During the weeks and days leading up to the introduction of GDPR, consumers throughout the European Union were flooded with emails from various companies, organisations and social media platforms, which either urged them to take various actions related to their personal data or simply told them what changes in their privacy policies were taking place, assuring them that there was no need to take any action. With the increased territorial scope, tougher penalties for breaching data protection rules, and extended rights to access data and to be forgotten, data subjects under the GDPR seem to be better protected from the personal data perspective.
For entities controlling and processing personal information on computers or in structured manual files (data controllers and data processors), the new regulation meant a lot of additional work and preparation before the launch of GDPR. Now it means stricter procedures and more frequent communication with the persons whose data they use for doing business or providing education or health services. It all sounds like additional projects, money and effort spent on regulatory compliance, but are there any benefits for the institutions affected by GDPR, and can this regulation be treated as an opportunity?
The answer is yes. At least five areas can be identified as benefits of the new, improved data protection regulation within the European Union: better safeguarding of the company’s information capital, technologically neutral rules, a pragmatic approach to personal data processing, an opportunity to detect various irregularities, and potential new business initiatives*.
- Safeguarding information capital – information about customers and consumers, their needs, preferences and behaviours, along with the technology used by businesses, is one of the most valuable assets in the modern economy. It helps businesses to be successful and to differentiate their offer and the ways in which it is presented to the market, and in doing so provides a way to gain a competitive edge. All valuable assets, digital or physical, should be protected, and there is no reason why personal information should not be treated in the same way. The new data protection regulations have drawn the attention of business owners and managers to this and resulted in several related initiatives which will improve general standards of safeguarding the information capital.
- Technologically neutral rules – GDPR does not specify which technology and organisational structures are to be applied by data controllers and processors to protect the personal information of data subjects. This is especially important from the business scale perspective. Smaller companies which collect limited data sets and run much lower risks related to data security will not be forced to use expensive tools to protect personal data. Large enterprises which store and process vast amounts of customer data every day will not be restricted from using the latest technologies and applications. At the same time, the new data protection rules will not be an obstacle to the development of new technology and the application of Artificial Intelligence (AI) in their business flows. Revised data sets will be ready for use with AI and customer data will be better protected, which will benefit both businesses and consumers.
- Pragmatic approach to personal data processing – the new data protection rules refer directly to the risk-based approach. It gives data administrators the necessary space to manage the risks involved in data controlling and processing and allows them to adopt a pragmatic approach to data protection. It means less focus on formal compliance and more attention to the true meaning of data security.
- Opportunity to detect various irregularities – the GDPR launch was a great opportunity to carry out thorough data audits and detect irregularities related to data quality, security of key data and associated business continuity risks. It was a good moment to apply the least privilege principle across an organisation (on a need-to-know basis) and to remove unused data sets or review outdated outsourcing arrangements. All these actions benefit businesses and make them more stable and secure.
- Potential new business initiatives – activities related to GDPR implementation resulted in increased awareness among business owners and managers. Activities related to data quality checks resulted in new initiatives increasing the competitiveness of companies or the efficiency of organisations, which now understand their data better and are equipped to initiate projects reaching far beyond compliance with the new data protection rules.
GDPR is one of many recent regulatory changes affecting the financial services area that have drawn the attention of businesses and other organisations within the EU. Lessons learned during the implementation, as well as the tools and processes created in connection with this massive change, should work to the benefit of both European consumers and service providers, who can treat it not only as a challenge but also as an opportunity to secure, grow and improve their businesses.
*PWC Poland, 5 examples of benefits from introducing GDPR, Warsaw 16/02/2018