UK businesses and public bodies are spending significant time and effort sharpening up their documentation of data processes and policies in time for the General Data Protection Regulation (GDPR) taking effect on 25 May. For example, as data privacy laws are tightened, companies must update their privacy policies for key customer touch-points such as websites. But most of this is happening under the radar of the public, which is largely oblivious to the imminent introduction of a regulation that directly affects how their personal data are handled.
The public appetite for change on privacy is certainly there: in the UK, Direct Marketing Association (DMA) research found that 86% of consumers want more control over the way that companies use their personal data.
But despite the ICO recently launching its GDPR awareness campaign for micro-businesses and running a UK public awareness campaign from this month, many employees and consumers still don’t fully understand how the GDPR will affect them and what steps they need to take to ensure that the changes boost their privacy.
There are three essential points that need to be communicated:
- Why the change is happening. We have yet to see a genuine explanation for the public of the reasons behind the GDPR – in particular, the EU's and consumers' growing concern at the lack of controls on personal data. Knowing this alone would certainly help when the next email lands in a consumer's inbox asking them to update their preferences.
- How their data are handled. Consumers and employees are given little insight into how their data are processed in today's increasingly mobile app- and cloud-based economy. Personal data have been separated from business controls by the explosion in distributed IT networks and social media. Under the GDPR, organisations will need to audit and understand their data processing in ways that the average person has yet to grasp – even if UK boardrooms are buzzing with talk about fines of €20 million or 4% of global annual turnover for non-compliance.
- Security is a matter of process. Securing our data (and GDPR compliance) is all about effective process: the new regulation doesn't tell an organisation exactly what to do, so every management team will have to define what is right for its commercial operations and how its employees enact it, day by day. The GDPR is, in effect, a framework in which effective data security processes are the common, guiding factor. Anything from people's medical records to their opinions on social media will be covered by the new regulation.
I believe it’s overdue that the GDPR’s benefits for consumers and employees – as well as the implications for business – are spelled out in layman’s terms, rather than being communicated solely as a complex, business compliance issue.
By Marc Sollars, CTO, Teneo
European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPOs, security professionals and senior business decision makers looking for information, updates, clarity, advice and solutions. For more information, visit the website.