So, the General Data Protection Regulation (GDPR) deadline has passed, quietly, and without disastrous consequences for most of us. The hackers did not use it as an opportunity to show their might, thankfully, and neither did the data protection authorities, also thankfully perhaps!
In this blog, we will look briefly at some of the opportunities that can be gained from implementation of the GDPR, as it is important to be aware that the GDPR does have a bright side.
As you know, the GDPR implementation deadline was not the end of anything; rather, May 25th, 2018 was really the launch date of a new code for conducting business that involves handling personal data – which, in effect, means most business.
By now, the GDPR is already well rooted in many organisations, and if yours is not one of those, be aware that you will encounter the GDPR through one means or another. For those organisations that provide goods or services or run a club, charity or institution, or monitor the behaviour of individuals in the EU, there is no escaping the GDPR.
If it is the thought of all the work involved that has caused you to be apprehensive about this new law, then perhaps you will be glad to know that there are rays of sunshine associated with the GDPR.
GDPR – THE BENEVOLENT ASPECT
Once you have taken some first compliance steps, which have been addressed in an earlier blog, do you know that, as time goes on, your organisation can use compliance with GDPR as an instrument to:
These are only the superficial benefits. Here are some of the less obvious benefits that your organisation can enjoy.
GDPR forces organisations to clarify data processes and ‘clean up’ data. Up until now, many companies have continued to use old/inefficient systems because implementing new systems, or migrating to a new system, is considered too difficult because of poor data management. This will be less of an issue post-GDPR because retention policies will come into force, allowing companies to manage data better in the future.
Following GDPR-mandated steps, companies will also have a better understanding of sensitive, outdated or redundant data, plus a reduced risk of breaches, as appropriate storage environments will be allocated for the valuable personal data that is worth retaining or must be retained.
There is also the benefit of a reduction in costs because of no longer having to store useless or outdated information.
But it is important to look at the other side also…
WHAT WILL HAPPEN IF YOUR BUSINESS HAS NOT IMPLEMENTED THE GDPR
If you have not already started a GDPR implementation project, your business contacts are a likely means by which you will be prompted to start integrating the GDPR into your organisation.
Or, you may unintentionally invite the GDPR into your organisation via a visit from the data protection authorities, prompted by a complaint from a dissatisfied customer. Our next blog will give an outline of the rise in complaints to the EU data protection authorities since the GDPR has come into effect.
To have a data subject make a complaint against you is not a desirable situation. The Data Protection Commissioner has recently documented the investigation of all complaints as an enforcement priority: “While our investigative and enforcement activities will be primarily directed by complaints and breach notifications received by DPC Ireland….” Complacency is therefore not an option.
The best way to prevent a complaint by a discontented data subject is to demonstrate that your organisation is committed to complying with the GDPR, which, after all, is designed to protect fundamental rights of individuals.
And even if somebody exercises his or her right to make a complaint to the data protection authorities, an organisation that can demonstrate how it has made reasonable efforts to meet its obligations to data subjects will be in a more favourable position from the point of view of financial penalties than an organisation that cannot show that it has made any effort to comply with the law.
START NOW TO IMPLEMENT THE GDPR
If you have not already started to comply with the GDPR, first assign a team to take on data protection responsibilities. Putting resources in place to oversee the application of the GDPR across all sectors of the organisation is a necessary first step. Having those resources assigned at the start will also ensure that you have the capability to deal with data security incidents and data subject requests in a timely manner.
Note that for some organisations, for example public authorities and organisations that process personal data on a large scale, it is mandatory to appoint a data protection officer. For more information on this, read the relevant section of the website of the Data Protection Commissioner at: www.dataprotection.ie.
A summary of the initial GDPR implementation steps is as follows:
Why not decide to seize the financial rewards and business opportunities to be gained from fully implementing the GDPR, rather than viewing it purely as an addition to your workload?
The deadline for it to become law has passed, but the legal obligation to comply with this law will not pass by any organisation. Welcome it, and your organisation will be stronger, leaner and more valuable in the long run.