Article

Mandeep Sandhu
Mandeep Sandhu 16 February 2018

GDPR: Burden or benefit?

Recently, Carbon Black hosted a GDPR roundtable discussion for more than 20 CISOs, senior compliance and risk directors from enterprise organisations. The conversation ranged from readiness, to the New Data Protection Bill, to insights around various different Articles within GDPR and the tools companies need. Below are five key takeaways from the fascinating discussion.

Recently, we hosted a GDPR roundtable discussion for more than 20 CISOs, senior compliance and risk directors from enterprise organisations. The conversation ranged from readiness, to the New Data Protection Bill, to insights around various different Articles within GDPR and the tools companies need. Below are five key takeaways from the fascinating discussion.

  1. Key GDPR challenges

When asked what their biggest challenge is relating to GDPR, various participants talked about their concerns surrounding telemarketing, as they often don’t ask for permission when contacting clients. Other concerns included understanding data erasure as well as data mapping with legacy systems and hard copy files. They said handling historical records and legacy applications can be challenging. Participants said they were also unsure how to implement GDPR locally and follow this through with overseas parent companies. They also wondered how to ensure partner companies are adhering to the legislation. How to interpret and understand risk was another concern as the challenge of establishing the legal basis for processing personal data.

Many organisations don’t know why they have been amassing personal data for many years, creating ‘data lakes’ that are now a breach under Article 5. Organisations are concerned about erasing personal data because it is more complicated than they realised, they said, and many are uncertain how to ensure it is properly destroyed.

  1. Why do we need GDPR?

GDPR represents a major development in EU data protection law as data subjects' rights are strengthened across the board, with a natural toughening of obligations for personal data. We talked about how GDPR puts a framework around the world’s biggest, single, digital market, which has developed enormously since the original Data Protection Act 1998. As we have embraced digital, consumers have freedom around what products and services they use, but that freedom makes it hard for organisations to do business across one digital market.  Many changes have been enabled by advances in technology, hence it has taken four years for GDPR to be agreed by the European Commission, European Parliament, and Council of Ministers.

GDPR is focused on personal data processing and providing greater accountability, transparency, and control. Under Article 13, a data privacy notice is given directly to the data subject and under Article 14, the data controller must give the data subject a data privacy notice. The data privacy notice is the cornerstone of transparency and accountability in the GDPR and if an organisation is going to process someone’s data, they must pay particular attention to this.

  1. The GDPR transition journey

The group discussed how organisations tackle GDPR. A typical GDPR transition journey starts with an assessment of the existing organisational landscape. The assessment involves identifying compliance and very high-risk areas of processing personal data. Organisations should then define a future state and work toward designing the people, processes and technology components that will mitigate risk. Technology can be used to effectively reduce risk in processing personal data and enable organisations to manage and continuously improve risk mitigation and data protection by design and by default (Article 25, GDPR).

  1. GDPR in a box

Full compliance with Article 25, which is all about data protection by design and default will mean an organisation is almost 100% compliant. One participant talked about Article 25 being “GDPR in a box.”

GDPR is a principles-based regulation; it doesn’t spell out in detail what organisations need to do to reduce high risk to residual risk. If an organisation has a personal data breach, it has to provide a narrative that shows the ICO and regulator(s) it has taken measures to mitigate risk through appropriate technical and organisational measures.  This led the conversation onto the role of the Data Protection Officer (DPO) and how this role can help by making sure the organisation is on the right path. Also, if there is a personal data breach, the supervisory authority may point to the fact that the organisation didn’t have a DPO as an aggravating factor.

  1. Burden or benefit?

So, is GDPR a burden or are there benefits? Will organisations be able to do more with personal data by building a personal sense of trust with their customers?  Or are they putting GDPR in place to make sure they don’t get fined or sanctioned?  The consensus was that, right now, about the greatest concern is not getting fined, with one participant commenting: “GDPR is so vast and so woolly, there is a fear of tripping yourself up, so we are focused on having the basics in place so we don’t get fined. This is first base and we’ll think about the next level after that.”

We concluded the roundtable by asking who felt they were GDPR ready. One participant was confident their organisation was 90% ready. Another claimed to have only started its GDPR journey yesterday. When thinking about what they would implement immediately, participants talked about embedding GDPR into their entire product-management lifecycle, aligning technology to different Articles and removing “data lakes” by seriously looking at the retention of data and its deletion.

Please login or register to add a comment.

Contribute Now!

Loving our articles? Do you have an insightful post that you want to shout about? Well, you've come to the right place! We are always looking for fresh Doughnuts to be a part of our community.

Popular Articles

See all
7 reasons why social media marketing is important for your business

7 reasons why social media marketing is important for your business

Social media is quickly becoming one of the most important aspects of digital marketing, which provides incredible benefits that help reach millions of customers worldwide. And if you are not applying this profitable...

Sharron Nelson
Sharron Nelson 6 February 2018
Read more
Digital Marketing Vs. Traditional Marketing: Which One Is Better?

Digital Marketing Vs. Traditional Marketing: Which One Is Better?

What's the difference between digital marketing and traditional marketing, and why does it matter? The answers may surprise you.

Julie Cave
Julie Cave 14 July 2016
Read more
Top 10 B2B Platforms to Help your Business Grow Worldwide

Top 10 B2B Platforms to Help your Business Grow Worldwide

Although the trend of a Business to Business portal is not new but the evolution of technology has indeed changed the way they function. Additional digital trading features and branding has taken the place of...

Salman Sharif
Salman Sharif 7 July 2017
Read more
What Marketing Content Do Different Age Groups like to Consume?

What Marketing Content Do Different Age Groups like to Consume?

Today marketers have a wide choice of different content types to create; from video to blogs, from memes to whitepapers. But which types of content are most suitable for different age groups?

Lisa Curry
Lisa Curry 21 October 2016
Read more
Collection Of The Best Email Testing Tools Online

Collection Of The Best Email Testing Tools Online

Don’t be afraid of email testing. There are many free or freemium tools online that can help you with testing your SPAM score, deliverability and even the rendering of your email. We feature 30 email testing tools in...

Roland Pokornyik
Roland Pokornyik 31 October 2016
Read more