In the last few years we have heard much about the power of big data, which is allowing brands and organisations to offer more tailored, targeted and personalised products and services than ever before. The benefits of this to the consumer may be obvious, but raise many ethical questions, and not just when personal data is in the hands of unscrupulous businesses.
It’s been clear for some time that data laws need to change and will be changing – but quite often the terms in which this is discussed are vague, sensationalist or highly technical. We’ve created a simple guide for those who want to know more about what the new regulation is, and what its impact is likely to be.
What is GDPR?
On 25 May 2018, the General Data Protection Regulation (GDPR) will be enforced across Europe, including the UK. The law aims to give citizens more control over their data and to create a uniformity of rules to enforce across the continent.
Why should businesses care about GDPR?
Although this law comes from the EU, it will have a global impact. It will affect any business holding personal data on customers, prospects or employees based within the EU, and such businesses need to be preparing for the change now. If businesses ignore this law, they can be fined up to €20m or 4% of their global annual turnover.
Giant fines aside, it’s worth remembering that data protection is more than a compliance issue. Customers care about their privacy and expect businesses to respect that. It’s good business sense to demonstrate that you ‘get’ this cultural aspect, as well as the financial one.
What are the new rules?
The rules are very complex, but our advice is not to be overwhelmed by them or to see the GDPR as your enemy. If you build the rules into your organisational culture rather than being tyrannised by them then they will help you manage data more effectively, internally and externally.
The rules can be seen as following six themes:
- Know what you have, and why you have it
- Manage data in a structured way
- Know who is responsible for it
- Encrypt what you wouldn’t want to be disclosed
- Design a security aware culture
- Be prepared – expect the best but prepare for the worst
What is the impact on businesses?
The impact for businesses will undoubtedly be huge. The new rules will require businesses large and small across the globe to transform their policies, structure and personnel to ensure compliance and adherence. Data protection and security have to be built into the fabric of organisations rather than farmed out or siloed. So while your security and compliance people should be very concerned with getting the detail right, every other colleague should care about and be aware of the principles, at every level and in every discipline.
However, as noted above, if businesses and organisations see this as an opportunity to present themselves to their customers and target audiences as more responsible and empathetic on the topic of data, this cannot be a bad thing. This will be particularly true if it enables stronger relationship building, because it potentially offers the basis for more equality and trust between businesses and their customers.
What does it mean for the consumer?
While many consumers may not be aware of the change, many will begin to notice some differences in how businesses and organisations communicate with them. Privacy notices will be more transparent, consumer rights will be upheld and publicised, and news about data breaches will travel faster and be harder to cover up. It may seem to some consumers that data is less secure after the change simply because the volume of news on it will increase. While they may be concerned about this, they will also be reassured by the sizeable fines for unscrupulous and sloppy data management.