CIO

Look for the silver lining in GDPR’s privacy obligations

GDPR an opportunity for data-driven companies, not just a privacy burden

Analytics, security and data-governance vendors are lining up to help businesses that have been caught out by the activation of the European Union’s general data privacy regulation (GDPR) and the looming introduction of similar Australian policies that threaten to overrun companies with consumer data requests.

The industry-by-industry introduction of the new Consumer Data Right will put companies in a range of industries on the front line of data-privacy protections. The right was introduced in conjunction with the appointment of a new National Data Commissioner in response to the recommendations of a Productivity Commission inquiry, and will begin with the introduction of a formal open banking industry program.

Yet studies have repeatedly shown that many companies in Australia – and elsewhere – remain unable to accurately inventory or manage their customer data at the level of granularity and control required by the new regulations. One recent survey found that just 9 percent of businesses have implemented data tagging tools to help keep track of their often-massive data holdings.

Given that customers’ expectations of privacy and data control are only increasing – and many are putting companies on notice to do the right thing or risk losing business – Qlik APAC vice president Julian Quinn told CSO Australia that analytics vendors needed to step up their involvement with customers’ ongoing data compliance efforts.

“Customers are taking the matter seriously, and businesses have to include data protection from the onset of designing their systems and technologies,” he said. “Organisations really have the opportunity to move to the next level of digital trust by enabling better relationships with their data.”

“Analytics companies have a key role to play in helping manage disparate data sources,” he continued. “We’re the glue that combines all of the data protection and privacy systems together – providing clear visibility and actionable insights.”

For companies whose business is based on data, the imperative is even stronger – but a recent Forrester Research analysis found that just 15 percent of B2B marketing companies, for one, are GDPR compliant.

Data audits are only the beginning of GDPR compliance for marketers, Forrester warned, and just 11 percent of surveyed companies had vetted their third-party suppliers for GDPR readiness.

Given the potentially massive fines for GDPR breaches, “investing in compliance now is the only right move for a sustainable business model,” Forcepoint regional vice president for APAC George Chang said in a statement. “Pragmatic compliance does not need to be an expensive exercise too.”

“While many may be worried about the implications of a new regulatory era, in reality it will create trust and provide good practices that will benefit both the individuals and the business. With strong data protection strategies in place, customers will place greater confidence in businesses, and businesses will minimise the all too common reputational and financial fall-out of a breach.”

Mimecast principal technical consultant Garrett O'Hara was pragmatic about the possibility of fines, advising companies to focus more on building up robust processes for handling data requests and incident responses in the event of a data breach.

“Most companies have done a tremendous amount of work to develop their data strategy, but can they keep it over time?” he said. “Organisations should worry less about fines – as these likely won’t be seen until the end of the year or early 2019.”

“Instead, they should be focusing on having solid incident response processes should a breach occur. The GDPR is widely regarded as the gold standard for privacy policy. As long as your organisation is working to build a model of privacy excellence, you’re going to be fine.”

Tools vendors have been coming to the party, with a number of GDPR data-compliance tools recently released or poised to be released. MinerEye, for one, recently launched an AI-driven data identification tool that learns different types of business data over time. Adobe, for its part, announced that it has patented a technique for enforcing data export controls that stop consumer data being sent to destinations in potential violation of data privacy or data use agreements.

This sort of control will become increasingly important in helping data-driven companies meet customer expectations while preserving their privacy. “The more data organisations ask for, the higher the expectation of personalised services from customers,” Talend ANZ country manager Steve Singer said in a statement.

“Recent high-profile data breaches have undermined trust in financial services organisations, with consumers asking whether they are handling personal, sensitive data with a due sense of care and expertise. Understanding where data is and that it is managed correctly is not only fundamental to complying with GDPR, but also to providing the highly personalised and predictive services which the modern customer expects.”