Data is the lifeblood of any organisation.
Today’s businesses couldn’t function without data. In fact, when we surveyed a group of business leaders in 2019, they told us they rely on data to inform their decisions every half hour.
And as with any important asset, protecting data is a top priority. Privacy is paramount and the introduction of the General Data Protection Regulation (GDPR) has crystallised the importance of data privacy and signalled an evolution in the regulatory landscape.
A confusing start
The introduction of the GDPR was a natural evolution of data protection regulation, but has heightened focus on how businesses collect, process and sell data, especially for sales and marketing purposes. Many businesses have been forced to review their approach to data, and the issuance of financial penalties has hit the headlines. While the legislation was well supported, its implementation was still met with hesitation and confusion, with many unclear about requirements for consent and the implication for business-to-business activities.
Providing a clear framework
Although much of the GDPR discussion has focused on the challenges of adopting and adjusting to new legislation, the new framework provides a ‘gold standard’ and much needed consistency across Europe. When effectively implemented, the GDPR allows businesses to take control of their data and take a responsible approach to identifying valuable opportunities as well as managing risk.
The recent Data Privacy Day is a perfect opportunity for businesses to take stock after nearly two years of the GDPR. Seeking advice from legal counsel is essential to ensure your data practices are compliant. There are several important things to remember when reviewing your current processes:
- Know your data protection definitions – while it may seem obvious, by having a good understanding of the concepts of “personal data,” “sensitive personal data,” “controller,” and “processor,” for example, businesses can transfer those to their understanding of the GDPR.
- Know your ground of processing – businesses must ensure that all data being stored has a legitimate purpose, and that they are properly applying the ground of processing they rely on.
- Know your high-risk activities – organisations need to adopt a risk-based approach to data processing activities. Cyber security needs to be at the core of protecting data, with organisations carrying out a privacy impact assessment to determine the level of risk of particular activities.
- Know when to notify of a breach – not every type of breach requires notification. Businesses need to understand and review their breach management procedures to be safe.
- Know how to handle international data transfers – companies with subsidiaries inside and outside of the EU should note the inclusion of Binding Corporate Rules (BCRs) in the GDPR. BCRs are a mechanism for intra-company transfers around the world, and are being given a legislative basis for the first time.
The new normal
In an increasingly digital-led and data-based world, the GDPR is a positive, progressive move forward for data protection legislation. Having an EU-wide set of regulations opens up opportunities for easier, faster, and more streamlined trade, while ensuring that data is protected and used in the right way.
Businesses with a strong and robust data management strategy in place will reap the benefits. Now is the time for organisations to take stock of their ‘data health’ and really understand how their data systems work. With an uncertain geo-political environment and ongoing discussions about the implementation of the ePrivacy Directive, it’s essential to have a full and transparent view of how data is used across the organisation.
Written by Nicola Howell, Senior Compliance & Privacy Attorney, Dun & Bradstreet