Part 4 in the “Postmodern CIO” series
The deadline for enforcement of the European Union’s General Data Protection Regulation (GDPR) is only months away, with the agreement coming into effect on May 25, 2018. By now, the severe financial penalties for noncompliance have been well-publicized. Fines for breaching the most important provisions can be as high as four percent of a company’s annual global revenue or €20 million, whichever is greater.
Rather than a punitive measure, however, you could instead see the GDPR as a wider opportunity to transform the way that you handle data and manage risk and compliance. As the most compelling data-protection event this decade, the GDPR should serve as a catalyst that will put your organization in better shape to compete in the digital economy.
Defining data privacy for the digital age
According to the European Commission, “everyone has the right to the protection of personal data.” Within the EU, personal data can be collected only for legitimate purposes and must be protected from misuse. Equally, it may be used only for those purposes.
Concerns about the potential abuse of personal data are far from unwarranted, for both private citizens and the organizations that hold their information. For example, the Ponemon Institute’s 2017 Cost of Data Breach Study finds that the total average cost of a data breach for businesses is US$3.62 million (€3.08 million). What’s more, the likelihood of being breached is rising at the same time that companies are dealing with an “information explosion,” collecting more and more data about a growing number of people.
In the face of these trends, the GDPR seems to have arrived at the perfect time – and it’s poised to have powerful repercussions. The global reach of the Internet means that even companies without a physical presence in the EU will feel the effect of the GDPR. Because the new regulations include provisions for “extraterritoriality,” any organization that collects personal information about EU citizens must comply with the GDPR.
What the GDPR means for your business
Organizations have generally taken the GDPR seriously and begun working toward compliance well in advance. According to a survey by PricewaterhouseCoopers, for example, 77% of U.S. multinationals are earmarking more than $1 million for their GDPR readiness and compliance efforts.
When the GDPR comes into effect, your business will have to demonstrate compliance in two key areas: individual rights and accountability. Individual rights refers to how you handle matters such as erasing data or rectifying incorrect or incomplete information. Accountability, meanwhile, involves maintaining ongoing compliance by collecting documentary evidence. You should also be able to respond to a regulator's query quickly and effectively.
GDPR challenges and opportunities
The GDPR is a wide-ranging law that will have implications for your entire business, not just your IT department. Once the GDPR comes into effect, you'll have to justify processing the personal data of data subjects and show that it was done for appropriate business reasons. Again, the ability to generate audit- and evidence-quality reports quickly, without disrupting business-as-usual operations, is key.
For example, departments such as HR, finance, customer service, and sales and marketing will need to justify keeping personal information about employees, customers, potential customers, and job applicants. Meanwhile, teams working in risk and compliance management and security must understand how the GDPR affects their initiatives and how they can work to lower risk and protect personal information. IT will need to know all this in order to respond to an auditor's questions or to a citizen's Data Subject Access Request.
With so many affected areas of your business, the GDPR represents an opportunity to accelerate your efforts to harness the value of your data. Organizations that recognize information as a key strategic asset experience 46% higher revenue growth. Consider your preparations for the impact of the GDPR as an investment in your company’s digital future.
Find out more about turning GDPR compliance into a growth opportunity.