The General Data Protection Regulation (GDPR), which applies from 25 May 2018, means that new ways must be found to collect and store client data. There are significant challenges to face in terms of mitigating risks to companies, and in terms of best practices for data management.
Bruce Smith, chairman of the NorthPointe Management Group, said: "GDPR is all about the individual’s privacy. It is designed for the individual to have better control over their own information. It takes it out of the hands of corporations and places it more with the individuals.
"It also tries to create a unified set of rules across borders, so that multinational companies are following a consistent set of regulations. Those are some of the core principles, and it does affect people in the EU no matter where they are based."
Smith is keen to stress that while the legislation kicks in from May, companies should start working on it straight away, because it will take time to implement.
"It takes effect in May. Be sure that you start working on it right away; don't wait until the last minute, because it will take you some time to get ready," he added.
"Businesses will need to capture what they are doing, and what data they are collecting, in order to map it out; what’s the best procedure, how long they need to keep that data and so forth."
Smith cited a recent presentation by barrister Dean Armstrong QC of Elias Partnership on the five myths of GDPR.
5 myths about GDPR
- There is a definitive answer for GDPR
"There isn’t," explains Smith. "It is a principle-based set of regulations. They set out the principles, but they are subject to interpretation. There are going to be challenges to this, there will be lawyers who will try to sue on their clients’ behalf. Not only on a corporate basis but also on an individual basis. Make sure that you have your policies down."
- GDPR will only affect compliance departments
"Many businesses don’t have a compliance department, but it’s going to affect the entire company. At the core of this is the sanctity of someone’s data. You will have to get explicit consent from people to capture their data and retain it, and you can only retain it as long as it is necessary. It’s very different to what we have done in the past. Make sure you are good custodians."
- GDPR is all about data hacking
"It's not. It's a holistic approach to data management. This is where the best practices come in. Ask if you are collecting the right kind of data. Are you collecting more than you need to? Does everybody really have to have every piece of information, or are there ways in which you can separate out that information? Excel spreadsheets are no longer going to be acceptable. We are going to have to find different ways to be able to do that."
- GDPR can be dealt with easily by buying technology
"There is a myth that there will be a lot of technology solutions out there that you can buy. There will be a lot of companies telling us that all of their systems are GDPR compliant. Well, nobody is technically GDPR compliant right now, because it hasn't actually rolled out yet to be tested. They may be GDPR ready, but until they have been tested in a court case or by a regulatory agency, they are just ready at this point. Make sure you talk to your vendors and find out how ready they are. Those are important things to know."
- GDPR fines are just a cost of doing business
"A lot of people in this industry think that because they are small or medium-sized businesses, they will fall under the radar. But the answer is that you won't. They will be looking for it, and all it takes is one person to report you and then you will have to answer to the regulatory agency in your country. Please take it seriously. In addition to the fees that you will have to pay, keep in mind that the loss of your reputation will be more damaging than maybe the cost of the fine."
Bruce Smith was talking at IBTM in Barcelona.
If you’re interested in GDPR, don't miss C&IT’s special GDPR roadmap series of events that is kicking off in March.