‘It all starts with having solid knowledge of the do's and don’ts. Although, this is a bit of a conundrum since all legislation has yet to be finalized. But, despite the unknown, one thing is for sure: It. Will. Be. Big. GDPR is a great opportunity to professionalize your organization, optimize your data management and capitalize on the benefits’
Breaking It Down: GDPR in 5 Key Points
1. Organizations Are Obligated to Report Data Breaches
If your organization suffers a so-called ‘data breach’, you have to report it to the authorities within 72 hours. For those who think “Russian hackers are not that interested in our data”: believe me, Russian engineers with bad intentions are often the least of your worries. It’s shocking, but true: most data breaches are at the hands of your own employees. An email that’s accidentally sent to the wrong person(s), an intern doing research for his thesis who gains access to information, or a third party you do business with who doesn’t comply with the GDPR are all risks of data leaks. A data breach can happen right under your nose.
2. Data Protection Needs to Be Part of The Organization’s Design
In addition to having to report data breaches, organizations are also required to actively try to prevent them, through both technical and organizational measures. There are various ways to go about this: for instance, data anonymization; ensuring the ongoing confidentiality, integrity, availability and resilience of IT systems; implementing measures to restore the availability of and access to personal data in a timely manner; and, lastly, regularly testing and evaluating the efficacy of technical and organizational security measures. All of the above needs to be institutionalized and documented in a Data Protection Impact Assessment (DPIA), and organizations are only allowed to exchange data with parties that explicitly comply with the new regulations.
3. Customers Have Rights, Too
These include, amongst others, the right to be forgotten, the right of access, the right to data portability, the right to rectification and the right to restriction of processing. Simply put, these rights need to be respected and, in the case of a violation, dealt with adequately and efficiently by a formal complaints division. For this to be effective, deep insight into data processing and systems is required.
4. Not Only Do Customers Have Rights – You Need Their Consent, Too
Organizations need to be very clear about what their intentions are with their clients’ data. Moreover, those intentions need to be explained in an understandable, concise manner. First and foremost, you need a legal basis for processing data, which is often established by obtaining the customer’s explicit consent. Also, customers must be given the option to opt in or opt out at any given time. Bear in mind that there are legal limitations to the storage of certain data – racial, ethnic, political, religious, sexual, genetic or other sensitive personal information is strictly forbidden.
5. Limited Data Retention
The final prerequisite is quite possibly the most challenging: GDPR requires organizations to delete personal data after a certain period of time (usually seven years after the last point of contact). And while this might sound rather simple, the reality is that most IT systems are not built to erase information; they are built to collect and store (more) data. Unfortunately, a ‘delete’ button simply does not exist! Furthermore, data gets distributed throughout an organization, often to places you didn’t even think possible – far further and deeper than ‘only’ the database, the network drive and email – and it needs to be deleted from everywhere.
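As an added illustration of the retention problem described above (this is example code written for this page, not code from the original post or from any product), the following retention sweep treats the customer's "last point of contact" as the most recent contact recorded in any copy of the data, then removes every copy of an expired subject from every store and verifies nothing expired is left behind. The store names, subject ids and dates are constructed sample data, and the seven-year period is approximated as 7 × 365 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period from the post: seven years after the last point of contact.
# Assumption: approximated as 7 * 365 days; adjust to your legal advice.
RETENTION = timedelta(days=7 * 365)


@dataclass(frozen=True)
class Record:
    subject_id: str
    last_contact: date


def build_sample_stores():
    """Constructed sample data: three copies of customer data living in
    different places, as the post describes (database, network drive export,
    mailbox archive). All ids and dates are invented."""
    return {
        "crm_database": {
            "c-001": Record("c-001", date(2012, 3, 1)),
            "c-002": Record("c-002", date(2014, 6, 9)),
            "c-003": Record("c-003", date(2023, 1, 15)),
        },
        "network_drive_export": {
            "c-001": Record("c-001", date(2011, 11, 30)),
            "c-002": Record("c-002", date(2022, 2, 2)),  # newer contact only recorded here
        },
        "mailbox_archive": {
            "c-001": Record("c-001", date(2012, 3, 1)),
            "c-003": Record("c-003", date(2020, 5, 5)),
        },
    }


def latest_contact(stores):
    """Most recent contact per subject across every store. A subject is only
    expired if *all* copies are older than the retention period; judging each
    store on its own would delete c-002 from the CRM while the export shows
    a contact in 2022."""
    latest = {}
    for store in stores.values():
        for sid, rec in store.items():
            if sid not in latest or rec.last_contact > latest[sid]:
                latest[sid] = rec.last_contact
    return latest


def expired_subjects(stores, today):
    """Subjects whose most recent contact anywhere is older than RETENTION."""
    cutoff = today - RETENTION
    return {sid for sid, last in latest_contact(stores).items() if last < cutoff}


def retention_sweep(stores, today):
    """Delete every copy of every expired subject from every store.
    Mutates `stores`; returns {subject_id: [stores it was removed from]}
    so the deletion can be evidenced for the DPIA."""
    to_delete = expired_subjects(stores, today)
    removed = {}
    for name, store in stores.items():
        for sid in list(store):
            if sid in to_delete:
                del store[sid]
                removed.setdefault(sid, []).append(name)
    return removed


def verify_sweep(stores, today):
    """Post-sweep check: True only if no expired subject remains in any store."""
    return not expired_subjects(stores, today)


if __name__ == "__main__":
    stores = build_sample_stores()
    today = date(2024, 1, 1)  # constructed "current date" for the example
    print("expired:", sorted(expired_subjects(stores, today)))
    print("removed:", retention_sweep(stores, today))
    print("clean:", verify_sweep(stores, today))
```

The point of `latest_contact` is that the retention clock belongs to the person, not to any single copy of their record; the point of `verify_sweep` is that "deleted from everywhere" is something you prove after the run, not something you assume.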
What Happens if You Don’t Comply?
If you don’t make sure all of the above is in order, your life becomes not only very painful, but also unaffordable. Organizations that fail to meet the criteria and are reported for data breaches can be subjected to high fines. Wondering how high these fines might be? Well, that’s not entirely clear just yet, but the worst-case scenario could be a fine as steep as 20 million euros, or 4 percent of your total global profit – whichever amount is higher. Plus – and possibly even scarier – once the law has come into effect, management teams can be held personally liable, and affected customers can claim compensation. Just think about what happens if one of your interns accidentally sends out a confidential email to the wrong mailing list – that’s a disaster waiting to happen.
In addition to financial strain, organizations also have to consider their reputation. Violating people’s personal data rights is extremely archaic: modern companies should want to be ethically responsible when it comes to this matter.
Take Note(s): 5 Advantages of Complying With GDPR
Regardless of what you might think after reading all these tips, dos and don’ts that are essential for your organization, I’d like to focus on the undeniable benefits that are basically gift-wrapped for you.
- The chance to organize your data in the most efficient way; few things are as valuable and beneficial to your company as solid, efficient data management, structured integration and monetization of high-quality data.
- The fact that customers hold the so-called ‘right to rectification’ is essentially fantastic – what is better than customers correcting their own data? I have yet to meet the first customer who calls me to inform me that his or her data is incorrect – how great is that?
- Another blessing: the fact that organizations are forced to get rid of redundant data, which, in the long run, makes for far more efficient data operations and leaves significantly less room for “noise”. Because, in all fairness, the added value of all this long-stored data is highly debatable anyway: how meaningful is it to still have the contact details of a company that requested a quote over twenty years ago?
- If you really want to keep certain data, there’s always a way: anonymizing it. As long as the data can no longer be traced back to a person, all is fine.
- Lastly, using this to drive your commercial positioning: “Customer in the lead” can be a powerful marketing strategy.
Is Complying With the GDPR a Costly Endeavor?
‘Yes, there are no two ways about it. Estimates say that compliance with all rules and regulations adds up to a one-off investment of 5 million euros, and another million per year on “maintenance”. Rules and implications apply equally to all organizations, and even though SMEs won't be expected to pay such a large amount, they most likely also have to invest one million euros.
GDPR is much more than just a long list of rules and regulations that all international organizations processing the personal data of subjects in the European Union need to adhere to; it’s also a catalyst for change in organizations’ mindsets. It calls for a restructuring of their enterprise architecture and it offers a fantastic opportunity to unlock additional value. Even though it might be somewhat difficult to predict exactly how all this will play out, and whether the dog’s bark will be worse than its bite, it’s time to face the music and make sure you are not out of tune.’