The new EU privacy regulation is upon us
Summary of the GDPR Grab n' Go 28.9.2017
We held a Grab n' Go breakfast seminar at Deloitte in Helsinki on 28 September 2017 on the theme of the EU's new General Data Protection Regulation (GDPR). It comes with new obligations and significant financial and reputational penalties, but also great opportunities. In an interactive session we heard what the people leading their organizations' GDPR programs think of the subject, and below you can see the key messages of our eminent GDPR speakers.
The GDPR is not a one-off exercise, but something ongoing which requires continuous effort.
The new regulation brings several changes to the current European privacy legislation. These include, for example:
- the global reach,
- the Accountability and Privacy by Design principles, and
- the new requirements for data portability and breach notification.
According to Deloitte's Privacy Leader Hannu Kasanen, the biggest mind shift comes with the Accountability principle: from May 2018 onwards organizations not only need to comply with the regulation, but also need to be able to demonstrate their compliance. This requires more systematic documentation and record keeping. And while well-documented plans and processes are required, they also need to be put into action across the organization.
When it comes to putting the regulation into action, Hannu emphasizes that the legal perspective alone is not enough; the GDPR requires changes to governance models, processes, and technology. Moreover, companies should pay more attention to communications. "Customers must never be surprised by the processing of their personal data", Hannu reminded.
Hannu Kasanen, Director & Privacy Leader, Deloitte Risk Advisory Finland
The GDPR is like an airplane, so please fasten your seat belts. You are likely to face some turbulence. But it will bring you to a new starting point for your (personal data) journey and will offer a world of opportunities. It's time to take off in order to 'arrive' before May 2018!
The requirements of the GDPR are significant, and so are the possible consequences. In addition to the sanctions, the brand impact of non-compliance could be huge, as customers are increasingly aware of their rights and privacy, and want to be sure their data is handled well. Privacy is not only a regulatory matter, but also an ethical question, which attracts a lot of attention and therefore makes it a communications matter as well.
But, as Deloitte Risk Advisory Partner Annika Sponselee explained, this comes with a positive edge: as organizations are required to change the way they operate, they can use the chance to look even further. The GDPR does not state what you can do with the data, but sets the requirements for how to do it. No matter what the scope of your program will be, Annika emphasizes that you need to really put it into action - or, as she defined it: "It needs to become the DNA of your organization."
Annika Sponselee, Partner, Deloitte Risk Advisory Netherlands
Data should be seen as a business asset. We need to understand how to exploit and maximize the return on data.
Companies invest a significant amount every year in systems to collect data. So data has to be seen as something that needs to yield a return. It's also essential to understand how to maximize the value of the business by increasing the return on data assets.
Karthi Pillay sees the GDPR as one pillar of data – the ability to keep it safe, secure and private. If the company doesn't have a data strategy yet, it needs to have one right now. The GDPR sets a deadline and gives a push to speed up the data strategy process. "We need to get closer to customers, universities and competitors – our ecosystem changes and the data will change too. Things you never considered to be private will become private. Once you have developed your data strategy and are able to see the GDPR as part of a bigger picture, you have come a long way", concludes Karthi.
Karthi Pillay, Advisory and Cyber Lead Partner, Deloitte Finland