There’s one date that sticks in the mind of most CIOs and that’s May 25 next year. Less than 13 months away, a momentous European Union regulation, the General Data Protection Regulation (GDPR), will be applicable in the UK, despite Brexit, and it’s poised to redefine data privacy.
This piece of legislation requires corporations to protect the privacy of personal data of all EU citizens. Additionally, GDPR imposes requirements for all data controllers and processors established in the EU, as well as any organisation that targets or markets to EU citizens. If they don’t, firms could face fines of up to €20 million or 4 per cent of global turnover, whichever’s greater. With the annual turnover for some of the world’s biggest tech companies reaching into the billions, this could result in some eye-watering penalties usually reserved for antitrust violations.
“The media is full of stories about how CIOs are full of fear and dread. Yes, it’s a compliance challenge. But it can also be a catalyst for businesses to turn personal data into a valuable asset, improve security and gain competitive advantage,” says Paul Prior, managing director in the performance analytics practice at FTI Consulting, a global business advisory firm.
GDPR will mark a momentous change in the way data is handled. All executives need to understand this law, since responsibility sits squarely on the shoulders of company directors. There will also be greater pressure on corporations to handle effectively any information they capture.
“This legislation requires executive-level buy-in and goes beyond the CIO to the board because implementing GDPR requires funding. This is not a box-ticking exercise. You need to demonstrate compliance, tools, as well as auditable, documented processes and policies for managing data,” says Mr Prior, whose company advises the top ten global financial services firms.
The clock is ticking. Various surveys show companies are in a kaleidoscopic state of preparedness depending on the sector, size and state of their digital maturity. Some have their heads stuck in the sand with little awareness, others are busy putting detailed systems in place.
“There’s an incredible amount of confusion out there. Amid the panic and the rush to do something, one critical element that’s often forgotten is considering the cultural transformation and awareness in how a company manages and deals with personal data,” says Sonia Cheng, head of FTI Consulting’s European information governance practice.
“Some companies are having to wait because the funding isn’t in place until next year. Many executives think because it’s in 2018 that they have a year, but in reality they don’t. Depending on the industry, size and the scale of personal data processing, there is a great deal of planning, awareness and co-ordination beforehand involving a lot of stakeholders to make this happen. It isn’t just a plug-and-play solution.”
FTI Consulting has deep expertise in this area and has worked with a number of firms to help build cross-stakeholder awareness, as well as advise organisations with a tailored pragmatic approach for their GDPR compliance journey.
One of the key themes, recurrent in organisations, that exacerbates the challenges of complying with GDPR is information governance. Many corporations increasingly understand the concept of information governance, but in practice struggle with the cross-stakeholder nature of the problem and how to deal with fragmented information and its accountability.
You need to build a remediation roadmap for GDPR compliance with an action plan that is realistic for your specific industry
“Approaching complex data problems in a pragmatic nature is key. We often advise clients to risk prioritise their remediation efforts and help accelerate the process with our expertise and technology,” explains Ms Cheng.
Yet FTI Consulting sees this new legislation as a significant opportunity to take a radical approach and rethink how businesses manage data throughout its life cycle.
“GDPR has the potential to spark off innovation, since it’s a real accelerator. Yes, it’s forcing the issue and there are costs, but this legislation will help companies manage information more effectively and help clean up legacy or orphan data. There has also been a lot of technological innovation that has long been used in the fields of information governance and e-discovery. This can help address aspects of the regulation,” says Ms Cheng.
“It is a major catalyst for change. The GDPR makes you ask questions such as what kind of data do you have, why do you have it and where does it flow? It will also provide the foundation for other services, including revenue generation and better customer service, as well as dealing with security breaches and preparing for cyber attacks.”
This legislation specifically states that organisations need automatically to report the loss of any personal data within 72 hours. They will also be obliged to respond to requests to erase data when a data subject exercises their “right to be forgotten”. Consumers can withdraw their consent to organisations storing or using personal data. Companies and organisations that process significant amounts of sensitive data will also have to appoint a data protection officer.
Another related aspect to consider is the e-Privacy Directive. This overlays the GDPR with a tighter focus on communications and internet services from which many of the EU cookie laws are derived.
“Changes to the e-Privacy Directive could take reform to the next level. These include changes to rules regarding direct digital marketing, the way location data is processed and the use of cookies. You need to understand how far you’ve got to travel to get your data house in order now. As the requirements are constantly evolving, it’s important to build in flexibility into your approach to help future-proof your compliance efforts,” says Mr Prior.
“It is crucial that privacy and security requirements are addressed holistically. You need to build a remediation roadmap for GDPR compliance with an action plan that is realistic for your specific industry and your corporate appetite for change,” Ms Cheng concludes. “Stay calm, get the facts about your situation and get started.”
Find out more how FTI Consulting can help your organisation understand and prepare for GDPR at www.ftitechnology.com/GDPR