By Kevin Kelly, VP and GM, Global Compliance Solutions, Skillsoft
More than 15 years ago, the expression “data is the new oil” was popularized, and it seemed to signal the start of a corporate race defined by facts, figures, demographics, and psychographics.
In the years since, entire businesses and business categories have been built on the collection and use of personal data.
Needless to say, data privacy is a complex issue for most organizations, and it has been made even more complicated by legislation such as the EU General Data Protection Regulation (GDPR). Four years on, GDPR compliance is something many organizations continue to struggle with for a variety of reasons. A glance at the GDPR enforcement tracker shows fines and penalties, ranging from a few thousand to hundreds of millions of euros, still being issued on a weekly basis.
So, where do we stand now that a few years have passed since GDPR went into effect? Let’s explore.
Data As a Fundamental Right
In speaking with business leaders whose responsibilities include data privacy and GDPR compliance, I have learned that companies are finding practical ways to apply the law.
In the global marketplace, not all personal data is treated equally. In the EU, the protection of personal data is a fundamental right of the individual (Article 8 of the Charter of Fundamental Rights), and non-essential tracking, such as advertising cookies, requires the individual's prior opt-in consent. In the U.S. the default runs the other way: tracking is generally permitted unless the individual opts out.
In the U.S., then, there is still a disconnect between how data is collected and how data ethics is understood. High-profile incidents, and GDPR enforcement actions in particular, have many people with governance responsibility revisiting their understanding of the issue.
Regardless of where you come from or the geographic footprint for which you are responsible, GDPR compliance can be a costly and confusing commitment. Let’s review the basics.
What Is GDPR?
GDPR is the EU's set of rules for protecting the personal data of individuals in the EU. It applies to any organization, regardless of size, that processes personal data in the context of an establishment in the EU, or that, from outside the EU, offers goods or services to individuals in the EU or monitors their behavior. (The often-quoted 250-employee threshold only relaxes the record-keeping obligation in Article 30; it does not exempt smaller organizations from the regulation.)
One of its goals is to bring data protection up to speed with the new and unprecedented ways in which information is now used. GDPR also empowers individuals (“data subjects”) by giving them the right to challenge how, what, when, and why data about them is held. Data subjects have the right to access the personal data a company holds on them and to know why and how it is being processed, how long it is stored, and who has access to it; they can also have inaccurate data corrected and, in many cases, have it erased.
GDPR became enforceable on May 25, 2018. Since then, it has prompted significant improvements in the governance, monitoring, awareness, and strategic decision-making surrounding the use of consumer data, and it has pushed data privacy to the forefront of public discussion.
Why Do We Need GDPR?
GDPR obliges organizations around the world to take data protection more seriously than ever before, partly because their reputation now relies on it and partly because the penalties are severe: administrative fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher. One of the ideas behind GDPR was to assure consumers that their data would not fall into the wrong hands, and consumer data and privacy are now treated as a top priority by leading companies.
The simple truth is that data privacy legislation provides organizations with a genuine opportunity to reconsider their data strategy and governance.
GDPR has also brought cost savings and efficiencies by forcing companies to go through their data archives and ask whether the information held is necessary and fit for purpose. Data maintenance has become an active process that is managed regularly rather than a one-off exercise.
GDPR has also encouraged organizations to reassess their networks and infrastructure. Many have migrated to improved platforms, replacing old hardware with more capable (and more secure) devices and aligning with current and emerging generations of technology. While initially expensive, the cost has been offset by an improved user experience for employees that promotes engagement and productivity.
At a higher level, GDPR has strengthened public trust in the emerging digital economy. By harmonizing data protection across the EU (and, in practice, well beyond it), it has let goods and services flow more freely, and confidence between organizations and the public has increased.
What Are GDPR Compliance Requirements In The U.S.?
Even an organization with no physical presence in the EU must comply with GDPR if it offers goods or services to individuals in the EU or monitors their behavior, and in doing so processes their personal data. GDPR reaches U.S.-based companies because it protects individuals in the EU regardless of where the processing takes place.
The vast majority of companies whose business relies on consumers’ personal data conduct themselves in a respectable and responsible manner. For these organizations, simple changes to data privacy regulations should not change the forecast for success.
Multinationals may choose to separate their U.S. and European business operations to take a more focused approach to GDPR compliance. In any case, the data privacy law enacted by the state of California in 2018 (the California Consumer Privacy Act, CCPA, in force since January 1, 2020) should already have prepared any compliance officer for the issue of data privacy and set in motion the structural changes needed to adhere to this kind of legislation.
GDPR Best Practices
GDPR sets out seven fundamental principles to protect individuals' rights and ensure that personal information is not used for illegitimate purposes. Organizations must revisit each of these principles regularly to ensure compliance:
- Accountability: Can you demonstrate that you comply with the other principles, for example through records of processing, policies, and clearly assigned responsibilities?
- Accuracy: Is the data you have collected on individuals accurate and, where necessary, kept up to date?
- Data Minimization: Have you collected only the data that is necessary for the purpose it is intended to serve?
- Integrity and Confidentiality: How do you keep personal data secure, including against unauthorized access, accidental loss, destruction, or damage?
- Lawfulness, Fairness, and Transparency: Is all the personal information in your possession processed lawfully, fairly, and in a way that is transparent to the individual?
- Purpose Limitation: Was each piece of personal information collected for a specified, explicit purpose, and is it used only for purposes compatible with that one?
- Storage Limitation: How long do you hold on to personal information, and is it deleted or anonymized once it is no longer needed for its purpose?
The sheer volume of data processing for regulators to monitor is overwhelming, so it is reasonable to expect them to concentrate their efforts on the relatively small number of organizations that have raised a red flag in some way, for example through a reported breach or a complaint. Most organizations are never evaluated or scrutinized directly; they simply continue to build their own paths toward compliance.
What GDPR Help Is Available?
Fortunately, for companies that want to train employees to comply with regulations such as GDPR, there is no shortage of tools and resources. Compliance training courses help employees understand their responsibilities in reducing GDPR-related risk and help organizations recognize and adhere to best practices.
Microsoft recently noted that 750 regulatory bodies around the world issue more than 200 regulatory updates every day. Given that pace, a compliance training partner that rigorously updates its content through a team of experts, so that training stays current and accurate, is essential to executing and maintaining a successful program.
About the Author
Kevin Kelly is the VP and GM, Global Compliance Solutions, Skillsoft. He leads Skillsoft’s Global Compliance Go-To-Market initiatives, including Legal Compliance, HR Compliance, Corporate Ethics, Cybersecurity and Data Privacy, and Workplace Safety. Kevin has more than 20 years of experience delivering business transformation in the compliance, legal, digital, and SaaS markets.