“GDPR – Friend not Foe”

Even though the new Regulation introduces significant fines and sanctions, surveys show that the bigger risks are considered to be the damage to their reputation, brand and consumer trust.

Some of the newly required practices introduced include:
stricter conditions for obtaining valid ‘consent’ to collect and use personal data;
new and reinforced citizens rights, including the ‘right to be forgotten’ and the ‘right to data portability’;

• mandatory reporting of data breaches, within 72 hours;
• to apply ‘Privacy By Design’ principles and perform and document Data Protection Impact Assessments;
• the Accountability principle, requiring organisations to demonstrate their approach to GDPR compliance and provide evidence of the operation of their compliance activities; and
• a requirement to appoint a Data Protection Officer (‘DPO’) in certain circumstances

The last point is particularly challenging, given the lack of qualified and experienced privacy professionals in the market. The IAPP has certified over 16,000 privacy professionals globally, however estimates indicate that the GDPR will require in excess of 75,000! Interestingly, the legislation specifically allows the role of the DPO to be outsourced.

Whether or not you are caught by the mandatory DPO provision, appointing someone appropriately qualified to be responsible for GDPR compliance should be a priority for any organisation processing significant amounts of personal information.

Despite the challenges, leading organisations see the change in legislation as an opportunity to create competitive advantage. They believe that good data protection practices create trust, leading to further data sharing, deeper insight and an opportunity to deliver their customers more relevant products and services, more efficiently, which can only be good for business.