We have interviewed representatives of the privacy industry, legal experts, technology specialists, the media and even regulators, and paired them up into a four-part series of eight interviews.
The first instalment was released this week, featuring Emma Martins, Data Protection Commissioner for Guernsey, and Omer Tene, the Chief Knowledge Officer at the International Association of Privacy Professionals.
The reception of and interest in the series have been fantastic, possibly triggered by the contrast of this first pairing – the regulator versus the privacy industry.
Despite the perception that they may come at GDPR from wholly different stances, there was in fact a reassuring amount of consistency between the two. Both Emma and Omer agreed that those who have already made the effort to conform with existing data protection regulations will be in a strong position for GDPR observance. After all, both those regulatory frameworks and the GDPR are based on the same fundamental principles.
However, when it came to how companies are approaching the 25th May deadline, the two sides’ different perspectives showed. The regulator hopes that most companies want to do right by the people on whom they hold data – echoing the intention of the legislation. On the other hand, the view of the privacy professional is that many businesses prefer to wait to see how enforcement manifests before committing to any change.
Such a strategy is, of course, perilous. Many organisations, including the EU itself, are educating citizens in their data rights, increasing the likelihood of them identifying inappropriate usage of their personal information and reacting. In the worst case, this reaction may be to inform the regulator. More likely, though, they will vote with their feet. Lack of respect for personal data is becoming as damning to a customer experience as poor support or service fulfilment – perhaps more so.
As Emma said herself, this is where the Data Protection Officer (DPO) comes in. Businesses require a collaborative and constructive presence observing how data is used, manipulated, stored and purged, and representing the interests of the data subject in order to avoid unwelcome backlash.
Unfortunately, many companies are slow to appoint a DPO as they see the protection of data subjects’ personal information as obstructive to their companies’ activity. However, a well-appointed DPO can in fact be entirely additive to the business. We have repeatedly seen DPOs’ impacts reach far beyond the basic protection of personal data. Typically, their ongoing review of how data is used leads to marked improvements in process efficiency, accuracy, productivity, resilience and even brand strength. And this is by no means an exhaustive list.
The greatest DPO-driven benefits to a business typically come when the DPO is external. As with any outsourced scenario, the pool of expertise that can be brought to bear by a service provider is far greater than any single, time-constrained internal appointment. An external DPO also enjoys easier independence within the company than any employee, and usually wider and deeper access to the business’ executives – a crucial necessity that Emma Martins points out in her interview.
You can also access Omer and Emma’s interviews, and the rest of the GDPR Interview Series, here.