Head of Privacy & Data Protection
Although it was the culmination of several years’ work, the introduction of the General Data Protection Regulation (GDPR) in May this year should be seen as the beginning rather than the end of a journey to put privacy and data protection at the top of the business agenda.
As well as GDPR, the new ePrivacy regulation, which will govern digital marketing and also impact on developments such as the Internet of Things, is currently being discussed in the European Parliament and is due to come into force in the next year or so. All over the world new privacy laws are being introduced with California and Vermont currently leading the way in the US. Asia is also focusing heavily on privacy issues, with the Philippines being the latest to enact a new law. India is currently discussing a new law which is likely to impact global businesses that host their data there.
As data becomes increasingly important, the focus on how it is collected and used is only going to intensify. However, although GDPR and other data-focused legislation will inevitably mean additional compliance work for companies, it should be seen as a way to improve how they harness data and engage with customers.
With the right approach, companies innovating through technology can thrive and gain real competitive advantage.
Against that backdrop CEOs and business leaders have a key role to play by embracing this new era and ensuring privacy is at the heart of what their organisations do.
Looking beyond compliance
To achieve this, leaders will have to look beyond compliance and strive towards acting ethically. Although ethics has perhaps become a rather over-used buzzword, there is no doubt that after the Facebook scandal individuals want to be reassured about the way companies handle their data.
Some of the biggest names in technology are responding to this with IBM developing strategies to alleviate bias in their algorithms and Google publishing a set of norms governing their operations. A plethora of organisations have also been set up to discuss ethics, especially in data science analytics, and any forward-looking company needs to recognise and embrace this shift.
Importance of management structure
CEOs and business leaders need to ensure their senior management teams have proper focus on the issue by having a Chief Privacy Officer in place (even if they do not need to have a Data Protection Officer) and, ideally, a Chief Ethics Officer.
It is also important to decide where the Data Protection function sits, given it could be argued that it is neither solely a legal nor an IT function. Given the need to liaise with both legal and IT teams as well as the rest of the company, it is recommended that the Chief Privacy Officer and Chief Ethics Officer report directly to the Board or the CEO.
Addressing global implications
As the privacy landscape continues to evolve and businesses increasingly operate in many different markets, it is important for organisations to establish global privacy programmes, ensuring all jurisdictions where they operate are covered.
It is important to be aware that the definition of personal data and reporting requirements will differ across countries. In the US for example, there are 50 federal reporting procedures, with slight variations between them.
Businesses in the UK will also have to understand how Brexit will impact their data flow, and review all their contracts to ensure business continuity after the UK's departure from the EU next year. The UK Government has recently issued guidance encouraging companies to review their processes and seek advice on their data sharing agreements to avoid an impasse in the event of a ‘no deal’ Brexit.
Issues raised by innovating through technology
Although some have argued the GDPR is over-restrictive or unsuitable for the era of big data analytics we live in, the key principle of the legislation is to create trust, which will in turn foster innovation.
As businesses continue to innovate through technology, it is important that they understand the impact of the GDPR and wider privacy law.
Take blockchain as an example. A growing number of companies are starting to use blockchain in different areas of their business, and this is raising some privacy concerns, mainly due to an apparent incompatibility between blockchain and the GDPR. The requirement for a right of erasure, which is enshrined in the legislation, cannot be met in blockchain technology, as its inherent characteristic is to be immutable. Solutions can be found though, for example by encrypting personal data so that the key can be deleted should the data subject want their data to be deleted.
Companies are also increasingly investing in data science, analysing data using algorithms to discover meaningful patterns for marketing, logistics, planning and many other purposes. As they look to analyse more data, the processes become more automated and the opportunities for real innovation grow.
With that, however, the risk of breaching privacy rights increases. Algorithms can be biased, and where automated decisions are involved, companies will have to ensure they can provide meaningful information about the process followed (a subject of intense debate currently) and ensure individuals are informed and can challenge the decision.
At a time when technology offers us ever-greater opportunities, it is important that business leaders embrace the privacy and ethics needed to successfully drive them forward.
Moving beyond compliance and leveraging technology to offer customers solutions that protect their rights is essential for any company that wants to thrive in the environment we are now in.
Gemserv are an expert provider of professional services enabling the data revolution. Our work includes high profile subject matter expertise supporting data protection, ethics and privacy on projects for organisations with high technological capability across multiple countries and jurisdictions.