The world of personal data is no longer ungoverned. Sweeping legislation has cracked down on how companies handle it. These changes are necessary to safeguard the future of digital privacy; however, businesses small and large are now forced to make major changes they may not be equipped to enact with their current data infrastructure.
Can I become GDPR compliant without having to completely reconfigure my business?
GDPR: The Basics
At a very high level, the General Data Protection Regulation (GDPR) governs whose personal data you may hold, on what legal basis, how it must be stored and protected, and what has to happen in case of a breach. Data subjects, which is to say the persons the data are about, have the right to know exactly what data a company holds about them and what that information is used for.
The GDPR was a long time coming. Its predecessor, the 1995 Data Protection Directive, had been in force for over two decades; the GDPR itself was adopted in April 2016 and became enforceable on May 25, 2018. If you’re interested in the details, see the full text of the GDPR.
If reading pages upon pages of regulation isn’t your idea of a fun casual read, here are some key points:
- it applies to any organization that processes the personal data of people in the EU, whether by offering them goods or services or by monitoring their behaviour, not just to companies based in member states;
- where consent is the lawful basis for processing, it must be freely given, specific, informed and unambiguous (an affirmative opt-in, not a pre-ticked box), and explicit consent is required for special categories of data such as health, biometric or political data;
- if requested, an organization must provide the subject with a copy of their data at no cost, generally within one month, and in a structured, commonly used, machine-readable format where the right to data portability applies;
- any data breach that could result in a risk to the rights and freedoms of individuals must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, and the affected individuals must be notified without undue delay where that risk is high;
- subjects have the right to erasure (the “right to be forgotten”) where, for example, they withdraw their consent, the data are no longer necessary for the purpose they were collected for, or the processing was unlawful, to name a few conditions.
Regardless of how a company feels about these regulations, complying with them presents practical difficulties. A staggering 60% of businesses in 2018 said they weren’t ready for the GDPR.
Yet organizations that have invested in privacy report benefits that go well beyond avoiding fines, including:
- reducing sales delays;
- enabling innovation;
- mitigating security losses;
- building trust;
- making their company more attractive; and
- achieving operational efficiency.
In an era of data breaches like those at Marriott International and Microsoft, shady dealings at Cambridge Analytica, and the sale of Zoom customer data on the dark web, regulations governing the security of personal information seem like a giant leap in the right direction (albeit one that’s catching up instead of blazing a trail). That said, as a business owner suddenly faced with major changes to your digital infrastructure, every article and clause in the GDPR can seem like another coin out of your pocket.
Changes in technological best practices can feel like the rug being yanked out from under your feet. But whether it’s establishing an online presence in the early 90s or deciding to wire your building for electricity decades prior, having the agility to evolve with these changes has always been good business.
Even without considering the enormous potential fines associated with not becoming GDPR-compliant, the greatest threat to your business could be keeping your head in the sand.
The perceived costs of complying with the GDPR may look high, but non-compliance is likely costing more than most companies realize, and the return on improved security is substantial. The regulation allows fines of up to €20M or 4% of worldwide annual turnover, whichever is higher. To date, a total of 550 GDPR fines have been issued, adding up to almost $340M (USD). The largest so far is the €50M (roughly $60M) fine that France’s data protection authority, the CNIL, imposed on Google LLC in January 2019.
During an Enterprise Data Governance Online webinar, Castlebridge CEO and Managing Director Daragh O Brien said, “all the things GDPR asks you to do are simply good information management practices ... they simply require you to stop, think, and implement appropriate means of governance.”
O Brien also notes that there is a missed opportunity cost in not getting your data in order, citing Cisco findings that organizations with up-to-date privacy practices reduce privacy-related delays in the sales cycle nearly five-fold. A Cisco report shows that the average organization saw a twofold return on its privacy spending in 2020.
“Countless studies have found that the cost of poor-quality data in the average organization ranges between 10% and 30% of turnover as information needs to be checked, rechecked, and corrected before it can be used.” - Daragh O Brien
Privacy In Public
With the Cambridge Analytica scandal as only one of the decade’s major headlines regarding digital ethics, issues of data privacy and security have been thrust into the media spotlight. Never before has the public been more acutely sensitive to how their data is handled and who handles it.
From within your organization, the transparency that comes with GDPR compliance means a boost in confidence in your own data. From an outside perspective, a heightened focus on data security means a boost in customer confidence in your company. It’s no longer an added bonus for your buyers – it’s an expectation.
Managing data safely and responsibly is a necessary step for every business. It consumes time and money up front, but it yields significant returns in revenue, security, and consumer trust.
Clinging to improper data management practices is like living in a messy house: nothing's where it's supposed to be, things get lost, and nobody wants to come over.
What Does it All Mean?
Love them or hate them, regulations like the GDPR are necessary. Complying with them requires security measures and standardization, but once those are established, companies will start to see the immediate benefit that standard data governance provides. It is an eat-or-be-eaten moment for most organizations, and the ones that can effectively manage their data will set themselves apart from the pack. Ultimately, data is a resource, and as with any resource, finding ways to unlock its potential drives a lot of value.
Rather than repeat the tired ‘data is the new oil’ maxim, let’s say data is nuclear.
Ungoverned or in the wrong hands, it can be incredibly dangerous. In the right hands, and even with good intentions, it can still be easily mismanaged. But careful regulation paired with responsible handling and processes means that those who are doing things correctly can generate incredible power.
Businesses that can't adapt to the GDPR, or similar regulations being ratified in other jurisdictions, are going to be left in the dust.
IAPP says you need “a technology to integrate full content of all data sets, structured and unstructured, establish relationships between the data sets, annotate it with metadata and make it instantaneously searchable.”
As Forbes puts it, “problems of this scale require technical solutions that can still be capably wielded by individuals for use every day...validating changes, monitoring configurations and remediating any errors or unplanned shifts swiftly.”
In summary, you need data that’s readable, reliable, stored securely, and searchable from a single place. You need to monitor, update, and track changes to the data, and to control who can access it. If requested, you need to quickly and economically produce, correct, or delete any data you hold on a subject.
It's not easy to come up with a data management solution that ticks all these boxes – we know because we've done it.
For companies running on legacy software, these requirements can seem prohibitively difficult to stomach, but even modern businesses are facing big hurdles. Most are not equipped (nor eager) to create an in-house system that can modify, standardize, and transport their data on the fly. Forget developing robust role-based access controls for data sharing; companies are still emailing Excel files from one floor to the next. This isn't just inefficient, it's dangerous: every attachment is an uncontrolled copy that sits in mailboxes and downloads folders outside any access control, so it can’t be inventoried, audited, or reliably deleted when a subject asks to be forgotten.
If data will be integral to a company's continued success, finding a solution to these outdated ways of doing business is a real and present concern. Unless agile data management has been a core function of your organization, you'll need a solution that meshes with your existing framework.
As a company, we are proud to work with organizations that know data management is key to their success. By listening to their needs and observing the changing best practices for business, we have developed a platform to support heightened data security while simultaneously enhancing visibility, usability, and shareability.
Data security and data compliance require a solution that’s flexible enough to fit into any workflow, yet rigid enough to allow organizations to conform to the growing number of data privacy regulations. Ultimately, it's been our mission to do all the not-so-fun things involved with data so that businesses can look at data like an asset instead of a liability.
We’re committed to data security (and have a SOC 2 attestation to show for it); we’re equally committed to making data privacy easier for our clients and users. The Namara Data Catalog is a big step towards satisfying the GDPR. The daunting aspects of data governance and regulatory compliance are handled by a single platform for access, distribution, and management. For more information on our Data Catalog, download the white paper here.
Here are a few results you can expect from the implementation of a data governance strategy:
- increased public and consumer trust as a result of transparency and security;
- higher standards that lead to better and more effective data practices;
- significant return on investment in data security; and
- a better foundation on which companies can develop the open data landscape.
Even if you sit outside the scope of the GDPR, CCPA, or other regulations, could it really be that long until similar policies impact businesses everywhere? As the benefits of the GDPR start to unfold, and citizen demand for mandated data privacy increases, the number of regulations will grow, without a doubt.
How big of a competitive advantage is it to say you’re ahead of the game when it comes to data protection? How many new opportunities will arise while the competition is catching up? For every forward-thinking business, solving for data now means getting ahead of tomorrow's problem.