Article

Mandeep Sandhu
Mandeep Sandhu 16 February 2018

GDPR: Burden or benefit?

Recently, Carbon Black hosted a GDPR roundtable discussion for more than 20 CISOs, senior compliance and risk directors from enterprise organisations. The conversation ranged from readiness, to the New Data Protection Bill, to insights around various different Articles within GDPR and the tools companies need. Below are five key takeaways from the fascinating discussion.

Recently, we hosted a GDPR roundtable discussion for more than 20 CISOs, senior compliance and risk directors from enterprise organisations. The conversation ranged from readiness, to the New Data Protection Bill, to insights around various different Articles within GDPR and the tools companies need. Below are five key takeaways from the fascinating discussion.

  1. Key GDPR challenges

When asked what their biggest challenge is relating to GDPR, various participants talked about their concerns surrounding telemarketing, as they often don’t ask for permission when contacting clients. Other concerns included understanding data erasure as well as data mapping with legacy systems and hard copy files. They said handling historical records and legacy applications can be challenging. Participants said they were also unsure how to implement GDPR locally and follow this through with overseas parent companies. They also wondered how to ensure partner companies are adhering to the legislation. How to interpret and understand risk was another concern as the challenge of establishing the legal basis for processing personal data.

Many organisations don’t know why they have been amassing personal data for many years, creating ‘data lakes’ that are now a breach under Article 5. Organisations are concerned about erasing personal data because it is more complicated than they realised, they said, and many are uncertain how to ensure it is properly destroyed.

  1. Why do we need GDPR?

GDPR represents a major development in EU data protection law as data subjects' rights are strengthened across the board, with a natural toughening of obligations for personal data. We talked about how GDPR puts a framework around the world’s biggest, single, digital market, which has developed enormously since the original Data Protection Act 1998. As we have embraced digital, consumers have freedom around what products and services they use, but that freedom makes it hard for organisations to do business across one digital market.  Many changes have been enabled by advances in technology, hence it has taken four years for GDPR to be agreed by the European Commission, European Parliament, and Council of Ministers.

GDPR is focused on personal data processing and providing greater accountability, transparency, and control. Under Article 13, a data privacy notice is given directly to the data subject and under Article 14, the data controller must give the data subject a data privacy notice. The data privacy notice is the cornerstone of transparency and accountability in the GDPR and if an organisation is going to process someone’s data, they must pay particular attention to this.

  1. The GDPR transition journey

The group discussed how organisations tackle GDPR. A typical GDPR transition journey starts with an assessment of the existing organisational landscape. The assessment involves identifying compliance and very high-risk areas of processing personal data. Organisations should then define a future state and work toward designing the people, processes and technology components that will mitigate risk. Technology can be used to effectively reduce risk in processing personal data and enable organisations to manage and continuously improve risk mitigation and data protection by design and by default (Article 25, GDPR).

  1. GDPR in a box

Full compliance with Article 25, which is all about data protection by design and default will mean an organisation is almost 100% compliant. One participant talked about Article 25 being “GDPR in a box.”

GDPR is a principles-based regulation; it doesn’t spell out in detail what organisations need to do to reduce high risk to residual risk. If an organisation has a personal data breach, it has to provide a narrative that shows the ICO and regulator(s) it has taken measures to mitigate risk through appropriate technical and organisational measures.  This led the conversation onto the role of the Data Protection Officer (DPO) and how this role can help by making sure the organisation is on the right path. Also, if there is a personal data breach, the supervisory authority may point to the fact that the organisation didn’t have a DPO as an aggravating factor.

  1. Burden or benefit?

So, is GDPR a burden or are there benefits? Will organisations be able to do more with personal data by building a personal sense of trust with their customers?  Or are they putting GDPR in place to make sure they don’t get fined or sanctioned?  The consensus was that, right now, about the greatest concern is not getting fined, with one participant commenting: “GDPR is so vast and so woolly, there is a fear of tripping yourself up, so we are focused on having the basics in place so we don’t get fined. This is first base and we’ll think about the next level after that.”

We concluded the roundtable by asking who felt they were GDPR ready. One participant was confident their organisation was 90% ready. Another claimed to have only started its GDPR journey yesterday. When thinking about what they would implement immediately, participants talked about embedding GDPR into their entire product-management lifecycle, aligning technology to different Articles and removing “data lakes” by seriously looking at the retention of data and its deletion.

Please login or register to add a comment.

Contribute Now!

Loving our articles? Do you have an insightful post that you want to shout about? Well, you've come to the right place! We are always looking for fresh Doughnuts to be a part of our community.

Popular Articles

See all
How to Collaborate With UGC Creators?

How to Collaborate With UGC Creators?

Learn how to boost your brand through UGC creator collaborations: define goals, identify and engage with creators, offer incentives, and measure success for long-term partnerships.

Shivam Rawat
Shivam Rawat 28 February 2024
Read more
Adapting B2B Digital Marketing for the Modern Buyer Journey

Adapting B2B Digital Marketing for the Modern Buyer Journey

Digital marketing also allows for precise tracking and measurement of marketing efforts, enabling data-driven decision-making and optimization. In an increasingly competitive B2B landscape, a well-executed digital...

Ghia Marnewick
Ghia Marnewick 21 February 2024
Read more
How To Be the Best Marketer in 2024: Traits According to Your Star Sign

How To Be the Best Marketer in 2024: Traits According to Your Star Sign

Have you ever wondered how your astrological sign might influence your marketing approach?

Jen Macdonald
Jen Macdonald 16 February 2024
Read more
7 Reasons Why Social Media Marketing is Important For Your Business

7 Reasons Why Social Media Marketing is Important For Your Business

In the past two decades social media has become a crucial tool for marketers, enabling businesses to connect with potential customers. If your business has yet to embrace social media and you want to know why it is...

Sharron Nelson
Sharron Nelson 29 February 2024
Read more
How to Review a Website — A Guide for Beginners

How to Review a Website — A Guide for Beginners

Whether you're a startup or an established business, the company website is an essential element of your digital marketing strategy. The most effective sites are continually nurtured and developed in line with...

Digital Doughnut Contributor
Digital Doughnut Contributor 7 January 2020
Read more