Why GDPR is good for your business!

I have had many conversations about the negative implications of GDPR, the “Stick”, but what about the positive implications, the “Carrot”?

I felt after all the FUD that has been thrown around recently, it was time to extol the virtues of becoming compliant and the inherent benefits this brings.

After all, if data is meant to be the new oil, meaningful information is the new currency.

Any failure to protect customer PII (Personally Identifiable Information) may cost a business its reputation and lead to loss of market. The huge penalties for harm to the Confidentiality, Integrity and Availability of customer data would force an enterprise to implement adequate controls to maintain its reputation. Surely this must be a major benefit in enhancing the relationship with the customer and striving for that word known as Trust.

Once the enterprise puts adequate controls in place to protect customer data, every customer who is a native of the EU or a visitor to an EU member state would have greater faith in the enterprise’s data protection policy. This will help to retain existing customers and attract more customers to the business’s services. Customers would feel that their data is maintained and processed by trustworthy systems, thus developing a high level of trust within the consumer.

I also foresee a cascade of compliance, with suppliers across the eco-system being asked to become compliant as well in order to enhance the value of the supply chain. After all, who wants to be the weakest link and potentially be excluded from future business?

Proper data protection training for people who access personal data on a regular basis would minimise security incidents, and I foresee this being part of their HR training review programme to ensure they are all good custodians of data. This is another area the business could then promote to its clients as a virtue of doing business.

Data analytics, as we all know, is fundamental to many organisations for commercial benefit. For it to work at its true potential, the data has to be clean: data that is up-to-date; data that’s accurate; data that’s relevant; and, when it comes to personal data, its use needs to be acceptable to each individual. Clean data means larger profits.

Many of the principles that would assist in refining data already exist under the present directive: data minimisation; accuracy; storage limitation. They haven’t changed much in the GDPR, a little tweak here, a small tightening there, but the enforcement mechanisms have changed dramatically in order to drive the correct behaviour, which ultimately means significant benefits to an organisation. It is a little bit like taking medicine that does not taste nice: it is there to do a certain job that ultimately will make you feel much better.

In terms of increased transparency, companies will need to tell their customers what purposes they’ll be using their data for, and far more scarily, how long they will keep it for.

When the issue of Records Management in organisations from the public sector to high-tech start-ups gets mentioned, eyes tend to drift down to shoes, to the corner of the room, or indeed anywhere that will avoid direct gaze. Records Management is to most companies what cleaning their teeth is to many teenagers: something they know they should do, but only get around to when chased by a grown-up.

Yet without this basic building block of data cleansing, systems are increasingly clogged up with out-of-date, inaccurate and, frankly, often useless data.

But how can this be built into a competitive advantage? Surely if it applies to all companies then no one will be able to get ahead of the competition?

The point here will be not whether one has to do it, but the efficiency and the mechanisms employed.

Some, of course, will bumble along in the hope that it never gets noticed, that they won’t be hacked, their customers don’t care, or that the regulator will never come calling. But effective Records Management could have an impact on an organisation way beyond the data protection regime:

  • timely customer interactions
  • reduced storage costs
  • less wasteful marketing campaigns
  • lower security risk
  • lower likelihood of regulatory intervention

All are quite achievable but will only work as part of a cohesive data strategy involving a realistic assessment of the data you have, the data you need and the most effective use of it. But before these advantages can be attained a more fundamental question needs to be addressed: can we keep it safe?

Security is another principle maintained by the directive, although it is now called integrity and confidentiality. On an initial view, apart from the name, not a great deal has changed: the language around the security of data has been maintained as “appropriate technical and organisational measures”.

The phrase gives little guidance, but also great freedom for interpretation. However, as ever, the devil is in the detail. Further into the regulation a new section is introduced which emphasises the risk-based approach that the Council of Ministers was keen to introduce: “taking into account the state-of-the-art, the cost of implementation and the nature, scope, context and purpose of processing as well as the risk of varying likelihood and severity”.

That’s quite a long-winded way of saying, it’s up to you guys to decide how you want to deal with this, but if you get it wrong we’ll be coming down on you like a tonne of bricks. And don’t forget the mandatory data breach notification that is included in the article of the regulation which follows.

Combined with the fines (remember them? Four percent of global turnover), it provides quite an incentive to get your security right. But as this will apply to all, again, can anyone gain a competitive advantage from it?

I believe it will be possible, but only as part of that overall strategic view of the significance of data inside the organisation.

A question, for example, could be “what is the cost of encryption?” but what is the cost of not implementing it?

Look into the near future: if a major corporation is looking to refresh, for example, its marketing and PR partners, I would be very surprised if one of them is not emphasising its increased levels of security, and this will suddenly become one of the factors that could clinch the deal.

Ultimately taking GDPR seriously and implementing its regime in a structured and effective manner will provide a prize that has, to date, eluded many organisations.

However, we all know that this “trust” is not automatic for much of the information on the Internet. Yet we all use it, despite the fact we are not convinced of its trustworthiness.

Unfortunately for commerce, this nervousness about whom people are dealing with is increasing as stories of phishing and Internet fraud abound. But this very nervousness provides a market opportunity, one which a variety of companies and individuals can offer to help with, from data analysis and process workflow to security, legal, etc.

At first sight, the GDPR just becomes a simple regulatory pressure on companies to do the right thing. But I believe that for those who can invest in, and more importantly truly demonstrate, high levels of compliance across all areas, there may well be a greater prize.

The possibility of creating an environment in which a customer’s trust is reflected, not just in a warm glow, but in the bottom line as well, could mean that the carrot becomes mightier than the stick. Where have I heard that before?
