With the General Data Protection Regulation (GDPR) coming into force, it is time to reflect on such a huge overhaul of the data protection laws affecting every organization operating within the UK and the EU, from schools to large multinationals.
To put things into perspective, in the UK alone, GDPR impacts over 500,000 data controllers registered with the ICO (Information Commissioner’s Office), the UK’s independent body set up to uphold information rights. In the last month alone, GDPR has generated over 11,000 news articles with people searching for information on the new regulation from over 130 different countries.
If you have not already caught up with this wave of information, there are plenty of resources from the ICO that will give you a head start, including Guide to GDPR (ICO) and GDPR Myths (ICO).
In the last few weeks, organizations wary of GDPR have reached out to their subscribers, clients and staff to either educate them or seek consent on the new data privacy laws ahead of 25th May, GDPR’s implementation date. However, the real benefit from now on is giving rights and data freedom back to individuals rather than organizations. As the industry moves from the definition and clarity phase into the phase of real impact, the new privacy laws enable an interesting digital journey for both consumers and organizations battling to uphold the spirit of the new regulation. Elizabeth Denham, an Information Commissioner at the ICO, highlighted: “In fact, it’s important that we all understand there is no deadline. 25 May is not the end. It is the beginning. This is a long-haul journey. But it’s not a holiday. There’s a lot of work to be done along the way.”
Whilst preparation for GDPR has pushed many organizations to consult third parties with regard to the legal basis on which they hold data, the real devil lies in the basics. In an age of rapid growth and dependency on data, has the organization built sufficient technology tools to enable “privacy by design”? Can it predict and align privacy changes with its future business goals? Can it support selective privacy policies where users have granular rights rather than generic consent? Can it encourage its staff to talk about rights to data? And can it freely talk about its policies, processes and data breaches with the public?
Furthermore, consumers' active engagement with data privacy will better educate them about their rights and positions in relation to organizations, which will in turn appear more trustworthy and data-inclusive. Advanced technology such as Artificial Intelligence can enable organizations to perform active policy reviews from narrow to general views. However, technology decisions and advanced skills must align with the fundamentals of GDPR at all times.
While the rest of the world is catching up with GDPR, a unified and more inclusive technological approach can provide harmony in the continuous battle for digital freedom.
Got a few more minutes to spare and want to delve into GDPR? Here are a few useful resources:
Data Protection Impact Assessment
Data Protection Self Assessment
Kumar Raju Kosuru is a RegTech expert with over 10 years of experience working in Financial Regulation and building technology solutions at Goldman Sachs and UBS.