GDPR: Moving Beyond Compliance

While organisations were required to put processes in place a year and a half ago to comply with GDPR, their work to ensure data privacy is far from over.

Rather, privacy continues to be the most important aspect of data management as consumer concerns about the security of their personal information grow. Although GDPR was introduced to protect consumers’ privacy and safeguard their data, it also seems to have increased awareness of the misuse of data. Consequently, people have begun to realise the importance and value of their personal data and, as a result, are demanding greater control and becoming increasingly unwilling to give up their information. In the first nine months of GDPR, regulatory bodies issued fines totalling €56 million for breaches; however, failing to comply with GDPR could also cost these organisations the trust of their customers. Therefore, businesses must continue to enhance their processes and policies to sustain a stringent data privacy programme and ensure the proper protections and safeguards are in place. Here are two key ways businesses are driving continuous improvement around the issue of privacy:

Establishing new positions

There is a growing complexity concerning who should have access to personal information, how it can be used, and whether data should be used for anything other than its initial purpose, even if it is for the benefit of the consumer. Consequently, businesses must take a clear view on these issues to maintain trust with their consumers. Yet, while the subject of privacy is a board-level and senior management risk issue, barely half of organisations have adequate controls in place. To change that, it is vital that the message of data privacy, the support for controls throughout an enterprise, and the company’s stance on the ethical use of data come from the top.

As organisations begin to look beyond compliance to drive competitiveness through the governance of personal information, the issues of trust and ethics become more crucial to the success of the business. Personal information is increasingly being seen as a critical asset, much like money. Organisations, like InterSystems, are appointing senior people to lead the governance and ethics roles, appointing either a Data Protection Officer, a Trust and Ethics Officer, or a Chief Ethics Officer to ensure compliance and trust are maintained. The creation of these roles sends a strong message that trust, and by extension privacy, security, and ethics, are at the forefront of the culture of an organisation. But more than that, this approach moves the discussion on from businesses purely being interested in being compliant, to focusing more on operating ethically and doing the right thing.

Making everyone accountable

While more organisations move to develop a senior leadership approach to data privacy, in the year and a half since GDPR, a growing number of businesses are trying to put data privacy on the radar of their entire employee base. In these organisations, it is becoming everyone’s mission to have an understanding of provenance and the use of information, with everyone taking accountability for how the organisation collects, uses, and shares personal information. The idea of accountability is that “we say what we do and we do what we say” and, importantly, “we stand by doing what we do.”

This culture of accountability is something that is also being extended to how organisations talk to their customers about data privacy. Increasingly, businesses are being open and inclusive, telling customers what they are doing with personal information and how they are protecting it. In doing so, they recognise the need to close the gap in terms of the expectations, responsibilities, and actions relevant to privacy protections and information ethics. With big data breaches, such as recent ones that exposed the data of almost 400 million people, it is no wonder that the general public is becoming wary about parting with their personal information. That said, it may be possible to overcome the distrust these occurrences tend to inspire by taking an open and honest approach to talking to customers about how their personal information is used, stored, and shared. The issue of trust is something that organisations have been coming back to time and again since the introduction of GDPR, and it is echoed by leaders like Shell CEO Ben van Beurden, who believes that transparency and ethical behaviour are integral to gaining public trust.

With the groundwork for data privacy already laid, thanks to the need to be GDPR compliant, businesses must now look at how they can build on this to preserve customer trust. Ultimately, maintaining data privacy is an ongoing battle, and organisations must take action to move beyond mere compliance towards trust and ethics. By putting the right processes, people and culture in place, businesses will be better placed to maintain an effective data privacy programme in which trust and ethics drive decisions on the processing of personal information.

About the Author

Ken Mortensen, Data Protection Officer, InterSystems. Strategic engineering and legal leader with a breadth of successful experience in Chief Privacy/Security Officer and General Counsel roles, implementing knowledge governance strategies that address operational and risk management based architectures incorporating privacy protections, security safeguards, and knowledge frameworks.