
GDPR From a BC Perspective

May 25, 2018, by DRI Admin

Lyndon Bird, Chair of DRI’s Future Vision Committee

Today sees the launch of the European Union (EU) flagship legislation – the General Data Protection Regulation (GDPR). The consequences of GDPR and data privacy in general are discussed in the DRI Trends and Predictions Reports for 2018. Copies can be downloaded here.

Why is GDPR different?

GDPR is likely to cause some trepidation in many boardrooms not only inside the EU but also well beyond its borders. In fact, any firm that holds any data on any EU citizen is likely to be covered by this regulation. This extension of the territorial scope is just one of several factors that make GDPR a very ambitious regulation. Here are some others:

  • GDPR is a regulation (which is mandatory) as opposed to a directive (which is open to interpretation).
  • GDPR applies to the data of all EU citizens, so unless your firm can guarantee it has no EU employees, contractors, suppliers or customers, it could be in breach of the law.
  • The size of the penalties can be up to 4 percent of global turnover or 20 million euros – whichever is larger.
  • Consent needs to be explicit and easily able to be withdrawn. A traditional approach to privacy issues (obtaining implied consent – hiding it in small print and legal jargon) won’t work with GDPR.
  • Many organizations must appoint a Data Protection Officer who has legal authority to carry out the role without undue influence from the management of the business. This is not yet mandated for all firms, but in practical terms most major organizations are likely to go down this path. Who qualifies for the role and what credentials they will need is an interesting question for future comment.

Compliance Concerns

While a different breed of regulation, GDPR shouldn’t have taken anyone by surprise. This regulation was developed over several years and has replaced earlier data protection directives. Since publication, firms have had two years to prepare for it.

Did they? Not quite. Prevailing opinion suggests that some 50 percent of EU-based firms are not yet fully compliant. Outside the EU, it is likely that most organizations are still at the beginning of their journey towards implementation. Given the complex nature of GDPR, even those who have been implementing the necessary compliance measures for a long while might still fall short.

Beyond normal compliance concerns, there is a significant political dimension at play here. The global growth and influence of companies such as Facebook and Google have been extremely challenging to governments. Their popularity among the general public is high, but a critical weakness they share is their questionable ability to protect our private data – which, under GDPR, becomes less of a security concern and more an individual privacy issue. It is no coincidence that Facebook recently faced harsh challenges from both the U.S. and UK governments over how it shared client data for political analysis and voter targeting.

Final Thoughts

In short, GDPR poses a fundamental challenge to corporations. It has redefined the ownership of personal data given to companies for specific purposes, such as purchasing a product or service. It changes the rights of the organization to trade that data or use it without permission. And it is not a regulation that can be ignored.

To learn more about Lyndon Bird and the Future Vision Committee, click here.