Security Think Tank: Don’t dismiss the business benefits of GDPR
What strategies can infosec pros use to shift focus from GDPR fines to enabling business gains and success, changing the way data is used, and aligning data privacy with business purpose?
When noise began to circulate around the EU’s General Data Protection Regulation (GDPR), many organisations focused on the cost-benefit analysis of complying. With a large emphasis on the potential fines “of up to 4% of annual global turnover or €20m”, business leaders were encouraged to review and develop their data protection functions to avoid these eye-watering costs.
However, there was little acknowledgement that the intangible reputational damage of a breach can be more destructive for a company than the direct fine itself. Neither was much attention given to the potential advantages that the GDPR was intended to bring about, such as increased consumer confidence and insightful marketing and data management.
To achieve these benefits, it is important to tackle not only the legal and IT implications of GDPR, but also the cultural aspects of how the organisation handles personal data.
The focus should be on data protection as part of the whole, rather than solely GDPR. This is likely to be a gradual process, but should concentrate on how and, with equal importance, why certain data privacy processes should be followed in everyday activities. Rather than centring on the financial consequences of this, the focus should be on the benefits of doing the right thing.
Data retention policies, for example, have been seen as an extensive task for a lot of organisations and one that is difficult to monitor among employees. However, having a formal deletion process has serious benefits for an organisation, allowing it to manage and understand the data it holds, remove low-value data and, in turn, reduce data storage costs.
The improvement in data quality will unlock opportunities for more discerning marketing: contextual campaigns aimed at groups or individuals (subject to consent, of course) that are far more likely to be successful in revenue terms.
The more efficient and streamlined an organisation can be in its data protection processes, such as data discovery, data subject requests and data retention, the easier it will find it to ingrain these practices in the long term. Making compliance easier for everyone in the organisation will ensure that data protection starts to be seen as a part of everyday business activity, rather than an overhead required to avoid hefty fines.
Understanding and articulating the value of such processes and how they can be achieved efficiently is key in reaching an outcome that is effective in terms of both the business value and the compliance objective.
Read more from Computer Weekly’s Security Think Tank about how to shift data protection focus to business benefits and success
It is important to note that compliance is not about investing large sums into technological products that promise to meet all GDPR requirements. Of course, some technical solutions will be required, but the route to compliance in most organisations is likely to be a combination of legal and cultural change supported by technology, rather than the technical solution in itself.
The IT systems required to support these changes will probably be a mix of existing applications and tactical additions where a particular gap is identified. In this way, organisations can make appropriate decisions rather than over-investing in systems where a simple change to a business process is all that is required.
Organisations should not see the additional data subject rights and lawful basis requirements as simply updating privacy notices. Implemented with the right intentions, the GDPR can be a business enabler that revives innovation, sales and marketing processes. Targeted marketing, for example, allows an organisation to gain a better picture of consumer demands and facilitate future product innovation discussions.
In summary, although there has been a lot of focus on the financial consequences of GDPR non-compliance, the significant benefits that the updated legislation brings should not be dismissed. By making compliance part of everyday processes within an organisation, the GDPR requirements can help the organisation meet its compliance obligations, enhance overall security and benefit business processes.