After years of discussion, anticipation and speculation, the General Data Protection Regulation (GDPR) is finally a compliance reality for businesses that deal with the personal data of the more than 511 million European Union citizens around the world. The GDPR created stringent new personal data protection rights and rules governing how businesses and organizations collect, use, store and share the personal information of EU citizens. In other words, data privacy is now a human right in the eyes of the EU. The new rules apply no matter where in the world the company handling the data is located.
For organizations in the United States, it creates a broad new responsibility for how all personal data is managed. We’re still in a GDPR learning curve, but the consequences for breaking the rules will be severe, ranging from warnings to massive fines. Most companies have yet to appreciate the full impact of GDPR since it took effect in May. Even by the end of 2018, more than half of all companies impacted by GDPR still won’t be in compliance, according to analyst firm Gartner.
Thinking about GDPR only as a punitive challenge, however, is a mistake. In reality, it’s a tremendous opportunity for organizations to gain a competitive advantage by building more trusted customer relationships. No matter where your company is on the path toward GDPR compliance, there are some common steps to consider.
Start with leadership awareness and education
By now, business leaders who are ultimately responsible for GDPR compliance should at least understand the basics of the new regulations. And it’s not just the C-suite that needs to be in the know to help assess risk. Because personal data is part and parcel of many aspects of modern business, the heads of all business units – IT, legal, HR, corporate communications, procurement and more – have a role to play.
Take stock of the personal data landscape
As businesses increasingly go digital, personal data plays an increasingly critical role. Having a clear view of what the data is, where it lives, what it’s being used for, and for how long, covers just a few of the many considerations that must be addressed in order to comply with the GDPR. Merely having an inventory of data probably won’t be enough. And remember, we’re talking about all personal data – mostly digital, but paper documents and other so-called protected data sources are covered, too.
Implement smarter data processes and procedures
It goes without saying that getting right with the law is always in the best interest of a successful company. To really make this work, awareness and understanding are not enough. Implementing a solid data governance policy is the only way to ensure total transparency.
Once you understand your personal data landscape, it’s time to implement better processes to keep it safe and legal, through technologies like master data management and proper data warehousing, and through a plan for what to do in the event of a security breach or other issue.
Need help? It’s OK to ask
GDPR is just the beginning of a new era of tougher consumer data privacy rules and regulations globally. More will come from other regions and countries that share the EU’s view, if not a stronger one. This journey of personal data awareness, discovery and governance is in many ways just getting started.
Remember, this trend is a good thing for consumers and your business, if you can show them you’ve taken the proper steps to treat their personal data with the importance and respect they deserve and will soon come to expect. Of course, the additional complexity and burden this places on individual companies does not have to be shouldered alone.
There are many companies, such as Avanade, that can offer a helping hand in the process, providing the knowledge and understanding needed to help you adopt best practices in data protection and management for a better, more successful future.