Leveraging GDPR to Become a Trusted Data Steward
Article Synopsis :
Data-driven transformation is hitting a previously hidden obstacle: a growing fear of data misuse. The EUs response to these concerns is embodied in the new General Data Protection Regulation (GDPR), which went into effect on May 25th, 2018.
GDPR applies not just to EU companies, but to every organization handling data on EU citizens.
This paper from BCG and DLA Piper outlines key aspects of the new GDPR and suggests proactive approaches to increasing consumer trust around data handling policies and capabilities as a means of brand differentiation.
One of the key challenges with respect to data privacy is that consumer attitudes vary depending on the type of data at issue. What is considered sensitive in one nation isn’t considered sensitive in another. But general mistrust seems pervasive as BCG research shows that between 48% and 62% of consumers don’t believe companies are honest about how they use consumers’ data; and only 14% to 25% of consumers actively trust companies to do the right thing with their personal data.
The new GDPR, which replaces the current EU Data Protection Directive enacted in 1995, applies directly to every EU member state, eliminating the current tangle of data protection laws. Though the GDPR retains key aspects of the ’95 Directive, it also brings key changes, summarized as follows:
Harmonization: With a few exceptions, a single set of rules on data protection will be directly attributable to all EU member states, ending the fragmentation of national data protection laws.
Stronger Enforcement: Non-compliance could lead to heavier sanctions under the new regulation. Under GDPR, regulators are authorized to levy sanctions of up to 4% of a company’s annual worldwide revenue up to €20 million.
Extraterritoriality: The GDPR’s scope is broader, applying to EU companies and non-EU companies targeting EU citizens and markets.
Governance: The GDPR replaces notification of data processing activities with a more general obligation requiring data controllers to keep extensive internal records of their data protection activities. Larger firms must appoint a Data Protection Officer (DPO).
Unambiguous Consent: The GDPR requires the adoption of a more active consent-based model to support lawful processing of personal data. Furthermore, the GDPR refines the definition of ‘consent.’ Consent should be freely given, specific, informed, and unambiguous.
Transparency: Companies will have increased transparency obligations and, with a few exceptions for mainly smaller companies, should maintain a record of processing activities for which they are responsible.
Data Breaches: Under the GDPR, organizations must notify the local Data Protection Authority (DPA), and, in some cases, data subjects of significant data breaches.
Data Portability: Companies must ensure that personal data is readily identifiable and extractable so that data subjects can easily transfer their data files to a new service provider.
Right to Be Forgotten: Data subjects can require a controller to delete data files relating to them if there are no legitimate grounds for retaining those files.
Data Processors: Organizations that process data on behalf of other companies (i.e., ‘data processors’) must comply with a number of specific data protection obligations, subject to sanctions for failing to meet these criteria.
Data Protection Impact Assessment: Organizations must conduct a Data Protection Impact Assessment (DPIA) before processing personal data for operations likely to present higher privacy risks.
One-Stop Shop: The GDPR offers the possibility that an organization may nominate a single national data protection authority as the lead regulator for all compliance issues in the EU, in instances where the organization has multiple points of presence across the EU.
Privacy by Design, and Privacy by Default: The GDPR introduces the concepts of ‘privacy by design’ and ‘privacy by default.’ ‘Privacy by design’ means taking privacy risk into account throughout the process of designing a new product or service, rather than treating it as an afterthought. ‘Privacy by default’ means establishing mechanisms within the organization to ensure that, by default, only as much personal data as needed is collected, used, and retained for each task, and only for as long as needed.
The Route to GDPR Compliance
Companies can opt for different levels of complexity to ensure GDPR compliance, depending on size, data handled, and company aspirations. But some common steps exist:
- Review the GDPR and assess its applicability to your company.
- Conduct an assessment of the current state of personal data.
- Conduct a gap analysis and prepare a list of readiness actions.
- Develop the elements necessary for compliance.
- Implement the remediation plan, and prepare for privacy-by-design and privacy-by-default.
Moving from Compliance to Data Stewardship
Attaining the status of trusted data steward is not a herculean task. For this to happen, data strategies must embrace the following internal and external best practices.
Internal Best Practices:
- Ensure engagement by senior executives
- Establish company-wide data policies, and make business owners responsible for enforcing them
- Create robust protocols for data access and use
- Leverage tools for monitoring data quality and data usage
External Best Practices:
- Be on time for GDPR compliance (and let it be known that you are)
- Be more transparent and proactive in your data-related communications
- Go public with your key data use principles
- Measure and publish metrics about customer trust
Link to Full Article:: click here
Digital Insurer's CommentsAn interesting statistic contained in this report is that consumers are five times as likely to share data with a company they trust as with a company they do not trust.
Data is indeed currency in the digital age. The misuse of consumer data is costly in the short-term with heavy remediation expenses and fines. But it’s even more costly in the long-term as new regimes such as GDPR empower consumers to withhold data from untrusted sources. And it’s difficult if not impossible to monetize data you don’t have.
Link to Source:: click here