GDPR Compliance - The Unintended Consequences for Organisations

The complexity of data means that today data protection requires collaboration between business, legal, IT, Information Security and DPOs, rather than being the responsibility of the legal department alone. Given the associated reputational risks, data protection has become a board level concern with more organisations taking an increasingly proactive approach.

GDPR has created a ripple effect around the world with many other regions adopting similar privacy legislation. The California Consumer Privacy Act, for example, is due to come into force in 2020 and there is a drive to ensure consistency across the US as GDPR has done for the EU. In the APAC region existing data protection legislation is evolving to make sharing data across borders easier.

As organisations look to protect their reputations and reduce the likelihood of regulatory action, internal policies and procedures will play a critical role. Regulators are not only assessing data breach impacts but are undertaking thorough reviews of organisations’ data management and risk assessment procedures. Some 70% of breaches reported to the ICO in the last quarter were not caused by malicious third parties but by inadequate policies and procedures.

Education is essential. During its investigations of an incident, the ICO will increasingly ask about the organisation’s training programme. Meanwhile, as more companies look to operate like start-ups and to increase agility, business leaders must help teams to be creative while complying with regulations.

One largely unreported consequence of GDPR is data minimisation – organisations are reviewing their policies to ensure that they only retain data that is necessary for their operations. As well as minimising risk, this helps them to focus on their key objectives and to reduce costs.

Organisations need to understand their data flows better and to improve communication with customers, especially since GenZ and Millennials in particular care about how companies use their data.

GDPR may have been the starting point, but as technology develops and customers get data-smart, all organisations need to consider how they balance protecting the rights of individuals with their marketing and brand strategies.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.