Why is the EU General Data Protection Regulation (GDPR) so important? What opportunities does it offer your organisation? And how can you overcome the challenges you’re currently facing? These are just some of the questions we put to Elliot Rose, PA digital trust and cyber security expert. Find out what you need to be doing right now to ensure compliance and exploit the opportunities the GDPR offers.
Full video transcript:
PA: Why is the EU General Data Protection Regulation so important?
Elliot: I’m asked that a lot. Obviously it’s important because of the big fines it carries with it. But it will also raise the data privacy awareness in a general population. Organisations need to be aware that people will be questioning how their personal data is handled. So going forward, organisations need to understand that and recognise that they need to manage and keep personal information secure.
They also need to understand that groups out there may use the EU GDPR to their advantage. For example, activists or particular campaign groups that have an axe to grind against an organisation may decide to put subject access requests in, ask for their metadata to be removed or transferred, so it's really important to get that right.
PA: Why are you so passionate about this new regulation?
Elliot: I've been involved in data privacy for the last 22 years. I passionately believe that if I give my personal information over to an organisation they should treat it with respect. For far too long now organisations have got away with poor data privacy practices and the fines have been relatively low. The fines are now high, but some of the other things associated with it in terms of reputational damage are much greater. Therefore, I'm really pleased to see this regulation being taken seriously.
Organisations are now taking it right up to board level to say this is an important aspect for them to consider as a business – to really respect the rights of those people who want to have trusted relationships. And really, it's good to see that it's now giving some teeth to the regulators to go after those people that abuse our privacy rights, regulations, and the personal information which we share with certain organisations.
PA: What opportunities does the EU GDPR bring to organisations?
Elliot: In terms of the EU GDPR it's all about having good relationships with your customers, your stakeholders and your employees. So it's really important to communicate why that relationship is important to you, assure people that you will keep their personal information safe, and explain how you can exploit it for the benefit of your customers, stakeholders and employees. I think that's a key opportunity for organisations, to look at the business opportunities around this regulation and not necessarily just see the compliance downsides of the EU GDPR.
PA: How are organisations embracing this regulation?
Elliot: In particular, there is a challenger bank I spoke to recently, and with their new entrance into the financial services market they're really embracing this regulation. They are creating a privacy type app that they can give to their customers. Almost like an iPhone in terms of slider bars where they’ll be able to switch off privacy by certain areas of information and how it will be used. They've really taken the level of consent down to a level of granularity, which really helps this challenger bank to offer new services and opportunities to its clients, but at the same time it puts it in the power of the customer. It's a really innovative way of doing it. They see it as a competitive advantage to get ahead of some of the traditional banks which are struggling to put the consent models in place.
PA: What are the big challenges that organisations are facing to comply with the EU GDPR?
Elliot: First and foremost it's actually trying to find out where the information is within the enterprise. It can be widely spread across larger organisations, very difficult to find and in many different formats. But not only that. Organisations also need to think about where it sits in the supply chain because your suppliers along with yourselves are jointly liable in terms of personal information you hold and process. And so it's thinking about those current suppliers you have, how they hold that information, and importantly, all the legacy information. Often organisations will retain lots of information and don’t realise they have it.
Another area to think about is those organisations in regulated sectors who usually have a whole raft of regulations they have to adhere to around information. Some of it touches personal information with the EU GDPR. They have obligations to delete data if requested to do so, but of course you need to make sure you're not falling foul of regulations. So a lot of organisations we work with are challenged by trying to balance those regulatory requirements around that.
I think the final thing for me is around business processes and making sure that by the deletion of personal information you've not compromised the effectiveness of those business processes. For example, if you use information on profiles of people, history or backgrounds and if they're asking for information to be deleted, the question is does that impact on your business process and effectiveness going forward?
PA: What should organisations do right now to comply with the EU GDPR?
Elliot: The first thing I would say is - don't panic. Look at a risk-based approach, where the key areas where you hold personal sensitive information are, prioritize those, understand what consent you've had around those, and, if you need to, look at how you capture that consent.
The second thing I would suggest is to look at your third-party supplier contracts. A number of organisations are struggling with third-party providers, especially when they're overseas. Though they're jointly liable, the third-party supplier may not feel the regulation applies to them because they don't sit within the European Union, so organisations are really struggling with their commercial relationships and contractual relationships with their suppliers. So really look at quickly understanding exactly what those terms are and negotiate now, in terms of what you require to actually be done to change those contracts, because that can be quite a lengthy process.
The third thing I would suggest is to communicate internally with your staff and your stakeholders within your organisation because they can be actually fundamental in making sure you don't get an EU GDPR breach. It's not all about technology. Also communicate to your customers, explain to them how you have taken the GDPR seriously, what measures you're putting in place just to help them, and encourage them to actually want to share and give their approval to the use of their personal information.
The GDPR is a game-changer. Learn how PA is helping clients make the most of this opportunity.