GDPR is The Law, But Can it Also Add Value to Your Business?

Nearly all industry commentary on GDPR highlights the potential for breach-related fines, and while they certainly shouldn’t be ignored, the simple fact is that in May of this year the regulation will become bona fide, enforceable law in EU courts. With less than 100 days left to prepare, any business handling EU citizen data needs to ensure that it is taking the necessary steps with its policies and IT operations practices to be compliant when the regulation comes into full force. However, many companies are still lagging in their preparations and/or are in denial about the importance of the EU’s General Data Protection Regulation and its potential impact on their business.

In most other business areas, the legal teams and leadership would be taking steps to ensure they are following the law in relevant operating regions, but something about GDPR and its sister bill in the UK, the UK Data Protection Bill, has many businesses dragging their feet.

In a recent Computer Weekly piece by Warwick Ashford, Kolvin Stone, partner and global co-chair of the cyber security and data privacy practice at global law firm Orrick, expressed his theories:

“The awareness around GDPR is generally good, but the level of readiness is all over the map,” he said. “The key factors that are affecting an organization’s ability to prepare mainly relate to a lack of senior buy-in, strong leadership, planning and resources.”

Ashford’s article also cites a recent survey published by DMA and Axicom, Data privacy: What the consumer really thinks, which highlights how consumers’ preferences for how businesses handle their personal data are not far off from what GDPR prescribes as best practice, most notably that consumers care about having control over their data and want transparency about how it’s used.

The ability to withdraw consent and to control how their data is handled is a cornerstone of GDPR. As such, a company that is GDPR-ready is more than capable of offering that assurance of control and transparency to its customers.

If an organization has completed the data protection impact assessment required by GDPR’s Article 35, its IT team can provide customers with a detailed explanation of how their data will be used. Additionally, if a customer asks that their data be deleted or requests a copy of it, something data subjects have a right to do under GDPR, the IT team will have a clear idea of where the data resides within the environment.

The survey also revealed there is little support for cross-business sharing of consumer data, something that is increasingly common as organizations choose to migrate sensitive systems to the cloud. Not only does this give cloud service providers cleartext access to customers’ data, but since most cloud providers are headquartered in the US, it puts the data at risk of being subpoenaed by the United States Government. This is problematic because the US has proven its willingness, time and time again, to serve data requests directly on technology providers instead of on the data subjects themselves. Following GDPR’s guidelines for encryption and pseudonymization can help companies reduce the risk of using cloud services under GDPR.

Orrick’s Stone went on to say: “These next few months are critical and are likely to be a mad rush for a number of organizations,” said Stone. “But, amidst the chaos, it is important to note that GDPR, while a legal requirement, should help to increase clarity, respect and trust around personal information for customers, employees and shareholders.”

Get in touch today to discuss how we can help you prepare for the May deadline.