[BreachExchange] Are there any positives from the first year of GDPR?

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 17 18:54:26 EDT 2019


https://www.computerweekly.com/opinion/Are-there-any-positives-from-the-first-year-of-GDPR

The first anniversary of the General Data Protection Regulation (GDPR)
arrives on 25 May 2019. Discussions about GDPR generally receive about as
positive a reception as Brexit, but are there any positives that companies
can take after a year of living with the new rules?

No one would suggest that preparing for GDPR was an easy or popular
process. It wasn’t, and even consumers and regulators found it rather
trying. However, as it is something that couldn’t and can’t be ignored, why
not at least try to get as much out of it as possible and embrace the
opportunities it can present? Here are some of the key opportunities for
companies to embrace now as GDPR beds in:

Cost savings

Data protection legislation has always held as a core principle the fact
that personal data should not be held for longer than is necessary for the
purpose for which it was collected. GDPR didn’t change this, but given its
new obligations around accountability, and of course the higher penalties
for breaches, this caused mounting panic about the deletion of datasets in
the run-up to the 25 May 2018 deadline.

Although it is a common-sense principle, deciding on appropriate data
retention periods and then enacting them across multiple systems – many
licensed rather than owned, and so with different levels of control – is
not a straightforward exercise. Many companies became tied up in knots in
this area or engaged consultants charging huge sums to introduce
complicated programmes.

But the simple fact is that holding less data is, ultimately, not only
better from a compliance perspective, but can also be cheaper. Many a
company found the act of deleting old, unused datasets surprisingly
liberating and positive once they started – not quite Marie Kondo levels of
joy, perhaps, but the storage cost savings certainly helped.

Data strategy

The other opportunity that a GDPR data spring clean presented was the
chance to better understand – perhaps for the first time, in many cases –
what datasets actually exist within a company. Knowledge of the data you
hold already is so important for informing data strategy, which, in turn,
is so central to growth and innovation in most businesses today.

All too often, because data has sat in isolated silos with different
gatekeepers, companies don’t have the visibility to make decisions around
data partnerships or growth, and sometimes even license externally to
obtain data or insights at a cost, when in fact the information already
exists right under their nose.

Brand

GDPR has certainly brought consumer trust issues around data to the fore,
hitting newsfeeds on an almost daily basis. The largest tech companies
can’t escape it and have been reacting by ensuring that privacy heads the
agenda in CEO speeches and conferences.

However, too few other companies have recognised the opportunity that GDPR
represents to engage with users about how their data is used and to do so
in a way that is compelling and different.

It is a legal obligation to set out how personal data is used in a privacy
policy or other form of notice and to respond to data subject rights
queries – but no individual is impressed to read the standard “we take the
security and protection of your personal data very seriously” type
messaging. It is surprising how few companies with fabulous marketing and
design teams utilise them in communicating and shaping data compliance
programmes.

Some companies rose to the challenge and offer good examples. EasyJet has
an excellent, simple privacy video, which opens with a member of the cabin
crew preparing the plane and audience for the privacy promise that follows.
It explains far better than just a privacy policy can how the company uses
personal data.

Not only is this a better communication tool for complex information, but
it has also been a successful brand promotion – the video on YouTube has
received more than 62,000 views, and social media responses have been
positive. Other companies using a video to great effect are LinkedIn and
Channel 4.

The Information Commissioner’s Office (the UK regulator for GDPR)
encourages such techniques and has embraced them itself, using a series of
infographics on different topics to explain how it uses personal data, in
addition to the standard privacy notice.

Similarly, rather than seeing data subject access and other requests as
simply a pain, companies should consider this as a proactive engagement by
an individual with the brand that should be responded to as positively as
you would to someone engaging with you through a social media channel. Many
companies would kill for more direct consumer interactions, so make every
one count.

New forms of engagement

It was sad to see so much confusion in the run-up to GDPR around consent
for direct marketing. This resulted in many companies deleting parts of
their marketing databases on the back of disastrous re-consent campaigns to
a fatigued population, even where there may have been other solutions for
compliance.

Trying to see any positives at all in this may seem challenging. However,
some companies were forced to be more creative and imaginative in customer
engagement channels. They reflect, with hindsight, that relying on a
volume-based e-newsletter reach was perhaps false comfort, and other more
nuanced and tailored experiences are far better at getting results.

So 25 May should not just be a date for a sigh of relief at surviving a
year without one of those scary fines everyone warned you about – but well
done, all the same. It should also be a date for reflecting on the
positives you got out of GDPR in the past year. If you can’t think of any,
then another look and a rethink may still reap some rewards.