Many companies view GDPR compliance as a necessary evil rather than an opportunity to improve business models and customer experiences. This article takes a closer look at some of the benefits your organisation can gain from using privacy as a key differentiator in your market.
Firstly, it’s essential to understand the scope of the General Data Protection Regulation (GDPR). Implemented by the EU in 2018, the GDPR applies to all organisations processing data from people within the EU. Therefore, companies based anywhere in the world can fall within scope of the GDPR.
Being conscious of the consequences of non-compliance is critical. Yes, there are eye-watering levels of fines that can be levied. However, the other side of the coin is the advantages of good data management and governance.
We have outlined three key benefits for your organisation below.
Benefit 1: DPIAs help to build customer trust
Article 35(1) of the GDPR requires that a data protection impact assessment (DPIA) must be carried out when processing activities present a “high risk to the rights and freedoms of natural persons”. While the GDPR does not define what is meant by high risk in this context, the Article 29 Working Party, an EU advisory body for data protection (which has since been replaced by the EDPB), offered several mechanisms for determining when data processing activities meet the “high risk” standard. For example, an organisation should consider conducting a DPIA if it engages in data processing activities that involve automated decision making, matching or combining data sets, or processing the data of vulnerable data subjects.
Implementing a DPIA facilitates a comprehensive and systematic analysis of the methods of processing that an organisation proposes to use in new projects and initiatives. This supports informed decision-making when developing new products and ensures data protection is integrated into the fabric of the project, rather than being an afterthought.
This ‘privacy by design’ approach brings with it many advantages that organisations can leverage to decrease costs and increase consumer trust. For example, DPIAs can reduce operational costs by optimising information flows within a project and eliminating unnecessary data collection. This is best achieved through tracking data flows and knowing how data is to be collected, stored, used, deleted and accessed.
DPIAs can also build consumer trust by demonstrating to prospective and existing customers that their data is being processed in a safe, careful and compliant manner.
Benefit 2: Storage limitation can optimise compliance costs
The storage limitation principle is set out under Article 5(1)(e) of the GDPR. This requires that data processed is accurate, up to date and deleted after its use has been completed. Organisations should not keep personal data for longer than needed, and should perform periodic reviews to identify data stored beyond the intended purpose in order to satisfy this principle.
Databases are all too often filled with stale data, from which an organisation can derive little benefit. As markets evolve, so do the preferences and demands of consumers. The data held by organisations needs to reflect this ever-changing environment by replacing outdated information that no longer serves needs of customers with data that is correct, precise and useful.
Deleting outdated information also eases the burden on IT infrastructure by freeing up space. According to the CrowdFlower 2016 report, data scientists spend on average 60 per cent of their time cleaning, wrangling and organising data. Data storage limits, if implemented correctly, can therefore greatly reduce the time it takes to find business intelligence, thus increasing the analytical and operational efficiency of the company. It also saves money on the cost of storing the data in a secure manner.
Having less data means less risk. The more data held, the more risk in terms of security. The more data held, the more data the organisation will have to sift through if it receives a data subject access request.
Finally, reducing the size of databases can potentially reduce legal costs. The 2019 Cost of a Data Breach Study by IBM found that, on average, a data breach affects over 25,000 records, with the cost of each record being around €120. Keeping fewer records can therefore provide companies with an opportunity to keep compliance costs to a minimum.
Benefit 3: A swift breach response can positively impact net profits
Effective breach response times are critical. Under GDPR Article 33(1), data security incidents must be reported to the supervisory authorities within 72 hours in certain cases. Organisations that fail to abide by these response times are not only at risk of incurring fines, but also of losing the trust of their customers. On the other hand, if a company can deal with a breach effectively enough to minimise the damage, it can often regain customer trust and establish itself as a privacy-conscious business.
In reality, many organisations take far longer than 72 hours to relay notification of a breach. According to IBM, organisations take as many as 197 days on average to identify a breach and a further 69 days to resolve one. Such prolonged response times can have a substantial effect on net profits. Organisations that fix data breaches within 30 days save up to €1 million in comparison with those who take the average amount of time. The stocks of companies with a high security posture also recover faster from financial and reputational shocks – within 7 days, on average. On the other hand, companies with inefficient response times experience a decline in stock value for up to 90 days.
To save on breach costs, facilitate the quick recovery of stock value, regain the trust of consumers and use the breach as an inflection point, organisations should have a robust data breach response plan in place. This should be implemented by a dedicated data breach response team made up of personnel from different departments, including executives, to ensure efficient resource allocation. The plan should designate tasks to be performed in the initial stages of a breach, as well as set out notification times and channels of communication for customers and data protection authorities.
In closing
The importance of data protection for the consumer is at an all-time high. With cyber threats constantly evolving and on the increase, and data breaches becoming commonplace in all industries, consumers are not willing to give their data to private and government organisations that cannot guarantee adequate security for it. The data processing activities of a company can therefore play a valuable role in fostering consumer trust, making privacy a key differentiator in the modern market economy.
Organisations can champion privacy as a brand driver to reduce costs, increase efficiency and augment annual revenues, allowing them to thrive within today’s privacy-conscious society. Employing key privacy mechanisms such as DPIAs, data storage limitations and data breach response plans will help organisations unlock their competitive potential.