a legal obligation – as does the Data Protection Bill 2018 currently at its third reading in Parliament and due to receive Royal Assent in April 2018 – to process and protect personal data in a transparent, accountable and secure way.
Failure to make the necessary adjustments now in the way companies and organisations process personal data will be an aggravating factor in the wake of any personal data breach (now a mandatory reporting requirement) after 25 May 2018.
Sanctions and penalties for commercial organisations are significant. Fines of up to £17.5m or 4% of global turnover, whichever is the greater, can be imposed.
One of the key differences, irrespective of the legal basis of processing personal data, including doing so under contract, is that every company must now provide a Data Privacy Notice to all its customers when processing their personal data.
Where the company is relying on the legal basis of consent with a consumer in order to process their personal data, this consent must be unambiguous and, in some cases, explicit. The practice of opting-out that has often been favoured by marketers is now well and truly buried.
GDPR and risk to business continuity
Failure to process personal data in accordance with the GDPR will obliterate the capacity for many companies to do their business and represents a significant risk to business continuity.
‘This Data Privacy Notice must comply with the requirements of the GDPR and is an absolute right in law. Failure to process personal and special categories of personal data in the absence of a Data Privacy Notice will result in sanctions, fines and damage to trust and reputation of all companies.’ So says Ardi Kolah, Director of the GDPR Transition Programme at Henley Business School.
Ardi encourages us to ‘join the dots’ between business continuity, risk and technology in order to achieve the outcomes expected by the ICO and industry regulators, and not to see the GDPR as a regulatory or compliance issue but from the perspective of building a robust reputation for the digital age.
Those companies that can seize the opportunity for building deeper digital trust will reap the rewards, often at the expense of those who have failed to make the necessary organisational and technical changes expected of them.