The year 2018 witnessed one of the most revolutionary regulations in the last 20 years of data protection — the implementation of the General Data Protection Regulation (GDPR) in the European Union. In fact, within the last year, including GDPR, there have been around 100 new data protection laws enacted in countries around the world, and for many, this is a first-time law.
The new regulations, in essence, give data the same supremacy as oil, defining it as an important asset to be held and dealt with far more cautiously. The new legislation is not only anticipated to be instrumental in reshaping the way in which data is handled across every sector — from healthcare to travel to banking and beyond — but also provides a baseline for drafting data protection guidelines the world over.
The new breed of privacy professional
With the introduction of stringent data protection laws in many countries, companies across the world are focusing on taking steps to embed privacy as part of the organisation’s strategy. With this comes the realisation that a sound data privacy management framework is critical for the reputation of the company or brand and can also directly impact the bottom line in a positive way.
From an operational point of view, the reality is that many companies are still grappling with how to ensure compliance with the new regulations within existing frameworks. Clearly, it is an uphill task for most.
It is not surprising that a new trend we are seeing is the moving of privacy out of the purview of the legal and the Information Security teams, and creating a new role of the privacy professional. Indeed, privacy and data protection management is already becoming a new profession in its own right.
Usually, individuals best suited for this role have a background in IT security, have good knowledge of the business lines, and have become legally trained in the data protection legislation that applies to the organisation’s theatre of operations.
This has also created an educational space for companies and for people to start up-skilling themselves in this area. This is just the start, as we will see sub-specialities of the privacy professional developing, especially in the realm of AI and machine learning.
Increased infrastructure and investment
Organisations are allocating more resources to creating a robust data protection framework that ensures radical changes in the way data is managed.
2019 will see businesses of all sizes streamlining their operations to accommodate the new legislation to avoid, detect and recover from a data breach.
A lawful basis is everything
One of the major impacts of the implementation of GDPR is that it compels businesses to demonstrate a ‘lawful basis’ for processing a set of personal data. Earlier, when regulations were less robust, companies held all kinds of data for indeterminate periods of time. Now organisations will have to take into account, firstly, the purpose for which they are collecting personal data, and secondly, the extent of the data collected.
This means that data can no longer be stored after the purpose is served, or used for another purpose such as marketing.
Also, social media posts, location, biometrics, IP addresses, etc. are handled in the same manner and with equal importance, as dictated by GDPR. If organisations aren’t able to identify a lawful basis to hold data, they will have to let go of the data in order to remain compliant.
Multi-layered approach replaces fallible methods
Naturally, no organisation wants to experience a data breach as it brings with it the loss of trust and even revenue for a company. However, it is, unfortunately, an inevitable risk that an organisation has to account for. Hopefully, when it occurs it is only minor in nature. In order to limit reputational and financial loss that a data breach can cause, the coming year will see industries and organisations replacing scattered methods of data protection with methods that will reduce the impact of a data breach.
At the moment, industries are standing at the threshold of a data revolution. While past regulations have changed the course of the journey and conversations around the importance of data protection, future regulations will only add to the various methods of implementation.
In India particularly, data protection legislation will provide a springboard to the Indian outsourcing and data processing industry as it will make it easier for other countries with similar regulations to exchange data with India. As similar regulation gets increasingly implemented globally, it will hold most organisations to the same high standards of data management, and put the control of data back in the hands of the individual – where it belongs.