Data is rapidly becoming the lifeblood of the global economy. In the world of Big Data and artificial intelligence, data represents a new type of economic asset that can offer companies a decisive competitive advantage, as well as damage the reputation and bottom-line of those that remain unsuccessful at ensuring the security and confidentiality of critical corporate and customer data.
Despite the severe repercussions of compromised data security, until recently the fines for breaches of data protection regulations were limited and enforcement actions infrequent. However, the introduction of the potentially revolutionary European General Data Protection Regulation (GDPR) is likely to transform the way data-driven companies handle customer data by exposing them to the risk of hefty fines and severe penalties in the event of non-compliance or a data breach.
In this article, I have tried to summarise the implications of GDPR implementation for data-driven companies, as well as the measures businesses can take to ensure the security and privacy of clients’ data and avoid the penalties associated with non-compliance.
How Does GDPR Impact Data-Driven Organisations?
The General Data Protection Regulation (GDPR) stands out from all existing regulations because of its breadth of client data protection. From conditions on cross-border data transfer to the need to implement, review, and update adequate technical and organisational measures to protect customer data, the GDPR introduces several new legislative requirements that will significantly impact the way businesses collect, manage, protect, and share both structured and unstructured data. I have described a few of the most important ones below.
- Valid and Verifiable Consents — It can be argued that the GDPR is all about consent: it protects European citizens by giving them the means to object to, or give permission for, the processing of their personal data. The GDPR sets out stringent new requirements for obtaining consent from customers for the processing of personal data. According to the new legislation, companies should make withdrawing consent as easy as giving it. Furthermore, consent should be explicit and well informed, with full transparency about the intended purpose and use.
- Data Protection by Design and Default — Up until now, businesses were required to take technical and organisational measures to protect personal data. But implementation of the GDPR will require companies to demonstrate that the data protection measures are continuously reviewed and updated.
- Data Protection Impact Assessment (DPIA) — DPIAs are used by organisations to identify, understand, and mitigate any risks that might arise when developing new solutions or undertaking new activities that involve the processing of customer data, such as data analytics and all data-driven applications, including BI, data warehouses, data lakes, and marketing applications. GDPR makes it a mandatory requirement for all organisations to conduct a DPIA and consult with a Data Protection supervisory authority if the assessment shows an inherent risk.
What are the Possible Consequences of Non-Compliance?
The GDPR subjects data controllers and processors that fail to comply with its requirements to severe consequences. These consequences, contrary to what most people believe, are not just limited to monetary penalties. Instead, they can potentially damage a business’s reputation and bottom-line. There are three factors that together make the GDPR the most stringent regulation in the European data protection regime.
- Reputational Risk — The reputational risks of any data breach are always severe. However, implementation of the GDPR, with its obligation to notify authorities in case of a data breach, is likely to result in increased enforcement activity. This will consequently bring data protection breaches to light, compromising a company’s market position and reputation.
- Geographic Risk — All organisations offering goods or services to EU markets or monitoring the behaviour of EU citizens are subject to the GDPR. This includes all data analytics companies as well.
- Huge Fines — Failure to comply with the new regulations will lead to significant fines of up to 20 million EUR or 4 percent of the company’s global turnover, whichever is higher.
To avoid the huge fines and severe penalties, businesses need to have complete and mature data governance in place. From revising existing contracts to getting buy-in from the key people in the organisation, businesses will be required to review their entire data process management approach in order to become compliant and mitigate reputational and financial risks.
5 Questions to Address and Mitigate the Risk of Non-Compliance
1. How can I minimise risks and protect my business’s reputation?
Taking the following measures can help you ensure your compliance to the new data protection legislation.
Define Personal Client Data — Document what types of personal data your company processes, where they came from, and who you share them with. For example, if you hold inaccurate personal data and have shared it with another organisation, you will not be able to identify the inaccuracy and report it to your business partner unless you know what personal data you hold. Therefore, begin with a thorough review of your existing databases.
Manage Data Streams and Processes — Develop a roadmap to determine your sources for data input, data processing tools, techniques, and methodologies that you use, and how the data you hold is shared with other businesses. Once you have listed all the inputs and outputs, evaluate their compliance to the new regulations, and take adequate measures to ensure good data governance.
Designate a Data Protection Officer — Designate a Data Protection Officer who has the knowledge, support, and authority to assess and mitigate non-compliance risks.
Ensure Swift Response to Withdrawal Requests — Respond to the customers’ requests of consent withdrawal in an efficient manner and update the system to flag that the user has withdrawn consent to prevent further direct marketing.
2. How can my business protect personal data?
The new data protection regulations apply to any data that allows the direct or indirect identification of an individual by anyone. As a result, cookie IDs, online identifiers, device identifiers, and IP addresses are categorised as personal data under the GDPR. To ensure the security and confidentiality of these newly defined categories of personal data, businesses can use the following measures:
Adopt a Protection by Design Approach — There are certain ‘protection by design’ techniques that businesses can use to protect the personal data of their customers. These include:
- Pseudonymisation — Pseudonymisation (for example encryption, tokenisation, or hashing) is a technique that splits customers’ personal data into two parts in such a manner that one part can no longer be attributed to an individual unless it is combined with the second part, which is kept separately and is subject to its own data protection measures.
- Data Minimisation — As the name implies, data minimisation is about ensuring that only the data that’s necessary for a specific purpose is processed, used, or stored.
3. How can my company implement technical infrastructure that will ensure optimal governance of client data?
GDPR not only requires businesses to implement a well-built and foolproof infrastructure to collect, store, and process data, but also directs them to continuously review and update the infrastructure. Here are a few ways businesses can ensure their compliance to these new legislations.
Align Data & Analytics Strategy with Policies — Businesses should focus on developing a data and analytics infrastructure that’s CONTROLLED, PORTABLE, and COMPLIANT. To ensure this, data collection should be purpose driven, i.e. only data that is required to fulfil a specific requirement or purpose should be collected and processed. Data collection should be compliant: customers should be given the right to object to the collection and processing of their data for direct marketing purposes. Data collected with the consent of clients should be kept in self-controlled storage and processed according to all applicable data protection regulations.
Manage Data Lineage — Data governance solutions offered by leading tech companies can help businesses streamline their data handling processes, exercise greater control, and gain improved visibility throughout the data lifecycle. They help businesses adopt a standardised approach to discovering their IT assets, define a common business language to ensure optimal policy and metadata management, create a searchable catalogue of information assets, and develop a single point of access and control for data stewardship tasks.
4. How can my business uphold these new regulations and define client data collection and storage?
To enhance the compliance of their client data collection and storage processes, businesses should seek assurance from a data protection officer who can inform and advise the business about its obligations under the regulation, monitor the implementation and application of adequate data protection policies, and ensure optimal training of staff involved in data collection and processing operations. In addition, designating a data protection officer can also help businesses monitor their incoming data streams and how they should be treated.
5. How can my business handle different types of data streams?
To ensure their compliance to the GDPR and avoid the severe consequences of non-compliance, businesses are not only required to ensure optimal control and privacy of static batch data, but also develop means to collect, categorise, and process data provided by high-speed data streams. Data stream management software is a viable solution to this challenge. A data stream manager allows businesses to:
- Collect and distribute data in a private and compliant way
- Reduce costs and complexity in data life cycle management
- Have real-time access to all structured and unstructured data via the cloud or on premise
- Centralise all data sources for improved visibility and control
- Develop a controlled environment for data-driven operations
With a data stream manager, Data Protection Officers can define privacy levels, manage user rights, get an insight into how their info is being collected or used, and more.
Figure: Manage Data Streams by Data Protection Officers (Source: www.datastreams.io)
Many of the GDPR’s principles are much the same as the current data protection regulations. Therefore, if your business is operating in compliance to the current law, you can use your current approach to data protection as a starting point to build a new, more robust and secure GDPR-compliant data protection infrastructure.
To learn more about GDPR compliance, subscribe to the educational webinar, hosted by BrightTalk and presented by Ronald van Loon.
Janus de Visser
Janus is Data Privacy Officer and Data Governance Consultant at Adversitement. Feel free to connect with Janus on LinkedIn to learn more about GDPR, Data Governance, Risk & Reputation.
Ronald van Loon