Eight months into the GDPR, it is now time to reflect on what data protection regulatory changes have entailed for businesses.
techUK’s “Navigating Global Data Governance” saw speakers from start-ups, consultants, small service providers and large multinationals do just that as they shared their experience of operating in an increasingly complex privacy landscape.
The panel began with a debate on the challenges faced on data governance: understanding the relationship with data, dependence on legacy systems, and skills shortage and resourcing. To tackle these challenges, panellists agreed, there’s a need for a roadmap that can be reviewed and optimised over time.
Speakers relished the challenge, though. The new regulation has spurred organisations to understand their own relationship with data; who generates it, who holds it, who accesses it, where it travels and through which channels. Speakers unanimously agreed that this apparent burden has built a better approach to data governance that serves business purposes. Integrating data privacy with a wider data governance and overall business strategy is key for gaining a competitive advantage.
Raising broad internal awareness of data protection is key to gaining this advantage. Compliance teams should aim to change their organisation’s culture, from the grassroots to the C-level. A privacy-by-design model can be applied, assessing all risks before building a compliance operation. This could go beyond being legally compliant and accountable to Data Protection Authorities (DPAs) and add a commitment to respecting individuals’ data rights since, at the end of the day, it remains uncertain how global businesses should deal with upcoming and often diverging regulations from different parts of the world, such as the ePrivacy Regulation, China’s Cybersecurity Law, or the California Privacy Legislation. By identifying core principles, panellists agreed, it’s easier to adapt to all of them and ensure that your products doesn’t violate privacy.
Further discussions touched on the evolving role of Data Protection Officers (DPOs) — from a part-time contractor role to a full-time function. Many companies, especially SMEs, don’t have the resources for such a hire and assign someone internally who doesn’t necessarily have the experience to be a DPO. In these cases, panellists agreed, best practice is to involve those that directly engage with handling data (often marketing teams) and provide them with the right tools to provide feedback.
DPOs and compliance teams should adopt a proactive approach, not only for flexible strategies (such as a business expansion in a new country) but also for predicting what lies ahead. Anticipating regulatory changes allows companies to make timely adjustments. This is ever important in the context of data protection, which will continue evolving rapidly in the months and years to come.
The panel ended back to where it began with a discussion on the future challenges around data protection. Speakers warned that organisations might step down their efforts to comply with the GDPR after the initial hype dissipates or fail to focus on a sustainable programme. As they stressed several times, data protection cannot remain a sole obligation for the DPO but needs to be embedded within every department in an organisation. In times in which regulators have a tight grip on privacy-related issues, panellists argued a well-designed data governance strategy must become a core part of every business.
Author: Julian McNeil, Access Partnership
