Up until now, almost all of the coverage of the General Data Protection Regulation (GDPR) has focused on compliance and the penalties which can be levied for breaches. Scare stories have abounded in relation to both compliance costs and the potential for unwitting infractions to undermine the very viability of enterprises.
This is nothing new. We have been here before after all. Much the same naysayers were in attendance to greet the introduction of new standards of health and safety back in the 1990s. Before that again we were told that the introduction of Total Quality Management systems would place an impossible cost burden on small and medium sized enterprises.
None of the admonishing turned out to be correct. Instead, business and society benefited from higher standards, reduced costs, better value, enhanced competitiveness, and improved safety standards. And the same can be true of GDPR with compliance opening up a range of new opportunities for organisations.
This is the view of Microsoft Ireland Business Group lead, Shirley Finnerty. "Data is now the lifeblood of an organisation and we are seeing an explosion of data at present," she says.
“Ninety per cent of the world’s internet data was generated in the last two years,” Finnerty adds. “This exponential growth in the volume of data we generate – coupled with technology that can extract actionable, predictive insights from it – is empowering companies to offer more personalised experiences to customers, achieve unprecedented efficiencies, and bring new products and services to market faster than ever.”
It is also presenting mounting security challenges. There was a 26 per cent increase in security breaches in Ireland in 2017, according to the Office of The Data Protection Commissioner (ODPC). The most common types of breaches reported were inappropriate handling of personal data, loss of data held on devices such as USB keys and paper files, and network security compromises such as hacking and malware.
“The ODPC mentioned several factors that contributed to these breaches, including a lack of staff training, slowness to patch devices, poor password policies, and failure to update antivirus software,” Finnerty notes. “In this light, it makes sense to introduce a more robust framework for data protection.”
For Microsoft, the journey to GDPR compliance involved four key steps. “The first step is to discover what data your company has and how it is used,” Finnerty explains. “Then you have to establish processes to govern who manages this data. After that, you need to make sure it’s protected. Finally, you need to ensure you can offer transparent, clear reporting on how your customers’ data is treated should regulators require it.”
And it is this process, in itself, which is generating new opportunities for business, according to Finnerty. “Organisations need to focus on the benefits of being compliant,” she says. “These steps will help you manage data better and create new opportunities. In the first instance, organisations may decide to move data to the cloud. Data becomes much easier to manage if it is all in one place. It enables you to access, manage and process more data and gain greater insights from it.”
The problem faced by many organisations in this regard is the lack of structure or consistency in relation to data storage. “Lots of organisations have data on premise, they also have paper documents in filing cabinets and so on. Managing all that is a challenge, particularly when you are trying to apply a single policy across all of it. Moving to the cloud makes it much easier and more secure and that also presents an opportunity to build up trust with your customers.”
Mayo County Council is one organisation which is already seeing the benefits of moving to the cloud. The council is the lead authority in the western region for climate action and this requires collaborative work from staff in a number of counties along the Irish Western Seaboard. By introducing Microsoft Teams online, personnel at various locations can securely share files and participate in virtual meetings via Skype for Business as part of their work to develop climate change strategies and assist in their moves to meet the demand of GDPR.
"Good records and document management play an important role in GDPR compliance," says Liam Hanrahan, acting director of services for communications, IS and corporate development at Mayo County Council. "File sharing in the cloud avoids unnecessary duplication. The amount of storage you can lose simply by keeping copies of everything is significant."
The compliance process can also help foster a digital culture. “It is vitally important that GDPR compliance goes right across the organisation”, says Finnerty. “It’s not just a management issue. All employees must be brought along that journey as well. That will help create a data driven culture in the organisation.”
Innovation is another benefit. “The ability to process more data offers greater opportunities for innovation. Your business gains more insights, becomes more measurable, and stays one step ahead of competitors. IT staff who have previously spent lots of time on low value, mundane tasks like password management can be freed up to be more innovative, and potentially more engaged. From complying to competing, companies that are using GDPR as a valuable milestone to drive business transformation will emerge with a significant advantage.”