There are two ways to think about the European General Data Protection Regulation (GDPR), set to go into effect in May 2018. Many view compliance as a cost factor, but the GDPR introduces a variety of new concepts in privacy protection that can turn compliance into a competitive advantage. To help you prepare, I have put together a four-step recipe for GDPR success consisting of a steering committee, data protection officer, data mapping, and risk analysis.
Steering committee
The first function is to establish a steering committee. Senior management needs to be a driver behind GDPR compliance. This comes out of a vision for how GDPR compliance can position the company to be most successful, not primarily as a way to avoid fines.
Elena Elkina, a data privacy expert at Aleada Consulting, argues that corporate executives are now approaching GDPR from the perspective of, “If we do not do this, we’ll lose business.” Within the EU, for example, the ability to compete for new government contracts or grants is now based, in part, on the ability of applicants to show full GDPR compliance. Business partners, when considering potential new relationships, are currently looking carefully at whether or not possible partners are GDPR-compliant.
Data protection officer
Second, name a data protection officer when one is required. GDPR requires public authorities and organizations to have a data protection officer when their core business involves large-scale processing or monitoring of individuals. The data protection officer must be a senior person in the organization who reports to executive management. Furthermore, they must have the freedom to operate independently from the rest of the company and be provided with adequate resources to perform their role.
Data mapping
The third function is data mapping. The process identifies where data resides, what type of data it is, how it is used, and how it is secured. Many companies lack clarity on how much data they are collecting, where they are storing it, and how they are using it.
By some accounts, the “data for the sake of data” mentality that has come to define the big data era has led to a situation where thirty to forty percent of all data collected by companies is either redundant, obsolete or trivial. Many companies can realize new operational efficiencies when they perform a GDPR data map. This may include removing data they no longer need to reduce risk and the cost of managing the data or finding new ways to utilize the information they have to gain new insights.
Risk and gap analysis
The process of risk and gap analysis can lead to new operational efficiencies. Begin by determining what you are already doing and how that can be augmented to meet the GDPR requirements effectively. The scope is wider than just computers and servers, because personal data could be stored or processed by a wide variety of devices, including IoT devices; companies should therefore evaluate traditional computing devices as well as IoT devices for their privacy risk. Kemp also notes that legal opinions on GDPR should be factored in when considering the risk to the organization and its customers.
All these activities have the potential to lead to competitive advantage. Something very remarkable is happening in the way companies think about data privacy. Over the past few years, personal data privacy has transformed from a pure compliance or legal issue into an issue that now has the attention of the marketing team, the PR team and the product development team. In short, companies are now creating data privacy strategies the way they once created an Internet strategy or a mobile-first strategy.
Companies might be able to create higher quality services by offering superior data privacy compared with their competitors. Customers would be willing to pay extra for the peace of mind of knowing that their data is safely collected, stored and used. Privacy, viewed from this perspective, becomes an essential business differentiator and a source of new product innovation.
Best of all, companies that are GDPR-compliant will have the trust of their partners, vendors, and customers. In an era where more data is being collected by more devices than ever before, it is finally time to think carefully about the way that companies use all that data. As a result, it is time to welcome the new GDPR, not fear its imminent arrival.