Protecting Data is the Smart Thing to Do. It’s Also Good for Business
The road to data compliance is both challenging and rewarding. With the General Data Protection Regulations (GDPR) now in effect, here’s how companies should act.
Is your company data compliant? Well, that depends…
When it comes to Personal Identifiable Information (PII), has your company provided the same level of security for names, photos and social media posts as it has for financial information and passwords? Could your organization quickly locate a customer’s PII if they asked you for a complete record of it? If a breach were to occur, could your company identify and alert local authorities, as well as those affected, within a 72-hour period?
If you said no to any of these, your company might not be as compliant as you think.
Being a data compliant organization is crucial, especially while corporate cybersecurity breaches and misuse of private data continue to dominate global headlines. Consumers are becoming more aware of data breaches and are heavily scrutinizing companies that handle their PII. In a recent report from private security firm RSA, 82 percent of respondents claimed they would boycott a company that repeatedly demonstrated they have no regard for protecting consumer data.
It’s been a long road for organizations who are looking to develop a robust data governance strategy. But beyond the inherent issues of poor data governance, there is an ethical dilemma: should companies be allowed to hold such a wealth of user data?
A recent WIRED article shed light on some disturbing facts: Every two days, we generate as much data as we ever had from the start of time to 2013. In the U.S. alone, marketing companies have about 1,500 data points on approximately 96 percent of citizens.
It’s a sobering thought to know the wealth of information that companies are holding as data breaches continue to escalate. To draw more attention to the need for cybersecurity responsibility, the European Union (EU) has raised the bar for safeguarding consumer information.
Just last week, the General Data Protection Regulation (GDPR) went into effect in the EU. Though it’s already been discussed at length, the new policies seek to bolster accountability through 72-hour data breach notifications, improve data usage transparency and provide the same security measures for passwords and photos as it would for highly-sensitive information like financial and banking statements — among other objectives.
Businesses that breach the regulation can expect fines of €20m or 4 percent of global revenue, whichever is greater. But capital isn’t the only thing at risk. Noncompliant companies face reputational damage that can affect industry partnerships as well as their bottom line.
The question then, isn’t if you should become a more data compliant organization. It’s when, and the answer is now. For organizations trying to catch up, these are the hurdles that they’ll need to overcome.
The Five GDPR Challenges
The GDPR unifies and strengthens previous data protection regulations across the EU. It also applies to personal data exported outside of the EU, so multinational businesses and third party vendors that have access to such data will need to ensure compliance as well. To guarantee GDPR compliancy and strong data governance practices beyond, here are five operational challenges that we have observed thus far and the steps we suggest to ensure compliance.
Embedding Compliance Behaviors
Companies with a repository of user data are at a particularly high risk of being breached. Yet, many underestimate the effort required when implementing the GDPR operating model. Take caution, this will not be some paper pushing exercise. It requires an emphasis on educating staff members, empowering accountable staff, implementing communications strategies and establishing data compliance as an opportunity, not a hindrance. Companies that foster a cultural of compliance, however, will benefit from having a common goal embedded holistically throughout the entire organization.
Understanding Direct Marketing Consent
While being proactive about data governance is key, understanding fluctuating circumstances is crucial. There is no one-size-fits-all approach when it comes to direct marketing consent. A company’s approach to direct marketing depends highly on the nature of the business and whether it's in a B2B or B2C context. Defining the aspects of a data “requiring notification” can help improve transparency between any party that interacts with user data. Those that undertake implementation of a centralized consent management framework can look forward to having a much better understanding of the communications that are happening within their organization.
Want more insights from our latest content? Click here to subscribe based on your specific area of interest.
Setting “Sticky” Retention Periods
Companies will inevitably need processes and procedures for data governance moving forward, so it’s vital to establish them now that the GDPR has gone into effect. Traditionally, retention periods have been set at a departmental level. Now, the GDPR requires that they be set at a data level. Implementation of retention periods require strong data ownership and even stronger mobilization of the retention schedule, so while some companies may be reluctant to get rid of any personal data, establishing these new retention periods will be beneficial in understanding data reserves and mobilizing retention schedules with agility.
Understanding Intra-Group Data Transfers
For many businesses, the acquisition of user information is facilitated by vendors and third parties, some of which might be operating outside of the EU. The GDPR is restrictive over the transfer of data outside its jurisdiction, so companies have been opting for one of two options: Establish an intra-group agreement based on standard contractual clauses, or build up a set of Binding Corporate Rules. In the case of the former, every affected subsidiary must sign a contract, whereas the latter will require agreements for the supervisory authority in each affected region.
Complementing Technology Enablement
Unfortunately, many organizations have immature cyber-security capabilities, so the learning curve will be especially steep for those who have yet to catch up with their competitors. Because technology functions as an enabler for business and technology security, it’s imperative that organizations implement a comprehensive system that vets the input and output of data. While a difficult task, this presents an opportunity to guide data that flows to third-party vendors outside of the organizations. Companies should establish a robust audit checklist in the controller-process arrangements to ensure the safe passage of consumer data. Doing so will also help organizations understand how technology is used to facilitate the success of the business.
Compliance Results in Confidence
While GDPR compliance is key, ensuring the protection of user data is a business practice that will benefit your company long after the GDPR buzz. Customers are far more likely to remain loyal when they feel that an organization has their best interests at heart.
Companies should view GDPR compliance as an opportunity rather than a burden. The decisions that organizations make now will have a significant effect on the opportunity cost of implementing future legislation, both in the EU and across other economies. By working towards becoming a compliant organization, companies will gain a better understanding of data, a more authentic rapport with consumers and employees and ultimately, become instrumental in helping to create a safer, more transparent future.
© Copyright 2018. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.