The GDPR journey should be more than just another compliance challenge. Tech leaders who see it as a strategic consideration will build reputation and competitive advantage.
It is not difficult to have sympathy for the chief information and chief security officers recently ejected from Equifax after the data breach affecting millions of citizens. Many of us may well be thinking, ‘There but for the grace of God…’
Just how the issues were reportedly handled by Equifax is a moot point. Few other senior decision makers outside tech have the same daily pressure and challenge of mitigating such risk on a global scale.
The potential human impact of data breaches is undoubtedly a public interest issue. So it’s understandable that GDPR legislation is being enacted across the EU. In the UK, every business must implement it by 25 May 2018, not long off given the potential complexity involved.
Working up to re-engineer and implement what you’ll need to do to comply might seem like yet another burden, an imposition on the real business of performance. And yet should we view GDPR as a driver to make a competitive virtue of greater transparency and trust with our customers and stakeholders?
GDPR competitive advantage
The government’s Cabinet-led cyber security strategy is to build competitive advantage for the UK. It wants us to be one of the safest and most secure places worldwide in which to trust and conduct commerce. This might be government thinking actually stealing a march on business. That is, if you consider the confidence-sapping effect of cyber breaches on the UK’s inward investment as similar to their proven effect on corporate investors.
Regulation becoming a driver of innovation and competitive advantage isn’t new. Health and safety legislation, for example, revolutionised working practices in the construction industry. It also led to product development and greater competition in the automotive industry and beyond.
We need to think about GDPR in the same way. Visionary tech leaders will be those who create precedent and make GDPR principles a badge of differentiation and trust, and who become champions of security and transparency to drive increased customer loyalty.
Those leaders will need to act fast. Customers will soon have control over their data and so an active choice about who uses it and how.
The competitive advantage approach elevates GDPR beyond a technical or compliance exercise to a board reputation management issue and an item on its risk register. And as Equifax has shown, CTOs might themselves see it as risk mitigation for their own reputations.
Anecdotal industry feedback about the Cabinet’s attitude to breaches is that there will be little empathy for business: a ‘you’ve had two years to prepare’ attitude. The UK’s GDPR enforcement body, the Information Commissioner’s Office, is unlikely to care about the practical challenges of consolidating unstructured data across multiple systems at scale.
The regulator has indicated it might allow timely correction of breaches in the first six months. But it will also likely seek a high profile, high penalty example early on to stake its power firmly onto the business psyche.
Some might think liability insurance is a ready answer and provides protection against increased penalties: four percent of global turnover compared to the current maximum of £500k. How far will that protect against reputation damage or loss of trust?
60 days to change the narrative
There’s no doubt that GDPR presents some complex practical implementation issues. Much of that depends on the type of personal data a company holds about individuals. It also depends on how it’s used and the nature of supporting infrastructure across locations and business groups.
In future, GDPR will seem as commonplace to consumers as safety on construction sites or seatbelts in cars. With two months to go, now is the time to change the narrative of the GDPR effect and see it as the opportunity it truly is.
SCC wants to raise awareness of the diverse issues CTOs and their staff need to consider. For more information, visit: www.scc.com