While some are already looking towards GDPR as an opportunity, some see the regulation as a hindrance or an obstacle to overcome, and the remainder of businesses are still unaware of the pending rules. Here, Sarah Williamson, Partner at Boyes Turner and a speaker and author on data protection and security issues, discusses with Lawyer Monthly the prospects of GDPR being an opportunity to seize.
The dawn of the new GDPR data regime is only ten short months away – and there is little doubt it has huge implications for the way organisations capture, handle and retain data about individuals. But aside from processes, companies also need to prepare for the impact that the regulation will have on the power balance between marketers and consumers.
In a change that could be bigger than the effect of market disruptions like the “TripAdvisor effect” on the leisure and hospitality sector, consumers will soon have much more power to drive business to or away from an organisation depending upon how they deal with their data.
In the TripAdvisor scenario, those hotels and travel companies that embraced the reviews system, that responded to the comments and that, most importantly, made changes are the ones that have succeeded. The same will apply for GDPR – the organisations that embrace the principles of accountability and transparency will thrive, and those that do not will struggle.
Many businesses have already approached GDPR as an opportunity to transform the way they handle data – ushering in a healthier relationship between businesses, their customers, and the data that brings them together. This is one of the messages that comes across loud and clear from senior in-house counsel in a number of large companies in our “GDPR: Getting ready for data’s new dawn” paper, published on 16th July.
Even where the opportunity is seen and seized, there are many challenges and actions for the legal team. Every department in the business needs to be up to speed – if it is just, say, the super-engaged marketing team, you may have a large exposed flank somewhere else in the business. Contracts with suppliers and partners are being rewritten to take the GDPR into account. Being behind the curve or just “ticking the boxes” could see you lose out to a competitor who has grasped the potential for the new regulation to build more lasting and trusting relationships with consumers who have an inherent distrust of the way their data is stored and used.
This is the nub of the matter. The new regulation comes at a time when consumers are already distrustful and concerned about the way in which data about them is held, handled and aggregated. Consumers – as they did through the likes of TripAdvisor and Amazon reviews – are increasingly keen to seize back control of their interactions with those that they do business with. Data is set to become yet another battleground in this quest for consumer control. The ICO is also expected to launch a major PR offensive in early 2018 alerting consumers to their new rights as “data subjects”. They will undoubtedly be supported by a number of consumer rights charities launching their own public awareness campaigns. In the face of this information onslaught to your customers, you need to be ready to respond to enquiries and formal requests in a way that builds trust and, conversely, to ensure that distrust doesn’t lead to a haemorrhaging of usable data from your business.
While panic is understandable given the importance of GDPR, it is not the appropriate response. Nor is burying your head in the sand or putting GDPR in the “too difficult to handle right now” box. Instead, GDPR calls for cool heads and a calm and methodical audit approach. What data do you hold? What do you do with it? Where does it go? Who does it relate to? Do people know what to do if the data your organisation holds is at risk?
If your business is not yet ready for GDPR, there is still no need to panic. There is time to ensure everyone is asking and answering these questions. A GDPR compliance programme requires a joined-up approach across all parts of the business to identify gaps in readiness, but also to build in a privacy by design and default culture. The legal department can play a major role – as it has in the likes of Aviva and Sky – in co-ordinating this approach across the business.
Doing it right will ensure you have a healthier approach to data. Instead of being disrupted by investigations, sanctions and reorganisations caused by repeated breaches of the new rules, your organisation will be able to focus on building on excellent customer relationships to achieve growth goals and business objectives. GDPR is here and it is here to stay. Forward-looking, not firefighting, is the way to approach GDPR – as so many of the companies we spoke to have already found to their benefit and competitive advantage.