I recently interviewed Nina Bryant of FTI Consulting to ask her what she was seeing six months after the implementation of the GDPR (the General Data Protection Regulation). It had been the cause of much nervous anticipation, and I was interested to hear how it was bedding down for FTI’s clients.
Nina Bryant said that despite the regulation now being in force, many organisations are still working their way along the roadmap to compliance. However, more mature organisations are progressing to asking how they can embed privacy at the heart of their business rather than merely treating it as an add-on.
We are beginning to see privacy by design, one of the key tenets of the GDPR, with companies asking how they could put privacy at the heart of the process when introducing new ideas and applications. Thinking about this may involve basic questions about the data, ranging from “Do we have a lawful basis for capture?” to “How can we best protect the privacy of our customers?”. They are doing data privacy impact assessments and looking to see how privacy risks can be mitigated for existing processes.
I asked Nina Bryant whether organisations were seeing all this as an advantage or simply another burden imposed on them by the lawyers.
Nina Bryant said that companies were seeing visible benefits and returns on their investments. What began as just another compliance function has turned into a central concept. It is becoming clear that customers care about what information is held about them, and many organisations are issuing public-facing statements about how they use and protect their customers’ data, and determining their ethical approach to data collection and management.
The benefit lies not merely in compliance and in managing reputation, but also in operational efficiency. By defining data of value to protect, it is also possible to identify redundant or transitory data which can be deleted, and the reduction of data brings down the cost and risk derived from over-retention. The GDPR has not only introduced enhanced protection for data but also revived organisational interest in wider information governance principles.
GDPR has been a key driver for organisations to map their data, and to understand the data they currently store and how it flows across the organisation. Many organisations are discovering that personal data is scattered all over the place, and not necessarily in secure or appropriate places. As a result some organisations are also investing in data analytics tools that are helping them identify large volumes of data, often unstructured, which has no known owner and no classification, and thence no practical use. As they get a better understanding of that data, they can start to dispose of data which is no longer required.
There are other business drivers for analysing and classifying your data – if, for example, there is a business decision to migrate to Office 365, then there is no point in migrating large volumes of obsolete data. It is better to migrate only that which is useful and delete the rest or move it to cheaper storage.
The GDPR may have been the start, but is definitely not the end of legislative interventions with regard to data. The EU ePrivacy Regulation is coming up which, among other things, will force a focus on cookies and cookie management. However, this is not just an EU phenomenon – we are seeing more regulations from non-EU countries, of which the California Consumer Privacy Act is a high-profile example that may result in a Federal US law, while countries like India are introducing GDPR-like legislation.
GDPR is one of the highest profile changes of legislation in recent times, but its impact is far-reaching as we see data breaches make headline news, reputations and brands damaged beyond repair, and organisations challenged at board level to assess their exposure to data protection risk as well as their ethical approach to data use and sharing.