Since its introduction in May last year, the General Data Protection Regulation, or GDPR as it is commonly known, has attracted a lot of attention and not all of it good.
For many, it has been a source of confusion and concern, due in part to conflicting information given in the media and, in some cases, advice from well-meaning companies who were keen to capitalise on a new and easy revenue stream, but who didn’t fully understand the legislation.
For many organisations, meeting the obligation of processing personal data responsibly and compliantly doesn’t have to be a laborious or costly exercise, but some work is required. Common sense dictates that it is better to do this work in a planned and budgeted manner rather than in a panic because something has gone wrong and the business wasn’t prepared for it. Some of the scaremongering mentioned previously relates to the multimillion-pound fines, but the Information Commissioner’s Office have always said that their goal is to promote, improve and support businesses to properly protect personal data, rather than go for their financial jugular.
At the end of the day, we are all consumers, service users, members, staff, patients, etc., and throughout the day, without much thought, we give our personal data on many occasions. Examples include giving our name, address and bank card details to buy a product, completing a form to register for a service or join a club, and logging into our social media accounts and posting comments, photos or doing those fun quizzes or questionnaires. As individuals, we have a right to ensure that our personal data is being responsibly processed, but unfortunately that isn’t always the case, as we have seen recently with some very public data breaches and data processing infractions from well-known brands, including Carphone Warehouse, Uber, Starwood Hotels and, who can forget, Facebook and Cambridge Analytica, to name but a few.
There are many upsides to getting with the GDPR programme. Aside from the opportunity to yield operational efficiency gains, compliance also gives organisations a competitive edge. Consumers are becoming more savvy regarding their rights and how their data is being used, and are making more informed choices about who they give their business – and personal data – to. Those brands who have suffered breaches have seen their reputation – and market share – decrease. Similarly, in a business context, companies are now asking their supply chain for assurances regarding GDPR compliance, which can make the difference in being selected as preferred supplier or not.
There is also a strong expectation for organisations to simply “do the right thing” when it comes to processing personal data. It’s not always about what you can do, but what you SHOULD do.
Hayley Jaffrey, Data Privacy & Quality Governance Director, The Quality Atlas