Why are companies finding the GDPR such a challenge?
The introduction of the GDPR requires a mind-set change for companies, and that is why it is proving such a challenging subject. The logic of the law is to redress the balance in power between companies and citizens. The law starts from the basis that current data protection laws have failed and companies have taken our data and openly used and abused it, often without any form of real consent.
The law is interesting because the extent of its success will depend on three factors. The first is the role played by the ICO and its equivalent across the EU. The speeches from the ICO suggest that they will take a lenient view of companies that make a real effort to actively promote privacy as a value for its customers, employees, contractors and other stakeholders. However, the threat of huge fines and increased regulatory power is beginning to make directors focus on data protection in a way they have not done to date.
The second factor will be how consumers react themselves. Already we are hearing that activist consumers are lining up their subject access requests and demands to have data erased. However, in the UK at least, the numbers waiting to use the new law to punish companies they dislike are likely to be small. What we may see over time, is consumers picking up on data erasure, portability and access rights as a powerful way to challenge companies who have their data and are mis-using it.
The third factor will be the companies themselves. We are already seeing genuine reform and interest from a wide range of large organisations. The GDPR is giving air-time to previously forgotten data protection and compliance people inside the business and this is starting to have an impact in terms of serious changes to approaches to mass email marketing and the like. However, this group of large companies are significant outliers. Our experience suggests that the vast majority of companies are doing little or nothing to respond to the new law and time is running out.
Our view is that companies can protect themselves from the regulatory threat by putting some serious effort into their GDPR preparations, raising awareness of privacy as a value and thinking about how this can be embedded across the organisation’s systems and activities. By undertaking these tasks and documenting each step carefully, companies will be well-placed to deal with any interactions with the regulator. However these actions will not increase protection in relation to the risk of a data breach. The preparations must therefore go hand-in-hand with serious thought about information security and physical data protection measures.
Good companies will recognise that in trying to make these changes inside their organisations, the soft issues will be as important as the ‘hard’ changes that are being made to consent opt-ins, privacy notices, cookie notices, contract clauses and the like. The soft issues require a training and communications programme to raise awareness of privacy as a value and what this means in concrete terms in protecting personal data in reality.
From what we have seen, good companies will be combining IT, commercial and legal skills in the project and will not be relying on a single data protection officer or individual to drive the changes needed. Obtaining board sponsorship and support is therefore crucial to success as this is a cross-functional project requiring a strong tone from the top.
The stark reality is that most companies will fail to be ready for the GDPR by May next year. However, good companies will already be well on the way to ensuring that they have made the practical changes to comply with the new law. They will be combining these practical steps with a strong change programme which will be raising awareness and driving a change in attitudes to data protection.
GoodCorporation’s Data Protection Framework can help companies ensure that they have the correct systems in place enabling them to demonstrate robust governance of their processes.
Posted December 2017