GDPR Summary Part 3: Opportunities for Innovation from Regulation

This is Part 3 of a series of articles about how the General Data Protection Regulation affects corporate innovation. In this article we will examine how the GDPR regulation has the potential to drive innovation in the corporate environment. To recap what the GDPR is and what makes it significant, read Part 1 of the series here.

The General Data Protection Regulation (GDPR) is going into effect in less than three months, on May 25th, 2018.


Since the regulation impacts the way private citizens’ information is collected, stored and managed, companies have had to make operational adjustments in order to avoid both reputational damage and heavy fines come May 25th.

The limitations, designed to protect the privacy of individual EU citizens, address issues many companies have not placed a heavy emphasis on in the past. As a result, the GDPR has become a catalyst for innovation.

Below we will explore some of the GDPR regulations, how they impact enterprises, and how they can be turned into innovative opportunities.

Increasing Cyber Security

One of the driving factors for the implementation of the GDPR is the protection of personal data in an increasingly digital and data-centric era.

Today, data breaches are more common than ever, and until recently, companies were not obligated to divulge information about breaches. Because of this, individuals often did not know that their personal information was compromised.

Under the GDPR, companies will be obligated to notify the relevant authorities within 72 hours of becoming aware of a data breach. The need to make breaches known increases the potential reputational damage to companies that experience them.

In order to protect their customers’ data and their public reputation, companies will have to increase their preventative cyber security measures. But the GDPR does not stipulate what security precautions companies need to take, only that they need to comply with the regulation.

This leaves the door wide open for an increased wave of cybersecurity and personal data encryption innovation.

Consent for Data Capture

When the GDPR goes into effect, it will bring with it a critical change in the way companies request consent to collect and use people’s information.

Pre-GDPR this has most commonly been done through consent forms that explain how the information collected will be used. The problem with consent forms is that they are often difficult to find and even more difficult to understand.

Under the GDPR, enterprises that collect information about individual citizens must ensure that they have a consent form that is:

  1. Clearly distinguishable (that is, not hidden in a lengthy document)
  2. Easily accessible
  3. Written in plain language that is easy to read and that explicitly states how the information will be used and for what purpose
  4. Free and able to be withdrawn at any time

To help companies meet the GDPR's requirements and ensure that individuals know how their personal data will be used, more and more Personal Data Service companies have emerged, giving individuals more power over their personal data.

By integrating such tools into their systems, enterprises will be able to ensure they meet the consent laws while simultaneously heightening their credibility and trust among their clients.

Ensuring Erasure in a Digital Age

One of the things the GDPR seeks to do is give individuals rights over when their data is removed through the implementation of the Right to be Forgotten, or the Data Erasure right.

Once in effect, EU citizens will have the right to request that companies erase their personal information once there is no longer a reason to keep it.

The GDPR’s data storage limitation clause will further complicate things for enterprises. This part of the regulation states that companies will not be able to store personally identifying information any longer than necessary, regardless of whether the person requested that their information be erased.

The need to erase information when no longer needed or upon request poses a challenge for companies since many do not have the capability to quickly remove all personal data of an individual.

This will be particularly challenging for banks and financial institutions that need to retain information for a certain length of time to prove the integrity of their balance sheets.

In addition to needing to find an innovative way to remove information in a timely manner from their own servers, under the GDPR companies will also need to do the same for information processed by third party providers.

Upon receiving an erasure request, companies must ensure that the information is removed both from their own systems and from the third-party providers who may have had access to those systems.

Since many enterprises do not have built-in mechanisms that allow them to remove information when no longer needed, or to control the access their third-party vendors have, this regulation may bring with it a drastic change to enterprises’ internal systems.

To implement solutions that ensure GDPR compliance, many enterprises will find themselves in need of a system- or organization-wide upgrade. While this does pose a challenge, it is a change that is overdue for many companies and so is also a welcome innovation opportunity.

Beyond improving enterprise systems, the accountability companies will have to assume for information processed by third party vendors may drive companies to reduce their reliance on them and develop proprietary solutions instead.

The Future of Data Privacy

As the GDPR launch date approaches, many enterprises will find themselves in need of a complete overhaul of their operations. From enhancing security capabilities to changing their entire infrastructure to meet the new regulation, the GDPR will bring with it an array of challenges for enterprises.

For companies who want to avoid reputational damage and the heavy fines that come with non-compliance, the GDPR can be viewed as an opportunity.

As the companies impacted by the GDPR begin changing their operations, the way they store information, their security precautions and their attitude toward individual privacy rights, they will move their companies one step closer to the future.
