Cindy Truyens, Managing Director at SQS
With the EU General Data Protection Regulation (GDPR) on the horizon, and the ins and outs of the law decided, are you aware of the impact this will have on your current data management policies, processes and systems? For many businesses the realistic answer to this question is “I don’t know” and for most it will be “no”. No matter what industry you are in, if you handle other people’s data you are responsible for keeping it safe and bound by law to comply with data protection regulations.
This applies to data whilst it flows between departments, moves across different systems, is passed between individuals, transitions onto new platforms or programs, is handed to a third party – the list is endless. Claiming ignorance – especially once data has left the confines of the office “walls” – is no excuse. Those who underestimate the challenge of getting their data management systems and policies ready by the 2017 deadline could find themselves in severe financial and reputational hot water. As it stands, the maximum fine from the Information Commissioner’s Office for breaching the legislation is £500,000, whilst the EU GDPR states that fines can be 4% of global revenue. Companies who suffer data breaches will also be liable to provide compensation to those affected and face a significant loss of business, as information about the fines will be made public.
The desire for business intelligence
For most organisations, a single unified data model is the ultimate dream, from which to unlock value and better serve and retain customers. Being able to analyse data and turn insight into action has delivered untold benefits to companies. At the same time, the regulations which deem how the data can be used have been tightened up to better protect consumers, providing a management headache for companies. This is turning the dream into a very real nightmare as companies look to implement changes in what is often a very complex IT environment.
The extent of the challenge ahead
These new reforms represent the EU’s first major overhaul of data protection legislation for almost 20 years, during which time significant advances have been made in the way companies use data and the technology they have in place to store, transfer and interrogate it. As a result, the updated reforms will include key changes to the way in which personal data can now be used and stored. This will have a significant impact upon organisational policies and processes, with the need to move towards a ‘Privacy by Design’ ideal.
Often, personal customer data collected by organisations is used and transferred in ways in which the customer and owner of the data may not even realise. To tighten up the movement of sensitive data, “anonymisation” will form a key part of the new regulations.
The consequences of non-compliance
When considering the implementation of these regulations, it is vital that companies make changes to data governance and policies now, implementing ‘Privacy by Design’, in order to meet the two-year timeline that takes effect at the end of this year. To put the cost of non-compliance into perspective, a recent study found that the cost to an organisation responsible for a data breach has increased each year since 2007. Today each compromised record costs an average of £104. When considering the bigger picture, this equates to a significant average cost of £2.37 million per year.
We are also seeing people affected by data misuse claiming compensation from companies, with a current case looking at a minimum settlement of £250 per person. In the USA, health data breach statistics alone paint a very grim picture, with the top five breaches in 2015 so far impacting 99.3 million individuals.
To avoid such consequences, action needs to be taken now. This will ensure businesses are doing the right thing by their data, whilst avoiding the unwelcome wrath of the ICO or the FCA. These two organisations are currently policing the regulation and ensuring businesses keep their data beast under full control.
To help overcome the challenges of overhauling data management systems, there are three key areas which organisations need to address ahead of the new regulations:
- Consider a robust data policy from the very beginning
For businesses, actively applying cost-effective data governance policies and procedures from the inception of a project helps reduce the time and cost spent on dealing with inaccurate or poor-quality data in the longer term.
- Digitise and anonymise for streamlined data management
With the digitisation of systems, a single view of the customer and a unified data model have become increasingly difficult to achieve and are the biggest issues facing organisations today. The new data protection regulations will add another layer of complexity to how data is accessed and used.
Ultimately, the lack of a single view of data and of how it is configured leaves organisations with limited visibility of where their data is being accessed, copied, backed up or transferred. This will now have to change, and industry experts are on hand to walk organisations through the arduous but vital process of bringing their data into legal compliance. A key focus area of the regulation is the use of data within test environments, ensuring that all data contained therein is anonymised – a mammoth task given the levels of system integration and end-to-end processing required to ensure system accuracy and stability. Choosing the right tools to manage and anonymise or synthesise data for your business is paramount.
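As an added illustration of that test-environment requirement (not code from the article or from SQS), the script below replaces direct identifiers in a constructed customer extract with keyed, deterministic tokens so that the orders table still joins to the customers table, generalises postcodes to the outward code, and runs an acceptance check for leaked originals before the data is copied into test. Note that keyed tokens are pseudonymisation rather than full anonymisation: while the secret exists the output is still personal data under GDPR, so the key must be held outside the test environment.

```python
import hmac
import hashlib

# Constructed sample records standing in for a production extract (not real people).
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Jane Example", "email": "jane@example.org", "postcode": "SW1A 1AA"},
    {"customer_id": "C1002", "name": "Sam Sample", "email": "sam@example.net", "postcode": "M1 2AB"},
]
ORDERS = [
    {"order_id": "O1", "customer_id": "C1001", "total_gbp": "49.99"},
    {"order_id": "O2", "customer_id": "C1001", "total_gbp": "12.50"},
    {"order_id": "O3", "customer_id": "C1002", "total_gbp": "210.00"},
]

def pseudonym(secret: bytes, field: str, value: str, length: int = 10) -> str:
    """Keyed, deterministic token: same input -> same token, so foreign keys still join.
    The field name is mixed in so the same value in different columns gets different tokens."""
    digest = hmac.new(secret, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
    return digest[:length]

def generalise_postcode(postcode: str) -> str:
    """Keep only the outward code (area + district); drop the house-level inward part."""
    return postcode.strip().split()[0].upper()

def anonymise(customers, orders, secret: bytes):
    """Return copies of both tables with direct identifiers replaced and joins preserved."""
    out_customers = []
    for c in customers:
        cid = "C" + pseudonym(secret, "customer_id", c["customer_id"])
        out_customers.append({
            "customer_id": cid,
            "name": "Customer " + cid,
            "email": f"{cid.lower()}@test.invalid",  # .invalid TLD: never routes to a real person
            "postcode": generalise_postcode(c["postcode"]),
        })
    # Orders carry no direct identifiers; only the foreign key is re-tokenised with the same secret.
    out_orders = [
        {**o, "customer_id": "C" + pseudonym(secret, "customer_id", o["customer_id"])}
        for o in orders
    ]
    return out_customers, out_orders

def leaks_identifiers(anonymised_customers, original_customers) -> bool:
    """Acceptance gate: True if any original name, email or postcode survives in the output."""
    originals = {v for c in original_customers for v in (c["name"], c["email"], c["postcode"])}
    return any(v in originals for c in anonymised_customers for v in c.values())

if __name__ == "__main__":
    safe_customers, safe_orders = anonymise(CUSTOMERS, ORDERS, b"secret-kept-outside-test")
    print("leaks:", leaks_identifiers(safe_customers, CUSTOMERS), safe_customers, safe_orders)
```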
- Invest upfront to avoid fines and derive true business benefit
Without the correct IT, policies, processes and governance in place to ensure data quality and compliance, not only could organisations be exposed to hefty fines but they could also be missing out on key business benefits.
The cottage industry of people extracting, reformatting and standardising data behind the scenes is staggering and often a hidden cost of poor data management practices. A recent assessment highlighted that a large retail organisation could save in excess of £600,000 per month simply by standardising its data model across its integrated supplier, product management, distribution and reporting systems. With an upfront investment of £630,000, savings of up to £7.2 million per year could be a reality.
Building a strong framework for data from the beginning is the ideal. The reality is that the majority of organisations are fettered by a complex legacy IT estate and are faced with having to alter policy, processes and systems to achieve compliance. Making the upfront investment now is key. Bringing experts on board to make sure data is correctly mapped, stored and used will give organisations an adequate opportunity to adhere to the regulations. This will prevent unnecessary fines and ultimately boost data performance for the benefit of the business.
Reference: 2015 Cost of Data Breach Study: United Kingdom, Ponemon Institute, May 2015.