By Martin on 14 Dec 2017
GDPR. The stack of acronyms we encounter on a daily basis increased back in 2016 as the European Union introduced legislation carrying weight far beyond just four letters. The GDPR (General Data Protection Regulation) comes into effect on 25 May 2018 and with it comes what many consider to be a headache for businesses. In truth, GDPR is about people and about privacy. We went along to GDPR Summit in Croke Park to find out how this impacts you personally as well as the business you work in.
What is GDPR?
Back in 1995, we were playing games on the first Sony PlayStation, starting our migration from VHS to DVD and Microsoft launched the revolutionary Windows 95. Take a quick note of how connected these innovations were (or were not). In the very same year, the European Union created the Data Protection Directive to regulate how personal data is processed in the EU. Believe it or not, despite the incredible increase in data that we all generate these days, this is still what regulates the processing of personal data within the EU; but not for long.
In 2016, the EU deemed the Data Protection Directive no longer suitable to protect people's privacy and personal data, which led to the creation of the General Data Protection Regulation. GDPR brings a significant increase in the obligations and responsibilities of organisations in how they collect, use and protect personal data. While brands and companies are generally focused on GDPR as a business requirement and ultimately a new source of risk, there’s considerable opportunity afoot.
The Change from Directive to Regulation
Before I look at the opportunity, there's some technical jargon you need to know, so bear with me. Should you be found to have breached GDPR after the May deadline, there are some serious implications. Here are the no-nonsense potential outcomes of what could happen:
- Warning
- Reprimand
- Suspension of data processing
- Fine
  - €20 million or
  - 4% of global annual turnover
To date, the big focus has been on the fines, fines which could cost companies a fortune. While the fines are pretty hefty, the suspension of data processing could be a much bigger problem depending on your business. KPMG’s Mark Thompson highlighted that a suspension of processing being issued to a bank could technically make a bank insolvent within a matter of hours. Understanding the risks which are specific to your business was a key theme to the overall GDPR Summit.
But while the fines are huge and the possible outcomes rather terrifying, GDPR isn’t about shutting down businesses or standing in the way of growth. GDPR is about people, privacy and personal data. Accidental alliteration aside, it's also about potential.
Welcome to the Trust Era
For businesses and brands, it’s easy to fall into that trap of viewing GDPR as a business requirement and a risk which needs to be addressed. The fruits of GDPR become visible when you realise this new regulation is about people and privacy.
In recent years, there have been some infamous incidents where companies didn’t handle people’s data with care. One of the most recent examples of this is the Equifax debacle, where a massive consumer credit reporting agency experienced a data breach impacting over 140 million US customers. During the fallout, Equifax created a website to help their customers, but it lacked security and carried terms of use which many believe were written to protect the company.
This is just one example to demonstrate why consumer trust online is at an all-time low, and this is the key reason the EU has decided to act: consumer trust. Only 15% of people believe they have complete control over the information they provide online. KPMG’s Mark Thompson, speaking at GDPR Summit, stated their research shows 55% of people decided against making an online purchase due to privacy concerns.
GDPR is a direct response by the EU to rebuild consumer trust in online platforms by regulating how data controllers and data processors handle private data. GDPR is ushering in the Trust Era, an era where people know how their data is being used and an era the EU expects to yield economic benefits to the tune of €2.3 billion.
Preparing for the May Deadline
With the benefits now on the table, hopefully your appetite for dealing with GDPR has been whetted a little. One key message to emerge from GDPR Summit, which was hammered home by IBM Watson’s Privacy Officer, Stewart Thompson, was to do something. Rather than freezing in the headlights of GDPR, like 61% of Irish SMEs right now, it’s time to kick into action and get moving.
John Keyes, Assistant Commissioner and Head of Investigations for the Office of the Data Protection Commissioner, stated that the DPC will likely spend the time immediately after the May deadline dealing with data protection complaints rather than proactively seeking out offenders themselves. The first thing they’ll be looking for, in the event of your company being involved in a complaint, is evidence of what was done to make your company GDPR ready. Starting now, preparing for GDPR and tracking your activities could put you in good stead should something occur after the May deadline.
GDPR Risk Assessment
During a panel discussion, the idea of a risk assessment approach to your company’s GDPR preparation became a key topic. Rather than looking at every single aspect of the far-reaching GDPR, a full assessment of risks followed by prioritisation is considered a good approach, especially as the deadline is now within reaching distance.
One great starting point for your GDPR plan is a free online service provided by the International Association of Privacy Professionals (IAPP) and OneTrust which helps you assess your company's GDPR readiness. Beyond that, GDPR Summit provided some other great tips on preparing for the May deadline.
Is Consent Dead?
GDPR doesn’t end in May and few that took to the stage believe companies will have everything in place come the legislation deadline. This prompted many speakers to ask if consent really is the silver bullet to GDPR. PageFair’s Johnny Ryan introduced the PageFair GDPR scale which showed the likelihood of getting consumer consent for most processing is incredibly low.
According to An Post’s Linda Ní Chualladh, the more you rely on consent to remain compliant, the weaker your position is. So what are the remaining options?
Essentially, the critical section of GDPR for this is Article 6: Lawfulness of Processing. This outlines six scenarios in which companies can process personal data.
Treating Personal Data With the Respect It Deserves
Gerard Barry landed the quote of the day for me when he said it’s time we all “give personal data the respect it deserves”. Within the GDPR there is room for interpretation and, unfortunately, misinterpretation, leaving many confused as to what’s acceptable and what’s not. On several occasions throughout the day, speakers offered the opinion that if in doubt, stop and ask yourself whether you would mind a company using your data the way your company wants to use the personal data of others.
What Does Being GDPR Compliant Look Like?
So come the May deadline, is it really possible to be GDPR compliant? Linda from An Post highlighted that GDPR is a highly emotive topic because people will react emotionally to how their privacy is handled, understandably so. We cannot forget that we are dealing with people’s personal data, that personal data is their property, and that mishandling it will spark an emotional response. She suggests a completely transparent approach to what you’ll do with data:
- Say what you do
- Do what you say
- Mean what you say
Customer sentiments will play a massive role in the success of your GDPR strategy; this is the Trust Era after all.
The Wolfgang Essential Takeaway
There’s a lot to digest here, but here are the key points I took away from GDPR Summit.
GDPR is unavoidable, but why would you want to avoid what has the potential to be a massive business opportunity? Building trust through transparency and leading the charge on GDPR could pay massive dividends for your business.
Do something. Get started on your GDPR strategy and document what you do.
There was one more thing I took away from GDPR Summit. Disclaimers. Everyone had one! So, please don't take this article to be legal advice. Always get your own legal advice that's specifically tailored to your own business. GDPR is serious business so take it seriously.