Pragasen Morgan, UK Privacy Leader, and Noriswadi Ismail, UK GDPR Lead, EY.
1. The deadline has passed and it wasn’t as bad as many thought
In some ways at least, the hard work is over. The much talked about and often feared deadline of 25 May 2018 has now passed. The fact that it did so largely without incident is down to the significant efforts put in by management and technology teams over the preceding months.
While a pat on the back may be well deserved, there is certainly no room for complacency. The regulatory picture is still evolving: for the past 12 months, businesses and data protection authorities have been in dialogue over technical guidance on GDPR, and that dialogue is expected to continue. As a result, new responses may be needed.
It’s not only the regulation that is changing; your business may be too. Any M&A activity, business model changes, deployment of disruptive technologies such as blockchain, artificial intelligence and robotic process automation, or even new suppliers being onboarded, will need to be put under a GDPR lens to ensure continued compliance. Essentially, meeting the EU’s new standards for data privacy is not something you can do once and forget about; it needs constant attention to make sure your processes are working now and remain so as your business changes.
Stress testing is key. It is perfectly possible for a process to look watertight on paper, but have you run it under real conditions? Only by exercising it with real data, such as a genuine subject access or erasure request followed end to end, can you find out whether it delivers the level of compliance you need (bearing in mind that the data used in such a test is still personal data and must be handled with the same care as in production). It’s also vital that companies, having concentrated in the rush to meet the deadline on putting the major building blocks in place, now extend their focus to areas which have so far received less attention, such as the further reaches of their supply chains.
2. Now you’ve met the challenge, it’s time to unlock the opportunity
With the short-term demands of deadline day met, there is now time to take a breath and look at GDPR in a new, strategic light.
The opportunity can be summed up in one word – trust. Personal data is increasingly important to businesses, so the companies that consumers feel most able to trust with that data will have a competitive edge. Looking ahead, as technology continues to become a more and more integral part of everyday life at work and home, the value of that trust is only likely to grow. Successful companies will seize that opportunity with strong compliance systems that protect against the financial and reputational damage of regulatory breaches.
By being seen to comply not only with the letter but also with the spirit of GDPR, companies have an opportunity to differentiate themselves in the digital age. This can be achieved by clearly communicating that commitment to customers, providing greater transparency about customers’ rights, and offering simple, easy-to-use interfaces through which consumers can manage consent, data portability and erasure for themselves.
3. Don’t worry about divergence, get set for standardisation
As the regulation applies no matter where in the world the personal data of individuals in the EU is processed, many organisations are concerned about compliance risks when transacting with non-EU third parties. Typically, these third parties may hold or process personal data concerning EU staff and customers, yet are not required by their own jurisdictions to meet EU standards.
While this is undoubtedly a problem that needs addressing through revising contracts, audits of supply chains and validation of controls, in the longer term it may result in positive change. Given the size and reach of EU companies, Europe’s value as a market and global consumer concerns about data privacy, non-EU regulations may move towards the new standards, creating greater harmonisation and less friction.
Similarly, concerns over Brexit may be overplayed. As it currently stands, because the UK has triggered Article 50 and will no longer be part of the EU on 30 March 2019, it will become a ‘third country’, potentially impacting personal data exports from the EU to the UK.
However, there are considerable grounds for the UK to receive an ‘adequacy decision’ from the European Commission. Such a decision would not change the UK’s formal status as a ‘third country’, but it would allow personal data to flow from the EU to the UK without any additional safeguards, which in practice removes the barrier.
Yet even if this is not forthcoming, ‘third country’ status should not present any insurmountable barriers to continued international data flows: the same transfer mechanisms that companies already use for other third countries, such as standard contractual clauses and binding corporate rules, would apply to the UK. Thanks to the dynamism and leadership of the Information Commissioner’s Office in upholding information rights and the adjustments already made by companies to ensure GDPR compliance, any additional burden should be relatively small.
So, in summary, while some GDPR compliance challenges persist, organisations can now shift their focus towards the opportunities.