The GDPR: Burden or opportunity?
The newly adopted GDPR will bring increased harmonisation to data protection regulation in the EU from summer 2018. For the consumers this is good news, as their rights as data subjects will become more transparent and will be enforceable towards all companies established or offering services in the EU. For companies, the rules represent increased requirements to legal compliance. Does that represent a burden or an opportunity? Here is our reflection on the new rules.
Consumers or other data subjects rarely hesitate to submit personal data as long as it is logical and for their own benefit. The crucial point is how companies use and manage the data and that the data subjects can get access to information about themselves, have data updated or deleted and transfer the same data to another vendor if wanted.
With the GDPR’s clear and harmonised rights for data subjects, companies will compete based on privacy in the future, and consumers will undoubtedly choose the options, which give them the better data protection. If companies get it right, they may even learn that there are new business opportunities waiting to be exploited.
Some of the key elements in the GDPR are that
- data controllers shall use easy-to-understand language towards data subjects (transparency),
- data controllers shall make it possible for the data subjects to have their data deleted (the right to be forgotten),
- the data shall be portable meaning that it can be transferred by ordinary electronic means (portability),
- the collection and processing of data shall take place with a minimum of means taking into account all circumstances (privacy by design),
- data controllers shall appoint a data protection officer (DPO),
- data controllers shall be able to document that they are compliant (accountability), and
- fines are increased severely and can be expected at a level of up to 4 % of global revenues.
There are exemptions for Small and Medium Sized Enterprises (up to 250 employees), and the rules will in the next two years be subject to various interpretation and guidance. However, it is generally clear that all data processing shall be fair and transparent, and that the measures taken towards protection of the data shall fit the nature and use of the data. The burden of proof lies with the data controller (the company deciding for which purpose data is collected and used).
On this basis, we believe that the companies which are able to adapt to principles as ”privacy by design”, the companies which are able to weigh their own interest with individuals’ rights, and the companies which are able to efficiently manage customer data requests and complaints, will be able to compete based on privacy. If companies are not able to do that, they will fall behind in competition.
Starting with a data flow analysis of their own business, companies may begin getting ready for the new rules now. This will minimize the risk of fines in two years, but more importantly, it will be possible to get a head start of competitors. A data flow analysis could for example consist of the following:
- What kind of data is collected? (Employees’ data, customer data, health information, etc.)
- On what grounds has the data been collected? (Consent from the data subject, agreement with 3rd party, legal requirements)
- What is the data used for? (HR management, answering requests from customers, profiling, marketing, research and development)
- Where is it stored? (local server in Denmark, cloud service in the US, headquarters in Germany, subsidiary in China)
- Who has access? (All in your business, HR management, cloud-service provider, subsidiaries, etc.)
- For how long is it stored? (When will it be deleted and who can do it?)
From this exercise, companies may actually get to know their business a lot better. For example, companies may find that they have data, which they did not think they had, and which may be used to explore new business opportunities or interconnections with the present business activities, making it possible to boost sales or marketing efforts.
All companies with more than 250 employees or for which data processing is at the heart of their business are therefore advised to prepare themselves without waiting for the GDPR to enter into force in summer 2018. There may be plenty of opportunities to be grasped along the way.
Read the EU Data Protection White Paper here