GDPR interest hit new heights this year, outranking Beyoncé in Google search interest. Panic started to set in as businesses faced the threat of being fined up to 4 percent of their global turnover for failing to comply.
Although it comes with its challenges, the regulation marks a positive step towards the business community taking customer privacy more seriously and gaining greater value from their data.
But what does data protection look like now the GDPR deadline has passed and how can businesses use the shake-up to their advantage?
See the positives
A recent study found GDPR would make up to 75 percent of customer data held by UK companies ‘useless’. While such extreme database depletion may sound disastrous, in reality many businesses have wasted time and money communicating to people who have never (and will never) engage with their brand.
Ultimately, for many businesses this ‘data detox’ is well overdue. They’ll be left with only quality leads which, in turn, will simplify compliance with data subject access requests and reduce costs for things like data storage, back-ups and security.
There are always winners and losers where regulatory changes are involved. The winners will be those who are open to the opportunities GDPR offers to refresh key business functions and the losers will be those who neglect to take the law seriously.
The public has never been so conscious of their data protection rights or held such high expectations of companies they engage with. Proving you take their privacy seriously will enable you to build trust with both the converted and more skeptical customers.
Make no mistake, GDPR is not to be palmed off to your IT team. It might be surprising, but according to the ICO, four of the five leading causes of data security incidents are due to human errors and process failures.
Now’s the time to roll out data protection by design across your whole business, refreshing the way things are done at all levels.
Introducing secure new business practices can be challenging, with the risk of overwhelming employees if the policies are too dramatic and staff don’t feel they’re getting the right support.
There’s also the problem of keeping up with the evolving cyber threat landscape. Not only are attacks becoming more sophisticated, but techniques like social engineering continue to exploit people’s trust so that they hand over confidential information of their own accord.
How can you introduce new security tactics while keeping staff on side? Training workshops hosted by experts are a must. Courses like those at IAPP are a good test of how well your employees can apply their cyber security knowledge.
Additional tactics, like sending simulated spear phishing emails to the company network to see whether anyone clicks on the links or flags them to the right person, are simple but effective.
Make sure all employees are informed of any updated protocols to keep defenses strong and promote accountability. Having a clear reward and disciplinary process also gives employees an extra push to make the right decisions when it matters.
Previously, data protection legislation focused solely on the controller, the company ‘owning’ the data, rather than on the actions of third parties with access to it.
However, under GDPR, controllers worry they may face unlimited liability for a breach experienced by data processors on the grounds they failed to exercise due diligence. An obvious example is the sharing of data with an online email archive or a payroll company.
You can reduce the risk of liability damages by mapping where the data you’re responsible for lies along the supply chain and what your suppliers/partners are doing with this data.
Protecting yourself essentially means ensuring you’ve undertaken a level of diligence that is appropriate to the risk that supplier presents to you. Data processors can also help by notifying you of a breach immediately and providing you with the support to respond effectively in any situation.
It’s also important to clearly outline what data is being shared, what it can be used for, how long it can be kept and what will happen after the contract ends. This will help you notify the ICO of the compliance steps you’ve taken if the worst-case scenario does occur.
Investing in cybersecurity insurance that includes both first-party and third-party coverage is an extra step you can take to protect against the damages of breaches originating in-house or along the supply chain.
GDPR isn’t just another piece of red tape. It represents a real chance for businesses of all sizes to future-proof their processes, monetize data in an efficient (yet fair) way and build loyal relationships with suppliers, partners and customers.