It used to seem a long way off, but soon it will become reality. As of May 2018, if your organization processes the data of any EU residents you will be on the hook to comply with the General Data Protection Regulation. As you may be aware, the GDPR is the first update to the European privacy and protection laws in 23 years. While much has been written about the fines that can be levied on organizations deemed non-compliant, I believe there’s another element of the new regulation that many organizations overlook when they assess their GDPR risk.
In a word, that missing element is “reputation.”
Yes, the fines are enough to give pause – they need to be taken seriously. But it’s the potential loss of reputation that should be the top concern for everyone, regardless of industry.
Make no mistake, the GDPR authorities take this new regulation very seriously, to the point of considering data protection and privacy a “human right.” What this means is that if your organization fails to meet the requirements of the GDPR, it will become a very public affair. Not only will your existing customers hear about the violation, but those that might have considered doing business with you in the future will know as well.
Consider these figures from a Columbia University study:
- 86% of consumers want to exercise greater control over the data companies hold about them.
- 85% want to know more information about the data companies collect.
- Over 75% of people are more willing to share various types of personal data with a brand they trust.
The value of trust
Trust. It’s the brand currency of the digital economy. Without trust, your customers are just one click away from switching to a competitor. A GDPR violation has the potential to reverse years of brand and customer trust that you’ve earned. And in the long run, that makes a fine seem minor.
If you consider the main elements of the GDPR, you’ll see that they raise two overarching questions:
- Can EU residents trust you with their data?
- Do you have an appropriate data management program in place to enable that trust?
Key GDPR components and where data management fits
Let’s take a look at some of the core components of the GDPR as they’re described in the regulation. For each component, we’ll pose a related data management issue that your organization needs to be able to address.
Personal data
- Personal data shall be accurate and, where necessary, kept up to date.
- Does your organization have proper data quality measures in place?
- Personal data shall be processed in a manner that ensures appropriate security of the personal data.
- Are only authorized employees at your company allowed to access certain data?
Conditions for consent
- Demonstrate that the data subject has consented to processing of his or her personal data.
- Do you have proper data tagging and cataloging in place?
- The data subject shall have the right to withdraw his or her consent at any time.
- Do you have an integrated view of your customer’s data to ensure all their records reflect the consent withdrawal?
Right of access by the data subject
- The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.
- Do you have the data management in place to confirm which data is being processed, and which is simply stored?
- Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards.
- Do you have the proper data tagging processes in place to show your customers which data was transferred?
Right to erasure ("right to be forgotten")
- The right to obtain from the controller the erasure of personal data concerning him or her without undue delay.
- Do you have an integrated view of your customer’s data to ensure all their data is erased?
Right to data portability
- The right to transmit their data to another controller without hindrance.
- Do you have all your customer’s data in one place to make this transmission seamless?
The SAS approach
Addressing the GDPR requires a daunting amount of work for organizations, and no two companies will face the exact same issues. At SAS, we’ve developed a five-step approach that matches the data management requirements of the GDPR. Not only does the SAS approach help you work toward compliance – it also ensures that the trust you’ve built with your customers will remain steadfast, long past the deadline of May 2018.
The 5-step approach of SAS for Personal Data Protection enables you to:
- Assess, access and blend data from many different file types, relational data sources like Oracle and emerging big data technologies.
- Use data filters, sampling techniques and sophisticated algorithms to identify and extract personal data from structured and unstructured data sources, no matter where PII resides.
- Enforce governance policies, monitor data quality and manage business terms across the organization – and assign owners to terms, and link them to policies or technical assets like reports or data sources.
- Use role-based data masking and encryption techniques to secure sensitive information, and dynamically blend data without moving it to help minimize exposure of sensitive data.
- Proactively avoid penalties and breaches by giving key authorities interactive reports to identify the users, files, data sources and types of PII detected.
An example
Listen to the video below to hear how the largest insurer in Greece – INTERAMERICAN – is using the GDPR as a catalyst for meeting broader business goals. This insurer knows that the GDPR is about much more than just avoiding fines – it’s about ensuring that its trusted brand name remains the company’s greatest asset for many years to come.
Download a paper to learn more about how the SAS approach to GDPR can help protect your valuable corporate reputation.