
How your business can use the GDPR to win and regain trust


When the General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018, it will give you an opportunity to win and/or regain trust from your customers when it comes to personal data and privacy. The latter was something very important to the legendary founder of Apple.

Back in 2010, at the All Things Digital: D8 Conference, Steve Jobs stated that the manufacturer of the iPhone had a very different view of privacy than other companies in Silicon Valley.

He said: “We take privacy extremely seriously. As an example, we worry a lot about location in phones. We worry that [for example] a 14-year-old is going to get stalked, or something terrible will happen, because of our phone.

“Before any app can get location data, we don’t make it the rule that they can set up a panel and ask for permission, because they might not follow that rule. They must call our location services, and we put up the panel saying that this app wants to use your location data. We ask the user whether it’s OK with them, every time they want to use it.

“We do a lot of things like that to make sure people understand what these apps are doing. It’s one of the reasons we have the curated apps store – we have rejected a lot of apps that want to take a lot of your personal data and suck it up into the cloud.


“A lot of people in Silicon Valley think we’re really old-fashioned about this. Maybe we are, but we worry about this. We’re moving more into the cloud, but privacy means that users should know what they’re signing up for – in plain English, and repeatedly.

“I’m an optimist and believe people are smart – some people want to share more data than other people do. But ask them! Every time. Make them tell you to stop asking if they get tired of you asking them. Let them know precisely what you’re going to do with their data.”

Regaining control of personal data

This view of privacy is central to why the General Data Protection Regulation (GDPR) was proposed in 2012 and will come into effect in May 2018. At the core of the new set of rules is the move to give citizens back control of their personal data and to simplify the complex regulatory environment for businesses.

It’s about trust – the theory is that businesses can win the trust of people who use digital services by giving them more information about, and control over, how their data is used.

This is crucial for businesses that process sensitive data on a large scale. GDPR is an opportunity for organizations of all kinds to have a “seal of quality” for how they handle all personal data.

The size of GDPR fines will drive businesses to change

Orlagh Kelly is the barrister and chief executive of Briefed, a GDPR compliance and training specialist. She believes that from a very basic infrastructure and data handling perspective, there’s not much difference between the Data Protection Act 1998 and the legislation and requirements outlined in GDPR.

She says: “The eight data protection principles that existed in the old legislation all appear in the new legislation.”

However, the fines for non-compliance are much larger. There are two tiers of administrative fines that can be levied: up to €10 million or 2% of annual global turnover, whichever is higher; or up to €20 million or 4% of annual global turnover, again whichever is higher.

Orlagh says: “The real difference with how GDPR impacts businesses in a way that the Data Protection Act didn’t is the size of the fines.

“Any business that was a data processor wasn’t under threat of being investigated or sanctioned. Those businesses tend to have done nothing in terms of data protection compliance because it was never a big risk for them.

“With GDPR, however, they can now be fined and sanctioned as much as any data controller, so that’s a big change.”

The threat of these heavy fines means there is much more of a business case for organizations to change their digital systems and the way they process data.

“The Information Commissioner’s Office (ICO) can come in and audit a business,” Orlagh continues. “The attitude previously of ‘let’s cross our fingers and hope we don’t have a breach’ has changed because the ICO can walk in, much like HMRC can walk in with your tax affairs, and ask to see how you are complying.

“The concept of accountability flows through GDPR. It’s no longer enough to comply. You need to at least be seen to be complying. GDPR sets what businesses need to do to meet that.

“These are largely paperwork-based items in relation to having correct policies, proper data sharing agreements or contracts with third parties and having a training register identifying when all of their staff have been trained, which needs to be audit-ready at all times.”

Below are three ways GDPR can benefit your business.

1) Drive your digital business transformation with GDPR

For many years, organizations have routinely collected user data while leaving consumers in ignorance about how businesses were using their personal information. However, consumers are now savvier than ever about who stores information about them and why.

GDPR isn’t simply a set of new rules to adhere to but an opportunity for digital business transformation where organizations can become more customer-centric. The key principles of accountability and transparency require companies to find the right balance between the customer’s right to privacy and their own legitimate business interests.

This means forward-thinking C-suite executives should not be thinking about the GDPR as a mere compliance challenge but instead as a positive opportunity for digital transformation.

It’s important that businesses get this right as this is critical to building trust as we move further into the fourth industrial revolution powered by data, new technology, artificial intelligence and machine learning.

This means there are huge challenges and opportunities. As Steve Jobs suggested, those that succeed will embed respect for privacy as a core brand value rather than treating it merely as a compliance issue.

Dave Rogers, business development manager at King of Servers, says: “Whereas digital business transformation is the transformation of business and organizational activities, processes, competencies, and models to leverage the changes and opportunities of digital technologies, GDPR is a profound transformation to protect personal data.

“It’s clear that both mirror each other in terms of approach and as such it’s very clear to see how GDPR is a catalyst for digital business transformation. GDPR presents organizations with a real opportunity to build trust with their clients as it forces businesses to shed light on the data they store and how they use this valuable data commodity.”

Where the objective of the GDPR is to support digital process automation as a wrapper around legacy siloed data systems, Dave believes technology can power much of the change needed – however, he is clear that technology alone is not the answer.

He adds: “Organizations must re-engineer their processes and activities, and develop their core competencies alongside the technology changes to fully comply with the GDPR requirements.

“In doing so, they have the opportunity to remove old outdated systems and practices and embrace new efficient methods. In other words, the C-suite must be responsible for leveraging digital transformation that is fuelled by the hot potato that is GDPR.”

2) Use GDPR to move towards cloud computing

Tim Hall is chief technology officer at Blue Logic and has a decade of experience in the IT industry. He believes GDPR is a great opportunity to bring an organization into the cloud computing age and opens avenues for progressive technologies.

“Ambition and a passion to embrace the future is necessary to make your business’s response to GDPR a successful one,” he says. “If you can look past the short-term pain of GDPR compliance then you will reap the benefits of it in the long term.

“Businesses should approach GDPR as a real opportunity to build new processes and systems that can benefit the customer and the business.

“Those businesses that grasp this opportunity with both hands will set themselves up to not just be compliant with the laws but be ready to continue to innovate as digital business transformation continues to reshape how businesses engage and interact with customers.”

3) Use GDPR to transform your approach to personal data and regain trust

Dean McGlone, sales director at V1, says GDPR readiness requires organizations to reliably streamline all personal data held across disparate systems, network folders and potentially even paper-based storage.

Although businesses need to be vigilant, he doesn’t think it’s all gloom and doom. He says: “It also represents a major opportunity for businesses to transform their approach to privacy, harness the value of data, and ensure their organization is fit for the digital economy.

“The GDPR is a positive catalyst [for businesses] to think carefully about their data processes, ensuring they treat personal data correctly and plug any gaps in compliance.

“As a result, they will also be able to build more trusted relationships with their employees as well as identify new opportunities, such as making use of unused skills among existing staff, or pinpointing training requirements.”

The result is a more engaged and digitally savvy workforce – essential ingredients to any successful digital business transformation strategy.