Posted April 13, 2018 by Ruaraidh Thomas
The following originally appeared on Professional Adviser, "Ruaraidh Thomas: Why organisations need GDPR," published March 8, 2018 [subscription required]. Used with permission.
On 25 May this year, the EU General Data Protection Regulation (GDPR) comes into force, giving firms just six more months to comply with the new regulation.
GDPR aims to bring the EU Data Protection Directive of 1995 up to date with the current world of data and the ever-changing landscape of data usage.
Recent significant data breaches show an evident need for GDPR and serve to remind us that organisations must take the security of their data extremely seriously.
If we look back to July and the Equifax data breach, circa 700,000 people in the UK alone were exposed, compromising an enormous amount of highly sensitive personal data.
Predictably, once the breach was exposed, the organisation experienced high levels of reputational damage, with its consumers losing a massive amount of trust and confidence, as evidenced by the 34% drop in share price in the week or so thereafter.
Interestingly, in this case, Equifax seems to be part of a group of organisations that will ultimately recover (and have recovered) from events such as these.
Certainly, in Equifax's case, there will always be a requirement for consumer credit reporting. The distraction, cost and resource required to manage such a negative situation should not, though, be underestimated today, let alone in the new world of GDPR.
Cost Of Non-Compliance
Moving forward under GDPR, the monetary cost to a business that does not comply with the regulation will be substantial enough that organisations may not be able to rely on market recovery.
GDPR will require organisations to protect their customers to a much greater degree and follow specific processes to ensure this.
Consequently, organisations should not only focus on ensuring that they comply with GDPR, but also look to understand how they are able to create value through compliance and leverage the regulation as a point of learning to drive operational and brand enhancing benefits.
Indeed, if a firm is investing in becoming compliant, it has an opportunity to gain the best returns in the form of benefits and outcomes beyond simply becoming (and remaining) compliant.
A business will likely need to invest in people, infrastructure, systems, processes and governance to ensure compliance, and so can also take full advantage of GDPR as an opportunity to more than mitigate this investment.
Once a company has the correct governance and infrastructure in place, as required by GDPR, the data it holds will be of greater quality, allowing for the use of analytics to create revenue-building opportunities.
Starting with an understanding of what the data actually is, a firm can then use business intelligence and data visualisation to empower its employees to report on the data that is stored through the right systems, processes and infrastructure.
Employees will then benefit and understand the power of the data they hold by using intuitive and engaging dashboard tools, allowing them to self-service, or use statistical analysis teams, to predict behaviours and outcomes in a multitude of ways.
The significantly superior insights a business gains through using analytics will, in turn, increase the efficiency of the business and the effectiveness of its activities, allowing it to generate more revenue.
In six months and beyond, we will start to ascertain which organisations have embraced the GDPR as an opportunity to bring about a competitive advantage and which complied only to avoid a financial penalty.
The former will be at a greater competitive advantage and well placed to compete successfully for an increased market share, while the latter will be at a significant disadvantage, potentially losing customers to those companies that are better at fulfilling their customers' needs.
The views expressed in this publication are solely those of the author and do not necessarily reflect the position or policy of DST Systems, Inc. or its affiliates, subsidiaries, joint ventures, officers, directors, or management.