Privacy continues to be the most important aspect of data management for the majority of businesses.
While in Europe GDPR was introduced to protect consumers’ privacy and safeguard their data, it also seems to have increased awareness of its misuse.
Below Ken Mortensen, Data Protection Officer at InterSystems, delves into the complexities of GDPR application and public perception, touching on what exactly businesses have been doing over the past 18 months to ensure data remains compliant with new regulation.
Research has shown that 60% of Europeans worry about how their personal information is being used by companies. Consequently, a large proportion of consumers now understand the value of their data, and concerns about how it’s being used have led to a growing reluctance to give that information up, combined with a desire for greater control over it. 53% of respondents to a Global Web Index survey said they would be motivated to share their data if they trusted the company, while 46% revealed they would share their data if they had the ability to access and delete it. Therefore, it’s not enough for businesses to merely adhere to the processes put in place to ensure compliance with GDPR.
Instead, organisations must recognise and acknowledge consumer concern and continue to enhance their processes and policies to sustain a data privacy programme and ensure the proper protections and safeguards. If businesses fail to do this, it could lead to them not only facing fines from regulatory agencies, but they also stand to lose the trust of their customers. As companies get to grips with the privacy and security issues relating to personal information, they are moving beyond compliance and looking at the ideas of ethics and trust. Here are three key ways in which businesses are providing for continuous improvement around the issue of privacy:
Creating specialist roles
While the subject of privacy is a board-level and senior management risk issue, barely half of organisations have adequate controls in place. To change that, it is vital that the message of data privacy, the support for controls throughout an enterprise, and the organisation’s stance on the ethical use of data comes from the top. One of the most effective ways businesses are doing this is by developing new roles with the sole purpose of protecting privacy. A number of organisations have already adopted this model, with businesses like InterSystems appointing either a Data Protection Officer, a Trust and Ethics Officer, or a Chief Ethics Officer to ensure both compliance and trust are maintained through the ethical use of personal information. The creation of these roles sends a strong message that trust, and by extension, privacy, security, and ethics, are at the forefront of the culture of an organisation. But even more so, this approach moves the discussion on from businesses purely being interested in being compliant, to focusing more on operating ethically and doing the right thing.
Governance frameworks
A governance framework can be used to look at the issues of privacy and security and how the related business processes can be consistently and reliably implemented across an organisation. Within such a framework, both privacy and security matters are examined. The former puts a focus on the collection, use, and disclosure of personal information, whilst the latter concentrates on the confidentiality, integrity, and availability of that information. As organisations implement a governance framework, they may seek external auditors to demonstrate that they are trustworthy.
A culture of accountability
A growing number of businesses are trying to put data privacy on the radar of their entire employee base. In these organisations, it is becoming everyone’s mission to have an understanding of provenance and the use of information, with everyone taking accountability for how the company collects, uses and shares personal information. This is also being extended to the way in which organisations talk to their customers about data privacy with more businesses being open with regards to what they are doing with personal information and how they are protecting it. With big data breaches, such as recent ones that exposed the data of almost 400 million users, this approach could help businesses overcome the distrust these occurrences tend to inspire.
A year on from GDPR, it isn’t enough for businesses to focus their data privacy efforts purely on compliance. As the narrative moves towards trust and ethics, we will see a growing number of businesses adopt an approach to data privacy that is founded on these principles, appointing a specialist such as a Data Protection Officer and promoting a culture of accountability. Ultimately, this will ensure they are not only GDPR compliant, but also maintain the trust and loyalty of their customers.