Understandably, GDPR is a hot topic right now and there’s plenty of noise out there to digest. From preparation to becoming compliant, making sense of exactly what GDPR is to those offering training services. All of which are very helpful in understanding how this may affect your organisation. However it needn’t be all doom and gloom. In a recent meeting with our friends at Foot Anstey an interesting angle was taken, ‘How to commercialise the GDPR’, now that’s talking our language.
With this in mind we asked Martin Cuell, partner in Foot Anstey‘s Commercial team, about his take on how organisations can make the most of the GDPR and put the implications into business change and benefit.
ADLIB: GDPR – It’s a huge topic which can be a tricky one to get your head around. What do you recommend as useful sources of information to get the underlying facts?
I agree – data protection can be a tricky topic to navigate! Part of the difficulty is that depending on which ‘hat’ we have on at the time, we approach data laws from differing perspectives. As individuals we’re all keen to ensure that our data is kept secure and we want to know how it is being used. In business we often see data laws as a bit unwieldy and problematic when seeing opportunities to commercialise and monetise data.
Of course the key, as ever, is striking the right balance. Data protection laws have been widely acknowledged as being in need of updating, driven by changes in technology and the consumer/user experience. The GDPR, which will take effect on 25 May 2018, represents the biggest change in 20 years and introduces a number of new concepts and significantly raises the bar for every business which processes personal data. However it also creates a great opportunity/incentive for business to really look at their data strategy and yes – ensure that it is compliant – but also look at ways to continue or start to make better use of and derive new products and services for its customers/clients in a compliant but effective way.
The Information Commissioner’s Office website is a good starting point for the latest updates on the GDPR as well as specific information for public and organisations on data compliance. However getting a real practical view as to what the legislation and guidance means for your business and how to continue making the best use of your data assets can only really be gained by discussing your data strategy with a good advisor who is up to speed with the GDPR and subsequent guidance. We’ve produced a short overview of what the GDPR means from a practical perspective which provides an entry point for some internal thinking on your GDPR/data strategy which we’d be happy to share if of interest but I’d recommend that if your business processes significant amounts of data, or if personal data is key to your consumer/client strategy, then it’s worth discussing that strategy now to put your business in a good place come May next year.
ADLIB: Is there an approach or process you can recommend for businesses or departments to plan for and implement changes to be ready for what the GDPR will mean for them?
It’s always difficult to suggest a one size fits all approach for all types of business. One business will approach its data strategy in a completely different way and will be doing different things with its data to another. Even within a business, data may be being used in different ways and for different purposes by different business units.
However if you take a step back from the complexities sitting around data protection and GDPR there are some logical steps that can be taken by your organisation/teams in readiness for next May. These would include:
Responsibility: Consider who in your organisation/teams is responsible for data strategy and compliance. Is this clearly understood in your organisation and reflected in those individuals’ day to day work/title/assessment?
Strategy: Consider who do you hold data on – employees/customers/targets. How is this data being used/is it being used (do you need to retain the data?). What are you telling those individuals about the use of the data/is this transparent.
Audit: It’s worth establishing what data you (or your contractors) hold and how it is being used. Aside from the compliance angle – could the data be used in better/more efficient ways (to drive down costs or increase revenue)?
Risk: After the audit – have you noticed any key risk areas? How could these be plugged (i.e. changes in behaviour/data collection notices/communications with clients/customers).
Raise awareness: Raise awareness among key stakeholders about the importance of the data and compliance – this isn’t just something for IT or data officers. Boards should be aware of the risks and opportunities – businesses have a responsibility towards individuals’ data but there are also great opportunities to use and monetise data in a way that drives value back to the customer.
Opportunity: find opportunities to build engagement and make data protection more than simply a compliance exercise – can more value be extracted from current data sets? Is this an opportunity to look at new products and services that could be offered to customers/clients for whom you hold/process data or add value to existing data sets?
ADLIB: We mentioned earlier that you looked at the GDPR from the “How to commercialise GDPR” angle. Tell us more!
A lot of organisations (and advisors for that matter!) are looking at the incoming GDPR as a compliance exercise first and foremost. However this is a great opportunity to put the limelight on data strategy within your organisation. If you can drive engagement across different functions and in the key areas within your organisation where data is processed and valued as a core business asset you can make this much more than just an exercise in compliance.
Today’s technologies and marketing practices mean that there are lots of opportunities to extract value from your data – by having a current audit of your data you’ll be in a much better position to flush out these opportunities, identify any gaps and put in processes that ensure you are doing things right for the future.
By focusing on the data strategy for your business over the next few years we can help advise you on ways to implement those strategies to maximise the revenue return whilst being aware of the regulatory requirements and risks.
Finally it’s worth remembering that there are also reputational gains to be made through being transparent with your customers about how their data is being used and how they value your services and goods by processing their data in different ways which in itself may drive greater customer stickiness and be good for your business.
Interested in hearing more?
Alexandra Leonidou, Senior Associate and data protection specialist, and Tony Jaffa, Partner and leader of the reputation management team at Foot Anstey, will team up to provide insight into the new game-changing data protection regulations at Bristol CIM event ‘Are you ready for GDPR with one year to go?’ on 4th May 2017.