Almost two years on from GDPR: What have businesses done for data privacy?

By Ken Mortensen, Data Protection Officer, InterSystems.


While GDPR was brought in 18 months ago to protect consumers’ privacy and safeguard their data, concerns about the security of their personal information remain. As the general public realises the importance and value of their personal data, many are growing reluctant to share it with businesses. Consequently, privacy continues to be the most important aspect of data management for the majority of businesses. However, it’s not enough to just have processes in place to drive compliance with GDPR. This consumer trend requires organisations to enhance their processes and policies to sustain a data privacy programme and ensure the proper protections and safeguards. If businesses fail to do this, they not only face fines from regulatory agencies, but even the slightest failure to protect personal information could cost them the trust of their customers. As companies get to grips with this, we are seeing the concept of information ethics develop, but what does this mean for data privacy and what have businesses been doing since GDPR to provide for continuous improvement around the issue?


Introducing the Data Protection Officer

There is a growing complexity concerning who should have access to personal information, what it can be used for, and whether data should be used for anything other than its initial purpose, even if that is for the benefit of the consumer. Therefore, businesses must take a clear view on these issues to maintain customer trust. Yet, while the subject of privacy is a board-level and senior management risk issue, barely half of organisations have adequate controls in place. To change that, it is vital that the message of data privacy, the support for controls throughout an enterprise, and the stance on the ethical use of data all come from the top.


As organisations begin to look beyond compliance to drive competitiveness through the governance of personal information, the issues of trust and ethics pertaining to that information become more crucial to the success of the business. Personal information is starting to be treated as a critical asset and organisations are appointing senior people to lead the governance and ethics strategies, developing new roles with the sole purpose of protecting privacy. A number of businesses have already adopted this model, with companies like InterSystems appointing either a Data Protection Officer, a Trust and Ethics Officer, or a Chief Ethics Officer to ensure both compliance and trust are maintained through the ethical use of personal information. The creation of these roles sends a strong message that trust, and by extension, privacy, security, and ethics, are at the forefront of the culture of an organisation. But more than that, this approach moves the discussion on from businesses purely being compliant, to focusing more on operating ethically and doing the right thing.


Accountability at every level

In the year and a half since GDPR, a growing number of businesses have been trying to put data privacy on the radar of their entire employee base. In these organisations, it is becoming everyone’s mission to understand the provenance and use of information, with everyone taking accountability for how the organisation collects, uses, and shares personal information. This culture of accountability is also being extended to how organisations talk to their customers about data privacy, with more businesses adopting an open and inclusive approach to informing customers about what they are doing with personal information and how they are protecting it.


Between 85% and 88% of consumers state that transparency over data collection, usage and the benefits on offer is important when sharing personal information with businesses. As such, some businesses have recognised the need to close the gap between the expectations, responsibilities, and actions relevant to privacy protections and information ethics. With big data breaches, such as recent ones that exposed the data of almost 400 million people, it is no wonder fewer people are now willing to part with their personal information. That said, it may be possible to overcome the distrust these occurrences tend to inspire by taking an open and honest approach to talking to customers about how their personal information is used, stored, and shared. The issue of trust is something that organisations have been coming back to time and again since the introduction of GDPR, and it is echoed by leaders like Shell CEO Ben van Beurden, who believes that transparent and ethical behaviour is integral to gaining public trust.


The creation of governance frameworks

A governance framework ensures appropriate behaviour in the creation, storage, use, and deletion of information through the integration of processes at all levels of the company. It can be used to examine the issues of privacy and security and how the related business processes can be consistently and reliably implemented across an organisation. Within such a framework, both privacy and security matters are examined: the privacy side concentrates on the collection, use, and disclosure of personal information, while the security side concentrates on the confidentiality, integrity, and availability of that information. As organisations implement a governance framework, they may seek outside auditors to demonstrate that they are trustworthy.


As the narrative moves beyond mere compliance and towards trust and ethics, businesses must continue to improve their efforts in this area. While the initial groundwork has been laid, maintaining data privacy is an ongoing battle and organisations need to implement changes that go beyond new processes and ways of working. Therefore, companies must begin to develop a culture of accountability that supports their efforts to maintain a data privacy programme, led by someone in a role dedicated to data and trust. In the near future, as this approach to data privacy is more widely adopted, we will see trust and ethics driving decisions on the processing of personal information.
