Some South African organisations believe that the European Union’s General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, does not apply to them, simply because they do not operate from a European country.
But if your business has ever sold a product or service to someone living in the EU, or if you have a remote team member who works from their home in Germany, for example, then you will have to comply. And in today’s hyper-connected world, you could very well be doing business with someone in Europe one day.
What is the GDPR?
Much like South Africa’s Protection of Personal Information (POPI) Act, the GDPR makes organisations accountable for personal data protection. It governs how businesses can collect, process and store information that could lead to the identification of an individual, including names, ID numbers and even IP addresses and location data.
Essentially, the GDPR puts the individual at the centre of data protection, giving them the right to know how their personal data is being used, stored, protected, transferred and deleted, as well as the right to be forgotten.
This means that data protection will become a top compliance and strategic priority for companies. It also requires businesses to apply the same level of protection to personal data as they would to any other business asset – if not more.
The good news
Although GDPR introduces stringent compliance requirements, the basic rules for data protection remain the same. This means that compliance won’t require businesses to build something from scratch but rather calls for a revision of existing compliance procedures.
Anytime a business works to improve processes and procedures, certain benefits naturally accrue. Becoming compliant with GDPR presents businesses with a number of opportunities, including:
Improved data governance, which will drive business efficiency. In recent research conducted by SAS, 71% of respondents agreed that improved data governance will contribute to efficiency, and 37% believe that their general IT capabilities will improve as they seek to comply. Other benefits cited included improved business reputation (30%), improved customer satisfaction (29%), and a boost in the organisation’s external value proposition (29%).
Gain competitive advantage. Complying with the GDPR presents an opportunity for businesses to reassess their data governance policies. Having the right policies in place will improve the business’ analytical processes, optimise operational efficiency and reduce costs. And because the GDPR recognises data as a strategic business asset, and because personal data is at the centre of many analytics initiatives, compliance should be considered as a catalyst for digitisation – with the customer intelligence and risk management departments benefitting the most.
Achieve higher customer satisfaction. When organisations have a holistic view of their customer data, they’re able to engage in more relevant interactions, and to offer new services and initiatives aimed at improving the customer experience.
Despite these compelling benefits, a massive 98% of organisations experience challenges in complying with GDPR. In a word, that’s everyone.
The word ‘general’ in GDPR implies that there is some room for interpretation of the law, which makes it difficult for businesses to know what good looks like and if the actions they’ve taken to comply are sufficient – a challenge cited by 20% of respondents.
Another challenge is the ability to establish an inventory of what data is being collected, used and stored across the organisation. To do this, data needs to be identified and catalogued, while maintaining a record of the data lineage. This is an enormous task that cannot be done manually.
Other areas that need to be automated include the ability to operationalise requests like the right to be forgotten, data portability (when a customer switches to a new service provider) and consent management. Businesses need to implement new processes and a solid data governance framework to support these requirements, which, as I’ve mentioned, is not a bad thing.
Security will also become a crucial focus area for any business dealing with personal data. Organisations need to protect their networks against breaches and have systems in place to inform affected individuals and authorities if data is compromised. This is impossible if you don’t know where the data resides because you’ll be unable to prove whether and how well you protected that data.
Other challenges include finding stored data, managing access to data, and ensuring benefits to the organisation beyond compliance.
Our research found that, while 56% of respondents are prioritising compliance as the deadline approaches, less than half (42%) fully understand the impact GDPR will have. Of course, the biggest impact will be felt by those that don’t comply, with penalties ranging from €20 million or 4% of annual global revenue – whichever is higher. Losing this amount of money could threaten the future of any organisation.
Compliance will depend on how well a company’s business processes are organised and structured. A good starting point would be for businesses to appoint a data protection officer, who not only understands data privacy and how to apply the law but also understands the value of data as a strategic asset.
The GDPR will not only change the way businesses store and process personal information but also the way they run and manage data projects. This suggests that achieving compliance is impossible without solid data management and governance processes and systems.
By Obed Lesejane, Senior Solutions Manager: Data Management, SAS South Africa