The General Data Protection Regulation (GDPR) will come into effect on May 25th, 2018. This European privacy regulation will improve consumer privacy by giving customers (‘data subjects’) more control over their data. It does so by giving data subjects the right to see what information companies hold about them, how it is used and to whom it has been given for further processing, and by offering them the possibility to have that information erased or changed. The pressure created by the need for implementation offers companies a unique chance to implement a comprehensive privacy risk treatment.
There is ample reason to hurry up with GDPR implementation. Most professionals involved in data privacy will be familiar with the steep fines involved in the GDPR, potentially adding up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is greater. In addition, the UK Privacy Office’s Head of International Strategy & Intelligence Steve Wood said ‘there will be no GDPR grace period.’ In other words: May 2018 means May 2018. However, just being compliant means just that: being compliant. The growing importance of data and its ever-increasing use explain why being in control of all uses of data is becoming paramount for any digital company. Companies using extensive digital marketing in particular should be aware of the ramifications, since simply using customer data that is ‘lying around’ is no longer acceptable.
Capgemini’s 2017 Information Security Benchmark asked CIOs to what extent they already comply with the GDPR. 50% of respondents were quite confident they would comply; the other 50% stated they were not ready at all, or only to some extent.
So how should Data Protection Officers (DPOs) or CIOs counter the upcoming challenge? The same Benchmark study mentioned above asked CIOs what they see as the most important measures for complying with the GDPR. The most frequently mentioned were: setting up Privacy Impact Assessments (PIAs) in order to identify risks early; identifying the location of personal data in order to set up protection; and reviewing current databases and other records. Especially the first point, setting up and revising PIAs, points the way forward to developing a comprehensive privacy risk strategy.
Most companies have an attitude that could best be described as: ‘GDPR is coming - look busy.’ They implement assessments, develop templates and in general make sure they have an immense paper trail documenting their every step. This does not necessarily add up to a comprehensive strategy to counter privacy risk, however. A risk-based approach, built on an analysis of the processes that add the most value and carry the most risk, coupled with a thorough look at managing the risk cycle, promotes lasting change in the organization and keeps the managerial effort spent on risk management to a minimum in the long run.
A well-developed risk assessment is needed that tackles privacy risk broadly. This means that not only the identified threats to privacy should be in focus: all personal data being used should be identified and accounted for. Most importantly, a comprehensive privacy risk strategy means that companies should start thinking about privacy before they start collecting data, not after it is there.