On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) becomes enforceable across the member states. It is intended to strengthen and unify data protection for all individuals within the union and to address the export of personal data outside the EU.
While the regulation is primarily focused on businesses operating in Europe, it does not only affect European companies. Any organization that does business or operates in Europe will be subject to GDPR, and this includes companies located in Singapore that conduct business in Europe or with European companies.
With only a few weeks left before GDPR comes into force, are Singapore companies lacking in preparations for the new regulatory environment? According to a survey from EY, this appears to be the case. The survey seems to confirm the city-state’s lack of preparation, with a majority of companies in Singapore stating that data protection and data privacy compliance is a growing concern, yet only 10% have a plan in place for GDPR.
Despite the current tone of conversations around GDPR, which focus on how it will impact businesses and the threat of big fines for regulatory breaches, there is actually an upside if you take a step back. Here are a few of the hidden benefits that business and IT leaders should be aware of as they develop their GDPR compliance strategies:
A natural consequence of GDPR compliance is that companies need to show they have full knowledge of what type of data they have and where it is stored. As organisations take steps to comply with new legislation, they may be required to perform a ‘spring clean’ of their data, which can in turn boost operational efficiency.
CIOs are also leveraging GDPR as an opportunity to make the case for increasing investments in infrastructure innovation that will enable cleansing and improvement of data cycle management as well as security.
There are already examples of businesses reaping the rewards of moving towards GDPR compliance. For example, for large insurance companies with multiple business lines, ‘forgetting’ a customer is not a simple task. If a client asks to be removed from a database, a company must include multiple files and formats – such as security footage and audio files of a customer talking to a call centre. This is in addition to the fact that most firms hold a lot of ROT (redundant, obsolete, trivial) information about their clients and staff. Companies can turn this potentially complex area of compliance into a positive for the business by reducing the size of their data lake to make information easier to find. This immediately cuts costs for the firm.
Revenue generation is another benefit that can be offered by GDPR compliance. Getting it right can make a business stand out in a crowded market. Once assessed and approved, organisations can simply put a “GDPR effective” stamp on their websites. It’s a positive way to tell employees or customers that you really value them and take them seriously, and as a result increase brand loyalty and possibly attract new customers.
Once companies get their data in order, they will be able to gain insights into a different kind of information and then mine it. This will reveal valuable, strategic information about what customers actually want.
Take the major national airport authority in Europe as an example. As it moved towards GDPR compliance, the airport purchased new technology to protect itself, so it could handle more data. But it also rented the technology out to small airlines within the airport, creating an additional revenue stream.
Safeguarding brand reputation
The risk of GDPR fines doesn’t only lie in the large sums of money companies will need to pay. Once the lack of security is exposed, companies risk lasting damage to their brand. The bad press on severe non-compliance might directly result in loss of current customers and lack of trust among prospects. With massive data breaches, including the Malaysian telco data leak or the Uber data breach in Singapore, the way organisations collect and use data is increasingly coming under scrutiny. With legislation catching up with technology innovations and growing privacy concerns among consumers, why would any company take the risks?
Ultimately, the GDPR should be seen as an opportunity for businesses to differentiate themselves, rather than just as a threat to be managed. But it is also important to note that no business is perfect. The reality is that the majority of businesses will not be 100 percent GDPR-ready on the 25th of May when the legislation comes into force.
Preparing for the GDPR is a multi-step process that starts with an assessment of what personal data you collect and where it is stored. This can identify not only issues with GDPR compliance, but also other jurisdictions where data privacy laws may apply. For example, China, Japan and Qatar have recently enacted new laws/revisions that may impact your data. Companies in Singapore should look at GDPR in bite-sized chunks and prioritise accordingly.
Michael Waring, General Manager, Southeast Asia and Korea, Micro Focus