If you are a CEO, board member or otherwise involved in delivering a business strategy or IT, you probably feel like you are walking around with a GDPR (General Data Protection Regulation) gremlin hanging on your back. It’s whispering the words ‘consent’, ‘processing’, ‘big fines’ and, let’s not forget, ‘privacy statement’ into your ears day in, day out, and as May 2018 approaches that soft whisper may start to feel like it’s becoming louder and more aggressive. The gremlin is feeding on the continuous marketing emails, blogs (but hopefully not mine!) and newsletters arriving in your inbox with the nightmare scenarios for your company if you don’t get a move on and turn your business into a GDPR paradise. Employing their services to do so, of course.
Now, I am not putting down or even challenging the nightmare scenario sellers. After all, if the breach at TalkTalk had happened after May 2018, rather than when it did in October 2015, we could have been reading about a multimillion pound fine and not the £500,000 one. So, there are certainly serious financial consequences to being found non-compliant.
This blog is not about predicting your company’s downfall after May 2018. Instead, it’s following in the same good news vein as the Information Commissioner’s recent blogs that helped to sort the fact from fiction and debunk several GDPR myths. (See the link at the bottom of the article.)
The good news
Implementing GDPR may not be as painful as some are making out, depending on your company’s IT security maturity. Many payment and e-money institutions will already be running best-practice models and may just not be documenting them, meaning the cultural impact of becoming compliant will be a lot less than if implementing from new. Also, with the constant news coverage over the last few years of repeated data breaches and hacks of large global organisations, data security has been creeping its way up the priority ladder within most companies, especially those, like financial services firms, whose bread and butter depends on user data and being trusted.
For some, it may be just a matter of performing a gap analysis, reconfiguring some policies and procedures and introducing regular staff training.
On the other hand, some of the smaller firms subject to lighter-touch regulation, like payment institutions, may be feeling overwhelmed at having to do even that, especially when face to face with the prospect of having to implement across their business the 99 articles and their backup band, the 173 recitals, within GDPR straight after, or preferably alongside, getting PSD2-ready (the second Payment Services Directive, to be implemented by 13 January 2018).
My advice is to take a common-sense approach and look at GDPR for what it’s designed to do: protect the data subject. The whole point of GDPR is to put the power back into the hands of the individual by giving them additional rights such as the right to rectification (Article 16) and the right to be forgotten (Article 17). To achieve this, you have to understand what data is coming into your business and how you use it.
And that’s the opportunity. Mapping the flow of data can provide an incredible insight into the processes your company uses to make decisions based on the information it captures. If done right, your business can benefit from understanding how data is shared both internally and externally, improve the efficiency of operations that use that data, get a better handle on how much the data life cycle costs and understand if you’re using that data to its full advantage.
And it’s not just about how you use data. Mapping the flow of data will give you a map of the processes within your business, the technology and systems that support the processes and the people involved. This exercise could give you the clear picture you need to resolve problems with processes that have previously been regarded as too complicated or too time-consuming to tackle.
So, by completing a data mapping exercise you not only set yourself on the highway to GDPR compliance (and yes, you do have to redirect precious resources away from customer-facing activities to more internal ones) but also on track to gain valuable insight into the internal processes within the business.
If you would like to discuss how your firm can better understand and manage your risk or any other compliance matter, contact me or one of my colleagues.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.