The world is dominated by the internet revolution, digital disruption, cross border transactions and consumerization today. Information and data exchange is rapid and occurring real time. Consequentially, the security concerns traversing through boundaries are bringing data protection and privacy issues, breaches and leakage of confidential information into the spotlight.
Global markets have been abuzz with reports and news stemming from data security, protection and privacy. For individuals and businesses alike, the sanctity of data in any form has gained prominence and Governments across the globe are taking rapid strides to strengthen regulations and enhance governance. EU’s upcoming General Data Protection Regulation (GDPR), with its purview across regions and jurisdictions, is expected to bring several changes in how businesses deal with the personal data of EU citizens. The regulation replaces the EU Data Protection Directive and aims to bring regulatory consistency across the region. Effective from 25 May 2018, GDPR will make every entity accountable and responsible for EU citizens’ Personally Identifiable Information by offering increased protection and giving them the right to manage and control their personal information.
A burden or an opportunity?
Organizations can either look at GDPR as a burden or an opportunity to build stronger compliance mechanisms for better data governance. While many EU corporations are still grappling with the changes required; organizations in other regions such as Asia, Africa and US holding EU data also need to understand the regulation to be compliant. News reports show many new age, data-driven corporations are recognizing the costs attached with compliance – technology and system upgrades, revamping consumer policies, hiring staff and skilling and training. However, these will outweigh the potential cost of non-compliance. The financial and reputational repercussions are significant – organizations can jeopardize trans-national business relationships, undergo litigation proceedings and take a hit with the associated penalties that will directly impact profitability.
The risks with GDPR non-compliance or in event of a data breach can call for severe warnings and penalties which include:
- Written warning notices in cases of first and non-intentional non-compliance
- For serious infringements, a maximum administrative fine that is imposed is up to €20 million or 4% of annual worldwide turnover, whichever is higher
- There is a tiered approach to fines. For example, a company can be fined 2% for non-compliance with certain aspects – records not being in order, no notification provided to the supervising authority and data subject about the breach, inadequate impact assessment and others.
Additional risks include,
- Increased scrutiny by regulatory bodies
- Potential litigation in the form of class action lawsuits against organizations that are data controllers (those collecting consumer data) or processors (those servicing it)
- Reputational risks as breach of sensitive customer data can have an adverse impact on the brand image
Compliance through Information Governance Programs
GDPR mandates organizations to ramp up their existing methods and techniques when processing an individual’s personal data. The six principles of the regulation that should be followed by organizations during this process are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
Revamping and reorganizing data can be done through an Information Governance Program which will bring in a structure, offer accountability of ownership and enhance understanding of data existence, location and server management. It can also build stronger cyber security controls, and more importantly, fortify the organization’s compliance with GDPR.
Information Governance Programs have policy defined and technology led methods to help organizations in strategic decision making. This will help maximize the value of information assets as well as mitigate associated risks. These programs can also be a strong catalyst for addressing accountability of data, ownership and bring down the costs of managing the data itself.
Benefits of an Information Governance Program are:
- Improving visibility of customer privacy data
- Increases efficacy of cyber programs
- Mitigates risk and concerns around non-compliance
- Adopting a global approach beyond EU
- Could simplify efforts to drive compliance
- Mitigates litigation related risks
- Disposing junk data
- Reduces the scope of data volume related to compliance
- Improves operational efficiencies
- Possibility of a higher return on investment as it can lower IT storage and maintenance costs
- New data maps could streamline:
- Insider threat focus and detection
- Breach response
- e-Discovery by simplifying the data collection and processing methods
- Knowledge management
- Creating a ready inventory of Personally Identifiable Information can enable tracking other critical information assets with broader risk and compliance concerns
- Improving cross-functional information flow and cross-system reporting to deliver new insights in:
- Post-marketing surveillance
- Supply chain efficiencies
- Return on sales and marketing spend
- Improving visibility of customer privacy data
The future of data protection and privacy can be strengthened through regulations such as GDPR and organizations’ ability to achieve compliance with it. Information Governance Programs can be crucial to pave the path of compliance by building an operational program to bring efficacy and structure with GDPR. The results can be revolutionary, with organizations turning more ethical, transparent, growth driven and more importantly, organized.