EU ORGANISATIONS have spent an enormous amount of time, money and resources to try and achieve GDPR (General Data Protection Regulation) compliance. However, it is clear that preparing to meet the regulation was not a one-off project, and that remaining compliant in 2019 and beyond requires continued investment.
The investment is likely to be substantial. A November 2017 report by Sia Partners indicates that it is likely to be approximately S$27 million on average for a FTSE100 firm. Organisations in the UK have woken up to the fact that to achieve continued compliance they must adopt a new way of life; after all, the risks of failing to be compliant are substantial.
The BA data breach of 21 August to 5 September 2018 raised immediate speculation about likely future fines.
Now we have seen the tech giant Google hit with a record fine for breaching GDPR. The approximately S$78.5 million fine issued by French regulator CNIL was triggered by complaints relating to how Google handled people’s data. CNIL said it had levied the fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”
Although GDPR is an EU initiative, this does not mean organisations based outside the EU are not affected. GDPR will apply to any organisation established outside of the EU, so long as the organisation offers goods or services to individuals in the EU, or monitors their behaviour within the EU. This includes any organisation processing and holding personal data of individuals residing in the EU, regardless of the organisation’s location.
The Long Reach
This means, for example, businesses in Singapore or elsewhere in Asia that sell products or services online to residents of EU countries are subject to the conditions of the GDPR, which include certain rights of individuals and responsibilities of the organisation.
Penalties for breaches of the GDPR provisions are not imposed by the authorities in Singapore or other Asian countries, but by the EU itself. Administrative fines of as much as 20 million EUR or 4% of worldwide annual turnover for the preceding financial year (whichever is higher) may be levied.
Businesses clearly need to understand and comply with the provisions of GDPR, but it must be recognised that the underlying objective of the regulations is to protect European consumers from abuse of their personal data. The average consumer in Singapore or other non-European countries does not benefit from GDPR protection, but as GDPR is seen as a gold standard for data protection, we may well see demands for similar standards to be applied here.
Up to now, the focus when it came to GDPR was very much on likely penalties: stick rather than carrot. That is changing fast, with many organisations now seeing GDPR as more of an opportunity than a threat and hoping that the investment could benefit their business in a variety of ways.
ASG’s view is that businesses must continue to assess their GDPR strategy, paying particular attention to the following five key areas. Efforts made by organisations to follow these recommendations will not only ensure they comply with GDPR provisions and remain able to engage with European customers, but will greatly assist with the necessary process of digital transformation. Compliance with GDPR will avoid the “stick” of penalties and also serve as attractive longer-term “carrots.”
1. Data Governance And Privacy
Businesses are still learning to extend their data governance processes to GDPR and to implement the internal processes it requires. This typically involves a number of tasks: understanding the regulation, making organisational changes such as appointing a Data Protection Officer, modifying business practices and, above all, knowing where personal data is stored, who is using it, how, and for what purposes.
Data discovery and understanding, the core ingredient of data governance, is a Herculean task. Manual discovery carries a greater risk of human error and takes huge effort and time, so it is vital that organisations put the right processes in place and adopt out-of-the-box solutions for data discovery and understanding.
2. Automation Technology
Investment in automation technology is needed to enable businesses to manage costs, improve quality and consistency, and react quickly to opportunities, threats and challenges. The growing volume, variety and fast-moving nature of data means that nobody is going to be able to keep track of it and govern it without automated processes. Knowing exactly where data comes from, how and why it is used and where it goes requires businesses to deploy technology that automates the understanding of data, identifies changes and notifies data governance teams as needed.
In addition, artificial intelligence and machine learning provide capabilities that will help organisations use the growing volume of data more effectively, while also identifying and reducing compliance risk. Try as they might, organisations just won’t be able to achieve the same results with spreadsheets and word-processing documents.
3. Quality Over Quantity
The process of identifying and culling data, undertaken initially to achieve GDPR compliance, should become an ongoing task, as the quality of data and the ability to protect it are far more important than the quantity of that data. Organisations need to identify which data is working for them and which is working against them, and reduce the amount of data they hold accordingly. The remaining data is then likely to be more valuable and of more use to the business, while the risk from unused data is eliminated.
4. Data Lineage
To get the most from GDPR compliance, businesses should look to get a better grasp of data lineage and what it means to their business. True data lineage is a complete understanding of the data, its transformational nature, its associations and its lifecycle across the data estate and over time. While some talk about data lineage as though it were no more than knowing how data moves from “A” to “B”, true data lineage includes application, business and technical perspectives. It covers data transformation, not just movement, and associates data with business meaning and processes. It is the critical knowledge base that data governance and regulatory compliance rely on.
5. Deriving Added Value
In 2019, organisations should remind themselves of the added value GDPR compliance brings with it and look at how they can use this to their advantage.
Businesses should look at the bigger picture and focus on the trust that comes from well-governed data so that they can build confidence in its use while also mitigating risk.
This includes the potential to reduce direct costs, create efficient audit processes, manage and track the information supply chain and use insights from data to drive business decisions.
With the help of technology, businesses can create robust processes which ensure long-term GDPR compliance. A more complete and valuable understanding of data can be achieved and maintained with the help of automation. Although there is an initial investment in this technology, businesses must look at the bigger picture and the return on investment from saving both time and resources and reducing what can be costly errors. While compliance is required by law, organisations must begin to view it as an opportunity to improve their data governance processes rather than as a burden.
Kaushik Bagchi is Vice President Information Management Asia Pacific, ASG Technologies.