GDPR deadline is fast approaching – with opportunities and obligations

The ownership and sharing of personal information is making the headlines not least because of the looming May 25th deadline for the General Data Protection Regulation (GDPR). "Don't see GDPR as a one-off event or simply a hurdle to clear – it is best regarded as a compliance journey with GDPR part of the route, not a destination," advises KPMG managing partner Shaun Murphy. He believes it is essential to "have a clear strategy that deals with both the opportunity and risk that data provides".

Murphy leads an organisation of almost 3,000 people across Ireland, working with clients in all sectors of the economy. "Each of these entities, regardless of size, has an opportunity to unlock real value in their data," he says, but to do so requires seeing the full picture.

He notes that 10 years ago, energy giants dominated the list of the world’s most valuable companies, but now that list is led by tech companies with access to vast amounts of information and data. Indeed, data has been described as the “new oil”.

Murphy points to the United States, where "data scientist" is one of the fast-growing job titles categorised on LinkedIn. "Data is both an asset and a liability," he says. "Viewing data as an asset opens the door to opportunities to create value. From deeper insights into consumer and customer behaviour and purchase patterns to fraud detection – data can deliver powerful, actionable insights for business."

On the liability side, the way personal information is collected, stored, used, disclosed, shared and disposed of is a leadership issue that is also potentially problematic.

Businesses could face fines of up to €20 million or 4 per cent of annual global turnover for GDPR non-compliance – whichever is the larger. Ireland's Data Protection Commissioner Helen Dixon has said that such sanctions are necessary "to grab the attention of industry".

Privacy

It’s in this context that Murphy articulates some basic principles all organisations should consider, not just prior to May 25th, but for the foreseeable future. The first is privacy.

“Customers and consumers want to trust those they do business with,” he says. “One of the easiest ways of damaging or destroying this trust is to abuse personal information. People are entitled to know what is being done with their personal information, and they expect you to be able to tell them. This means understanding and leading on issues including your organisation’s privacy obligations, risks, and if your compliance strategy is fit for purpose.”

This boils down to some very basic questions for business leaders, according to Murphy. “Do I have a clear view of what personal information is being processed where, by who and for what purpose, and importantly, how was such data acquired?”

Brexit

And what of Brexit? “Any company with cross-border or cross-channel operations dealing with data from EU subjects needs to comply with the GDPR,” he points out. “The nature of business means that many organisations are likely to handle such data in some form, even if this means just one customer or employee.”

The GDPR impacts on the collection, use, transfer and disclosure of data on a global scale for organisations outside of the EU and this is likely to have considerable impact post-Brexit.

The board needs to take responsibility for understanding the risk, impact and crisis management response to a data breach

“With many Irish-based businesses involved in subsidiaries, outsourced providers and activity such as M&A, the onus is on the chief executive and the board to ensure that every part of the value chain applies the same high standards of privacy,” says Murphy.

It’s not just about customers. “Employees in the EU also fall under the GDPR so financial, health and other sensitive, personal information needs to be handled in a way that meets the new standards.”

The issue of trust extends to keeping data safe, he adds. “The best approach is to consider not if such events will take place but when. The board needs to take responsibility for understanding the risk, impact and crisis management response to a data breach or cyberattack.”

Nor is it just an internal challenge. Murphy cites monitoring of both internal and third-party supplier compliance in respect of privacy and security as additional issues to consider.

“May 25th will come and go but the obligations and opportunities will remain,” Murphy concludes. “Leadership on data should be part of a proactive risk management approach that is customer-centric with transparency, security and accountability second nature to everyone in the organisation.”