Andrew Rogoyski

GDPR – a framework to improve business

UK industry faces some significant challenges in the coming months and years. Apart from the obvious business environment challenges caused by Brexit, with the consequential loss of confidence and the weak pound, there are some very significant underlying challenges that are constraining growth. In areas as diverse as manufacturing, oil and gas and construction, there are some common themes – productivity, skills and investment.

The acknowledged answer to many of these challenges is technology. Key developments in automation, robotics and data analysis are dramatically changing organisations’ abilities to reduce production costs, to customise products to meet individual customer demands and to create agile businesses capable of adapting to changes in demand and supply in today’s digital timescales.

At the core of these challenges, and of future successful businesses, is data: data that describes your customers’ behaviours and needs, data that describes your production processes and data that measures the productivity of your supply chain. Such data is deeply sensitive – it is your competitive advantage. It is also very sensitive to your customers, who will become deeply concerned if information they regard as privileged or personal becomes public knowledge or is used by criminals to perpetrate fraud or similar crimes in their name.

Protecting such data is the purpose of the new European law, the General Data Protection Regulation (GDPR). This new law, which comes into full force on May 25th 2018, harmonises data protection across Europe, including the UK, introducing strong requirements and guidance on how personal data should be protected, and penalties for mishandling such data – fines of up to 4% of a company’s global revenue are allowed under GDPR.

For companies that store or process personal information, there is limited time to make sure that the right steps have been taken to protect this data. In broad terms, companies need to understand what data they hold, how and where it is stored and processed, whether they have the customer’s permission to do so and whether it is accurate.

There are subtler requirements to add to that: companies will need to support users’ requests for their data to be deleted, and their right to data portability (so a customer can take their data from one company to another). Companies will also have to demonstrate, with evidence, that they took appropriate measures to protect such data.

How should you approach GDPR? Think of it not as a compliance regime but as a risk framework. Compliance thinking encourages people to opt for the lowest common denominator, to achieve only the minimum that will satisfy the compliance regime. By taking the wider approach recommended in GDPR, you’ll balance the threat posed by the attacker, the business environment you operate in and the risk that you’re prepared to take as an organisation against the measures and investments you’re prepared to make to protect yourself.

Is your organisation treating GDPR as a way to improve your processes and customer interaction? Leave a comment and let us know.