The General Data Protection Regulation (GDPR) requires businesses to transform the way they manage data, with fines of up to four percent of company turnover for compliance breaches.
Most companies are aware of the GDPR, which replaces the Data Protection Directive in place since 1995. But many see compliance as a time-consuming, box-ticking exercise.
This is the wrong way of looking at the regulation, experts say. There are, in fact, many hidden benefits of GDPR compliance, including the potential to unlock previously untapped, valuable information and streamline data policies. For example, some experts say GDPR could aid businesses with cloud adoption, improve data management or even help facilitate a smoother M&A process.
Taking this into account, firms should change the way they see compliance, says Tim Grieveson, IT and change director at general insurer Legal & General, and formerly chief cyber and security strategist for enterprise security products at Micro Focus EMEA.
He says: “Yes, it’s about compliance, but it is also about two other things: operational efficiency and revenue generation capabilities.” He explains: “If you understand the data you have, you get better insight into customers.”
In other words, classifying data could be a money-maker, rather than a money pit, according to Joe Garber, Micro Focus' global vice president of marketing for information management and governance software.
“Once you get your data in order, and you gain insight into your information, you can mine it,” he points out, while noting that organisations will need to have a legal basis and customer consent to do this. “This will reveal valuable, strategic information about what your customers really want.”
Another benefit of GDPR is that it gives firms the impetus to get a handle on the vast amounts of unstructured data that have been building up for many years.
“It puts you in a position where you have no choice but to tackle unstructured data head on,” says Jamal Elmellas, CTO at Auriga Consulting. “If you want to be compliant, you have to understand where personal data sits and what the business does with it. Unstructured data is the enemy of those things, so it is one of the biggest challenges.”
Firms can also use the regulation as a driver for rationalising their application portfolios, which in some cases may have grown over the years due to mergers and acquisitions.
Indeed, when businesses are drowning in data and producing more information all the time, GDPR offers much needed visibility. “The data flow and mapping exercise …allows firms to know what information they hold,” Elmellas says.
Getting started on this task can appear overwhelming. But Elmellas recommends that companies assess the data they have and then implement a targeted operating model. Firstly, he says, businesses should embed and implement GDPR requirements such as ‘the right to be forgotten’.
At the same time, Elmellas says, firms can start to build efficiencies. “They can look for duplicates and examine how they can extract efficiencies while doing GDPR implementation. This will prove to be quite successful for those who haven’t examined their data for a long time.”
This approach can help businesses derive even more value from their data, as streamlining information makes that value easier to extract. Elmellas points out: “You are essentially looking at your data goldmines.”
Standing out with GDPR
Compliance can also be a differentiator from a customer perspective: getting it right can make a business stand out in a crowded market. “It’s really just being customer friendly; it’s being transparent about how you use data and trying to sell that value,” says Will Robertson, partner at law firm Osborne Clarke. “If businesses get this right, it’s a positive way to tell employees or customers that you really value them and take them seriously.”
Part of this is crisis management, he says, citing the example of the recent TalkTalk cyber-attack in the UK, which the firm notoriously handled badly.
However, he points out, a data breach doesn’t have to be a disaster. As part of GDPR, companies should work out how to manage their communications when something goes wrong.
“In tomorrow’s world of GDPR there is a business differentiator in the fact that there’s a real difference in those who handle a breach well,” says Robertson. “You will maintain the confidence of customers and employees and may be less likely to get heavy treatment from the regulator.”
The regulation can also help a business differentiate itself through efficient technology. Firms can use GDPR to get their data in order by moving to compliant cloud services, Grieveson says: “It is also a better way of doing business – cheaper, faster and you can do it anywhere and then you can create new revenue streams.”
However, as firms move towards GDPR compliance, it is important to have a strategy. With this in mind, outside expertise will help many businesses. For example, Micro Focus provides a range of technology to support GDPR compliance.
Cyber-security is an essential element of GDPR. Firms such as Micro Focus can offer capabilities in this area as well as the ability to protect data throughout the lifecycle.
David Kemp, EMEA specialist business consultant at Micro Focus, says: “We have engines that deal with defence of the outer core but also tools to prevent issues such as insider trading in the financial industry.”
The deadline is only one year away, so it is important that businesses start taking steps towards compliance now. Companies should first ensure that they have visibility of their data. Once this information is streamlined and reorganised, the benefits of revenue generation and operational efficiencies can be achieved.
Ultimately, the GDPR should be seen as a business differentiator, rather than an issue to be managed. But it is also important to note that no business is perfect. Robertson advises: “The practical angle is: most businesses will not be 100 percent perfect by next year. So look at GDPR in bite-sized chunks and prioritise.”