Tick the box on GDPR or go above and beyond?

Unsolicited use of personal data can cause great reputational damage. Some companies discover this the hard way. On top of that, new laws on data protection came into effect in May. How should a responsible company act?

By now, many organizations that store and use personal data have taken the necessary steps to ensure compliance with the EU’s General Data Protection Regulation (GDPR), for example by updating their privacy statements and implementing solid internal processes. Other companies are on their way to GDPR compliance, while others haven’t yet started. In recent research by software company Talend, only 35 percent of all companies in the EU responded to data requests as prescribed in the new regulation. Frequently heard arguments for not initiating GDPR projects are a lack of resources and a willingness to take the calculated risk of being fined at some point. This is understandable, as the authorities cannot audit everyone at once. Nevertheless, a risk is still a risk.

Misuse of personal data

The extensive use of personal data by big tech companies has certainly fuelled the backlash they now experience in the media and in the political arena. One example is the public outrage that followed the shameless manipulation by Cambridge Analytica of large demographic groups using the personal data of Facebook users. It has become clear that, left unrestricted by law, misuse of personal data can have a destabilizing effect on societies. For this reason, a deeper appreciation of data protection and privacy as a human right has taken root in civil society and businesses alike.

GDPR compliance is not a one-time effort. When you start your GDPR journey as a company, you first have to get an overview of the data you have. Perhaps this will bring about the realization that you don’t need all this data. Often, there is a lot of obsolete and outdated data in different places that needs structuring and cleaning up. One of the basic principles of GDPR is to prevent storing excessive amounts of personal data. For example, why store a home address when you only need an e-mail address or telephone number? Store only what you need.

Many companies are aware of the necessity to be transparent about their data use towards the very people from whom they collect it. But it’s just as important to create a culture around data privacy and protection within your own organization. Make sure that everybody understands the ‘why’ of it – it’s about the freedom and rights of people – and check this regularly using the processes that you have set up. Everybody is responsible, beginning with the CEO but certainly not ending there.

Commercial value?

Does GDPR compliance have commercial value? Definitely. It’s in your best interest if your customers believe you are doing the ‘right thing’ by respecting their rights. After all, you can only build a sustainable enterprise on trust. Solid processes regarding the use of data also result in better-quality data, which gives you a better overview of who your customers are. An obvious example is having the right contact information. In addition, knowing where to find the data you are looking for can dramatically improve the efficiency of company processes.

There is commercial value in implementing and maintaining clear processes around GDPR. And there is also value in the trust you build with your customers. There is a risk if you don’t: being fined by the supervisory authorities and/or suffering bad PR following a data breach. You have to balance these costs against the costs of doing things right. Do the math and the answer becomes clear very quickly.

Author: Patrick Tahiri, Security Compliance Manager.

Patrick Tahiri has a background in IT operations and technology management. His key competences and areas of responsibility are the security of PCI environments, ISO 27001 audits, implementing information security procedures and GDPR consulting.