Analyst Coverage: David Norfolk, Philip Howard, Fran Howarth and Daniel Howard
The EU’s General Data Protection Regulation (GDPR) will apply more-or-less uniformly across the EU from 25 May 2018. It requires an organisation storing or processing the “personal data” of EU citizens to put data privacy – Privacy by Design – at the heart of its data processing. Many observers think that GDPR will become a major cost of doing business in the future. Bloor thinks differently. We see it as an opportunity to add value for your company. It’s an opportunity to leverage “privacy by design” for building trust in the Mutable business.
Why is it important (hot)?
The GDPR means that organisations must significantly change the way in which they protect and process personal data. It gives the subjects (“owners”) of personal data important new rights, including judicial remedies if these rights are infringed and mandatory reporting of data breaches. Organisations must introduce “appropriate technical and organisational measures” to protect personal data – that is, “privacy by design”, with data privacy and security taken into consideration from the start. However, this can also bring bottom-line benefits from managing a “360 degree” view of sensitive data and encouraging data rationalisation.
Remember too that GDPR applies to the personal data of EU citizens outside of the EU. Ovum claims that 63% of US organisations think that GDPR will make them less competitive, while 70% believe that it favours European businesses. These US organisations are probably overlooking the fact that the EU also genuinely takes the privacy of its citizens seriously.
How does it work?
The full text of the GDPR is here. When reading an Article, don’t overlook the linked Recital, which the authorities will use to elucidate precise meanings. GDPR is based on 7 principles:
- Lawfulness, fairness and transparency – personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose limitation – personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original processing purposes. However, further conditions in relation to processing for such purposes must be met.
- Data minimisation – personal data must be adequate, relevant and limited to those which are necessary in relation to the purposes for which they are processed.
- Accuracy – personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage limitation – personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (with some exceptions).
- Integrity and confidentiality – personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Accountability – the controller shall be responsible for and be able to demonstrate compliance with these principles. Being able to demonstrate that you have policies and processes (supported by tools) in place is the key to compliance and avoiding penalties.
What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. See the GDPR FAQ.
GDPR took effect on the 26th May, 2018. It affects any company holding personal data of EU citizens or seeking to move such data in and out of the EU. The UK will introduce equivalent legislation to the GDPR (which will continue after Brexit). And the potential penalties and fines associated with GDPR are eye-watering: there is an upper limit of €20 million or 4% or annual global turnover – whichever is higher.
More important than this, is the reputation risk associated with GDPR – keeping data breaches to yourself will be illegal when GDPR comes in.
Remember, too, that GDPR applies outside Europe, even in the US. It is not “just a barrier to US companies doing business in the EU”, it represents a genuine cultural difference in the way the EU thinks of the privacy of its citizens. And, many other countries are introducing GDPR-like legislation.
“Just six per cent of UK businesses have prioritised GDPR, compared to 30 per cent
in France and 25 per cent in Benelux.”
“Less than two thirds (59 per cent) of UK businesses are aware of the implications GDPR will have on their organisation. Roughly three quarters (73 per cent) felt prepared to meet the obligations when it comes to documents and print management.”
“Among US multinationals, 68% expect to spend between $1 million and $10 million, with another 9% expected to spend more than $10 million.”
Firstly, it isn’t enough to have processes, policies or technology in place. The fundamental question the Regulator (or, indeed, an aggrieved data subject) will ask is whether your people understood the rules and were confident and competent in applying them.
Secondly, once you understand GDPR, you will need, e.g., data cataloguing, security and privacy tools; and process automation, governance and policy management tools; in order to put your understanding into practice. Building a “360 degree” view of customers, consent management (perhaps using MDM), sensitive data discovery, and appropriate data masking, will all be part of the solution.
These let organisations demonstrate that they are well-governed and effective, compared to their competition. More importantly, however, they allow the fostering of better trust relationships with their customers and employees (who both now “own”, in some real sense, their own personal data).
Business is built on trust and the modern Mutable business must base its business outcomes – profits – on leveraging its trust relationships.
What is the bottom line?
Seize GDPR as an opportunity to build “Privacy by Design” into your processes, thus de-risking mutable change as it affects personal data. Leverage this for increased customer trust, customer loyalty and market-share.