I recently attended BigDataLDN and one of the panel sessions was on GDPR compliance – specifically the state of play 18 months on from its inception. The panel was chaired by Ross Simson, Head of Data Factory at Thames Water, and included Dai Davis, Partner at Percy Crow Davis and Co; Nicola Askham, Data Governance Coach; James Palmer, Data Protection Officer at Hastings Direct; and Sebastian Weyer, CEO of Statice.
Ross Simson, as host, always likes to encourage audience participation so I made sure I was sitting away from the line of fire. The audience was asked if they would consider themselves to be fully GDPR compliant. Not a single hand was raised. A powerful image for sure, especially considering the concerns organisations must have in terms of consequences of non-compliance. But surprising? Not really.
As concerned as people are about consequences, and as keen as they are to conform to the ICO’s guidance, the road to compliance is often considered daunting and complex, with muddy areas that no one is really sure how to navigate. Also, the fear of sanctions and a lack of understanding over what’s allowed and what’s not can hinder activity and leave projects abandoned before they have even begun.
However, as the panel members discussed, GDPR needn’t be seen as a liability or something that should be worked on in isolation. Rather, compliance should be built in when creating a data protection culture within an organisation. It needn’t be something that hinders marketing activity or communication with customers. Instead, it can be the foundation on which to build a successful and more effective communication strategy that improves customer satisfaction and facilitates appropriate sales conversations.
On the panel, James Palmer from Hastings Direct said GDPR had seen a spike in Data Subject Access Requests (DSARs), with Hastings Direct seeing a 3000% increase. This may well seem an intimidating stat, especially if customer data is stored across multiple different systems and departments. However, the task becomes an achievable one if an organisation works to create a single view of the customer, which brings together data from across the organisation into one place. Not only would this facilitate the process of handling data subject access requests, but if the single customer view also centralised customers’ contact permissions, any department wishing to communicate with customers would be working with accurate and up-to-date consent.
Nicola Askham’s view was that GDPR should not be carried out in isolation and an emerging positive was that good data governance would lead to improved evidence of compliance. GDPR needn’t be feared and compliance concerns shouldn’t hold back an organisation’s aspirations or activity. Rather, it should be viewed as an opportunity to change the internal culture and keep the customer, and the protection of their data, at the heart of it all.
Rinkoo Pugal, Managing Director at Data Risk Solutions Ltd and Data Protection SME, observes that GDPR has compelled organisations to re-think their use of personal data. “Many firms have put in place new governance frameworks to support compliance, but it has been very difficult. The way we think about and use personal data has changed forever.
“With new regulatory requirements on the horizon to cement the principles of the GDPR, organisations will need to balance commercial decision making with regulatory compliance. Therefore, prioritising data protection by implementing organisation-wide governance standards will underpin both BAU and digital transformation projects; future-proofing compliance and creating a culture of change.”