Leading up to the EU General Data Protection Regulation’s May 25 effective date, fearmongering and panic rippled through the commercial world. Some companies, such as the Los Angeles Times, Chicago Tribune, and New York Daily News, preemptively shut down access for their entire EU readership, totaling half a billion subscribers. Although businesses continue grappling with uncertainty on exactly how to comply with GDPR, closing off the entire EU market was an overreaction. The sky is not falling. It’s just a different shade of blue.
Data Protection is Asset Protection
Businesses that handle personal data are supposed to protect it. This was true before May 25 and it’s still true today, so companies that already have a strong data protection strategy in place are in a good position to comply with the regulation.
But the fact that prominent organizations like the LA Times believed they were unable to meet GDPR compliance requirements should set off alarm bells for everyone who uses the internet, not just EU residents. If banks were unable to specify how they managed and protected investor funds, would it be acceptable? No – banks are expected to know where every penny is, at all times.
Since the data that businesses possess is, in many cases, their most valuable asset, they should be held to the same level of accountability to which banks are held for deposits and investments. Brian Reed, information security industry expert, former Gartner Research Director, and current Virtru advisor, agrees, saying that GDPR “is going to force a lot of organizations’ hands into doing the right thing. They’re going to have to better understand those data flows ultimately in order to better understand how to apply GDPR protections.”
Treating GDPR Compliance as a Checklist Wastes an Opportunity
If GDPR is the big stick driving data protection improvements, the carrot is the ability to make data actionable. Yet many businesses struggle to understand what data they possess, where it is, and how it is shared with partners. Businesses that can’t manage the data assets they possess today will find themselves falling behind as their competitors successfully complete digital transformations.
Businesses recognize the value associated with the improved efficiencies and customer experiences that accompany digital transformation. A recent Gartner survey showed CIOs rank digital transformation among their top three priorities this year. Most enterprises are somewhere on the digitization path, while SMBs are moving to digitize their processes as well.
Data is the fuel that powers these digital improvements. Business leaders should be thinking, “Since we have to better understand our data for GDPR compliance anyway, how can we backchannel other strategic goals into the GDPR process? Can we use our new understanding to create innovative lines of revenue or more efficient operations?” When pattern and context are exposed, data can provide answers.
Secure the Data, Not the Network
When data is essential to operations, companies must change the way they approach data security. The traditional focus has been on protecting network perimeters. That focus needs to shift to protecting the valuable assets inside the perimeters: the data.
GDPR protections, such as the right to object, right to notification, and right to be forgotten, are all predicated on the assumption that companies have a fundamental understanding of their data. But businesses collect more data than ever, a trend that will only continue to rise as IoT, AI bots and mobile business apps proliferate. Businesses need to be aware of the insights that can be extracted from their contextualized data, and they need to write thoughtful data policies to protect both their consumers and themselves.
Keep Sight of the Opportunities, Not Just the Penalties
If we weren’t in the midst of a wave of digital transformation, it would be more acceptable for businesses to treat GDPR compliance as just another checklist, doing the minimum required to get by. But we are at a point in our technological evolution where issues around data, privacy, and security are impacting the futures of individuals, commercial entities, and governments.
GDPR will force everyone to understand their data and its movement better. As Brian Reed predicts, “We’re going to see a lot of these GDPR regulations force organizations to follow better privacy hygiene, to really better understand those data flows, and how data is moving, not just inside of the environment, but how it’s moving from the environment to cloud, how it’s moving to customers, to business prospects, to business partners.” Organizations that adapt accordingly will have a strong competitive edge in the immediate future. GDPR should fit into strategic initiatives to elicit value from data that is collected, shared, and protected. It should not be treated as just another cost center.
So don’t think of GDPR as a penalty for failing to protect data. Think of it like a good workout: it may be uncomfortable in the moment, but the pain is worth the gains.