The GDPR: A business imperative

The GDPR: A business imperative
Nov 22, 2019 BLOG

In this article, we look at what it means to be GDPR compliant and the benefits of doing so. Referring to the latest study carried out by the European project STAR II, Trilateral Research’s Data Protection Consultant Kai Matturi investigates the impact surrounding SMEs not being GDPR compliant and the effects it can have on their business.

There has been a lot of attention focused on the penalties for not complying with the General Data Protection Regulation (GDPR), yet it is the impact to business reputation and continuity that is likely to be much more significant in the long run. Becoming GDPR-compliant goes beyond avoiding fines. It means setting up processes and safeguards that enhance customers’ trust and avoid business disruption.

Falling foul of the GDPR will result in litigation and fines but hidden beyond these will be an incredible amount of disruption. If a business is hit with a lawsuit because it was not gathering personal data properly or failed to inform customers of a data breach, it will need to follow a lengthy process. This will involve gathering all the relevant business information to provide context, which will be used to investigate a potential breach.

If a business does not have a sufficient overview of its data, the above process will disrupt the ICT team, the legal team and the wider business, leading to opportunity costs, amongst many other issues. To avoid this nightmare scenario, companies should develop a proactive approach with respect to the GDPR.

The companies that took part in the STAR II project often used the word “catalyst” when describing the GDPR and its impact on their business. It is forcing many companies to do what they should have been doing all long – take ownership of the personal data that they collect and process.

Benefits in complying with the GDPR

There is growing evidence that companies who seek to be compliant with the GDPR are seeing benefits beyond GDPR compliance. The Data Privacy Benchmark Study published by Cisco shows that companies that have invested in customer privacy requirements, have reported shorter sales delays and fewer or less serious data breaches.

Furthermore, GDPR-ready companies that have suffered a data breach reported that the average number of impacted records was 79,000, compared to 212,000 reported by non-compliant companies.

The Cisco study also found that the system downtime associated with a breach was shorter in the case of GDPR-ready firms, and the costs of dealing with the incident were also considerably smaller.

While businesses in highly regulated sectors tend to lead the way when it comes to data governance and by extension data protection, the GDPR has levelled the playing field. Companies of every size will require a comprehensive view of all their data, making it easier to employ data analytics successfully. While companies will need someone to interpret the data patterns and pinpoint the resulting insights, it will be easy for them to catch up with those companies already employing these tactics.

Many suppose that companies will find the GDPR too restrictive or argue that it expects too much of companies. Yet the vast majority of companies that were involved in STAR felt that it is not prescriptive enough. Companies may know what they are supposed to do, but the regulation does not clarify how to do it. The companies surveyed by the STAR II partners indicated a strong preference for templates and other practical guidance on how to implement the GDPR.

The need for a roadmap to GDPR compliance

The biggest hurdle is taking the first step, by identifying the greatest risks to the company. No single technology solution is able to do this. It requires multiple solutions combined with both people and process to build a suitable technology roadmap. This should identify the worst risks and exposures so they can be addressed both under the GDPR and other industry regulation.

The fact is that most companies were almost certainly not 100 % ready for the GDPR when it came into effect on May 25th, 2018. Ensuring that a detailed roadmap is in place will help companies know what to prioritise, as well as demonstrating advancement if required to show that the compliance process is underway by a regulator.

The GDPR has brought many different sizes and types of companies into the regulated world. The future could be confusing for them – particularly if they focus on the risks rather than the rewards. Making changes as soon as possible to be among the early adopters in the market will do more than act as a differentiator from the competition. It will drive customer trust and open up valuable insights to accelerate business.

This post was originally posted on:

Our blog

SupporT small And medium enterprises on the data protection Reform II — STAR II 2019-2020

Helping SMEs better cope with the GDPR

Helping SMEs better cope with the GDPR

Oct 19, 2020 BLOG
As part of the STAR II project, TRI has been working on better understanding how small and medium enterprises...
Welcoming feedback on Guidance for DPAs on good practices to run hotlines for SMEs and the Handbook on European data protection law for SMEs

Welcoming feedback on Guidance for DPAs on good practices to run hotlines for SMEs and the Handbook on European data protection law for SMEs

Aug 23, 2020 BLOG
The main purpose of this workshop is to receive feedback on the two documents. Our event will be highly interactive, and we will provide participants and speakers with the opportunity to exchange and to voice their thoughts on the Guidance and the Handbook.
What are the challenges that SMEs are facing in complying with the GDPR? A view from the field

What are the challenges that SMEs are facing in complying with the GDPR? A view from the field

Jan 07, 2020 BLOG
Since the GDPR came into force in May 2018, organisations of all sizes have been grappling with...