The purpose of this piece is to give some insight into the risks and likely rewards GDPR holds in store, based on our recruitment experience in data protection. It is not a definitive guide. This is part three of three in an oversight series on GDPR and data protection recruitment.
If you’re currently approaching the junction where GDPR and your organisation meet, you’ll have some idea that the risks and penalties for non-compliance are very real. The good news is that there’s still time to change gears before May 2018.
Let’s look at some of the wider risks presenting themselves, then look at the positives and likely future outcomes in terms of wider adoption.
One key point to remember is that the EU's Article 29 Data Protection Working Party, tasked with defining the many loose terms surrounding GDPR, is still operating. While the spirit of the law won't change, more clarity will come in time, and it will filter through member state data protection regulators and data privacy experts.
For now, the key thing to remember is that ‘doing nothing is not an option’ (Helen Dixon, of the Irish data protection regulator).
Data protection & GDPR – the risks
While the 20 million euro fine possibility is big, scary, and legally a reality, the likelihood is that such large fines will be rare in the first few years of the new data privacy regime.
However, global financial services firms & telecoms in particular have been among the early movers in 2016, putting plans in place for GDPR precisely because of the financial repercussions.
Fines, and the potential loss of business customers (who in turn require their service suppliers to be GDPR compliant), have been the main motivating forces.
Despite the above, provided organisations are transparent in their reasons for using customer personal data, and are making demonstrable efforts to apply GDPR principles across their organisation, regulators will recognise the reality that full implementation may extend beyond May 2018.
Frankly, the main risk is simply not taking action now. There are other less obvious risks.
Ongoing & future drain on resources
Remaining inactive means that current projects will eventually require revision, with the associated consultancy fees, contractor costs and delays before going to market.
For example: app developers, companies creating customer-facing IT interfaces with suppliers, or a new chain of doctors’ offices or pharmacies creating online prescription solutions. Privacy by design is a cornerstone of this legislation, and like any law, ignorance will be no defence.
The customer personal data your organisation holds now has a ransom value
Often overlooked: GDPR has now put a price on personal data for hackers and ransomware teams.
If your customer data is lost, there will be situations where paying the kidnapper’s ransom makes more financial sense than bearing the reputational damage and the potential fine. That is a sad reality.
So while data protection is not about ‘IT security’ in spirit, in the real world it is.
Acquisition failure & loss of large/institutional customers
Acquisitions have failed recently in the market where ownership of customer data, or origin of said data, could not be proven compliant with existing legislation.
GDPR requires that an organisation’s suppliers are themselves GDPR compliant, which was a smart move by the legislators in terms of getting organisations to spread the word.
If an organisation is not compliant, there is a real risk in years to come that tenders and customers will be lost on the basis of its data privacy reputation and compliance record.
Examples are Wikileaks, and other high profile personal data breaches in public bodies. The consumer at large is very aware of their personal data footprint online. People care more, and will express their feelings with their spend.
The positive side of GDPR, and speculating on the future.
It’s easy to miss the positives among the GDPR noise, but they do exist. Data privacy legislation is a worthwhile pursuit, and an important movement for society at large.
Personal data in the wrong hands has had extremely negative outcomes for people in our not too distant past (for a brilliant demonstration of the point see “The Lives of Others”; it should be on Netflix).
Public bodies and private companies have a duty to society beyond the departments they administer, or the products and services they sell.
Data privacy as a value proposal
GDPR compliance will allow differentiation from competitors and will add value to products and services. Investing will reap rewards with consumers, and relative to competitors who don’t invest.
The next two years of achieving compliance will be an internal fact-finding mission into how your organisation does business.
Processes will be streamlined, and liabilities under current legislation will be exposed and dealt with before they become a problem.
In many recent conversations with senior client representatives and sector experts, there have been commonalities in terms of where data privacy is headed.
Organisations that will miss the full compliance deadline of May 25th 2018
- The regulator expects this. The key is to show that adequate steps have been taken towards achieving compliance.
How long it will take for real fines to start
- Large multinationals have the legal clout to draw out court proceedings, whereas a chain of pharmacies or fast food restaurants may not. At some point regulators will have to start laying down the law, and the easier targets will be used to set an example.
When GDPR reform will happen
- To a certain extent this is one large experiment, and public bodies and corporations are the subjects. Lessons will be learned by regulators, and it’s likely there will be slight revisions concerning practical application of the law in three to four years.
If there is anything you would like to add to the above please get in contact with us.
Finsearch professional recruitment provides data protection recruitment solutions on all aspects of GDPR recruitment & compliance, from sourcing Data Protection professionals and legal talent to Business Analyst and Project Manager contractors, both permanent and contract.
Contact us here, call us in Dublin on 00 353 1 556 344, or email firstname.lastname@example.org.
Access our network of talented data protection professionals, and discuss how we can help your organisation today.
Contact us today.