Like many people, I’m having a little bit of GDPR fatigue. While the topic is really important, there’s no denying that it’s a little dull, right?
I’m pleased to say Ardi Kolah proved me wrong, delivering an engaging and inspiring session.
He started with a reminder that the genesis of the regulation was lowering barriers to entry and creating more choice for consumers. On that basis, GDPR should be seen as an opportunity. Yes, we have to keep security and protection in mind, but we also need to remember that a lot of this relates to commercial competition.
Recounting a presentation he delivered for the City of London, Kolah suggested that we should think less about regulation and more about reputation. We all know what the right thing to do is ethically. So in many respects, GDPR should be seen as a codification of best practice.
So, what’s the impact for HR professionals? Kolah noted that, out of all the areas of GDPR, the areas linked to HR have the most wiggle room for member states to pass their own legislation. Kolah’s prediction on how that will pan out in the UK is that there will be a new Data Protection Act that will receive royal assent by April.
It’s time to reboot our thinking around data protection. It’s no longer a tick-the-box exercise. It’s time to think about data protection, privacy and security being embedded in products, services and everything we do. It’s important to see that through the lens of our customers, clients, supporters and employees.
In simple terms, transparency and accountability are the two factors running all the way through the GDPR. Kolah rightly observed that those two factors are things that a lot of organizations would want to promote as part of their core values. Those two elements are key components for attracting talent. A culture of accountability is important in how we implement this change in relation to data management.
A key takeaway from the session is to forget about GDPR being a regulation. Think instead about business continuity, risk and technology, and about linking those things together. The real opportunity for all of us is to do more, not less, with personal data — and that’s the intention behind the regulation. GDPR will free organizations to do that in a transparent way. This is about building a culture of confidence around data, and thinking about the rights and freedoms of individuals.
GDPR is a principles-driven regulation, which means it doesn’t actually spell out in absolute detail what we have to do. You need to apply it in context and understand what kind of processing you are undertaking. What are you doing that is high risk (or very high risk) in relation to processing? If you’re doing low-risk or medium-risk activity, don’t worry about it. Take steps to mitigate the risk so it doesn’t cause harm to individuals. Record what you’ve done, so that if there is a data-protection breach, you have a narrative that you can present should you be required to do so.

Training is a front-line defense, and is absolutely critical. Anyone in your organization touching data has to be trained. One of the first things the ICO will do if a breach occurs is ask to see the training records, and if you haven’t got them, it’s going to be an aggravating factor. If you have training in place and have records, that will be a mitigating factor.
Ultimately, GDPR is really about providing a framework for the world’s largest single digital market, and it’s refreshing to remember this, as most of the focus has been on fines and sanctions. But GDPR is much wider than that — it’s about how we work, how we succeed and how we prosper after Brexit.