In this article, we look at what it means to be GDPR compliant and the benefits of doing so. Referring to the latest study carried out by the European project STAR II, Trilateral Research’s Data Protection Consultant Kai Matturi investigates the impact on SMEs of not being GDPR compliant and the effects this can have on their business.
There has been a lot of attention focused on the penalties for not complying with the General Data Protection Regulation (GDPR), yet it is the impact to business reputation and continuity that is likely to be much more significant in the long run. Becoming GDPR-compliant goes beyond avoiding fines. It means setting up processes and safeguards that enhance customers’ trust and avoid business disruption.
Falling foul of the GDPR will result in litigation and fines, but hidden beyond these will be an enormous amount of disruption. If a business is hit with a lawsuit because it was not gathering personal data properly or failed to inform customers of a data breach, it will need to follow a lengthy process. This will involve gathering all the relevant business information to provide context, which will then be used to investigate the potential breach.
If a business does not have a sufficient overview of its data, the above process will disrupt the ICT team, the legal team and the wider business, leading to opportunity costs, amongst many other issues. To avoid this nightmare scenario, companies should develop a proactive approach with respect to the GDPR.
The companies that took part in the STAR II project often used the word “catalyst” when describing the GDPR and its impact on their business. It is forcing many companies to do what they should have been doing all along – take ownership of the personal data that they collect and process.
Benefits in complying with the GDPR
There is growing evidence that companies who seek to be compliant with the GDPR are seeing benefits beyond GDPR compliance. The Data Privacy Benchmark Study published by Cisco shows that companies that have invested in meeting customer privacy requirements have reported shorter sales delays and fewer or less serious data breaches.
Furthermore, GDPR-ready companies that have suffered a data breach reported that the average number of impacted records was 79,000, compared to 212,000 reported by non-compliant companies.
The Cisco study also found that the system downtime associated with a breach was shorter in the case of GDPR-ready firms, and the costs of dealing with the incident were also considerably smaller.
While businesses in highly regulated sectors tend to lead the way when it comes to data governance and by extension data protection, the GDPR has levelled the playing field. Companies of every size will require a comprehensive view of all their data, making it easier to employ data analytics successfully. While companies will need someone to interpret the data patterns and pinpoint the resulting insights, it will be easy for them to catch up with those companies already employing these tactics.
Many suppose that companies will find the GDPR too restrictive or argue that it expects too much of companies. Yet the vast majority of companies that were involved in STAR felt that it is not prescriptive enough. Companies may know what they are supposed to do, but the regulation does not clarify how to do it. The companies surveyed by the STAR II partners indicated a strong preference for templates and other practical guidance on how to implement the GDPR.
The need for a roadmap to GDPR compliance
The biggest hurdle is taking the first step, by identifying the greatest risks to the company. No single technology solution is able to do this. It requires multiple solutions combined with both people and process to build a suitable technology roadmap. This should identify the worst risks and exposures so they can be addressed both under the GDPR and other industry regulation.
The fact is that most companies were almost certainly not 100% ready for the GDPR when it came into effect on May 25th, 2018. Ensuring that a detailed roadmap is in place will help companies know what to prioritise, as well as demonstrating progress if a regulator requires evidence that the compliance process is underway.
The GDPR has brought many different sizes and types of companies into the regulated world. The future could be confusing for them – particularly if they focus on the risks rather than the rewards. Making changes as soon as possible to be among the early adopters in the market will do more than act as a differentiator from the competition. It will drive customer trust and open up valuable insights to accelerate business.
For more information on our commitment to Privacy and Data Protection please visit our Data Protection and Cyber-Risk Service page and for more information on the STAR II project visit the project’s website and contact our team.