
GDPR compliance benefits emerge a year and a half later

While some may see GDPR as a set of restrictions, it can improve business practices. Learn more about the GDPR compliance benefits.

Enterprises around the world have had to reassess how they collect, process and store personal data over the past year and half thanks to GDPR.

The landmark data protection and privacy regulation requires that personal data, which it defines to include names and online identifiers such as IP addresses, as well as location, physical attributes, health, economic or social information, be collected for explicit and legitimate purposes and limited to the amount necessary for the purpose of its collection. In addition, data must be processed transparently and stored in a format that cannot identify the subject, except where identification is necessary for the stated purpose of collection.

The effects of the law, which applies to all organizations that do business with or employ individuals from the EU, have been felt by executives worldwide, many of whom have had to review or update their company's data retention and deletion policies. And, while GDPR has caused many organizations to experience growing pains since its May 2018 enactment, its security and privacy benefits cannot be overstated.

Correlation between compliance and improved security

Results from a Cisco survey indicated GDPR-compliant organizations are safer from breaches than noncompliant organizations: The percentage of GDPR-ready organizations affected by data breaches was 74% in 2018, compared to 89% of non-GDPR-ready companies. In addition, fewer records were affected, system downtime was shorter and monetary costs were lower in GDPR-ready organizations.

With data breach consequences ranging from fines to lost clients to public relations disasters, there are many reasons for businesses to focus on and prioritize GDPR compliance.

Many GDPR components can only improve an organization's security posture. For example, mandates surrounding privileged access management, which audits user access to critical data, reduce the chances that high-risk privileged accounts become compromised. GDPR's 72-hour breach notification requirement is also a considerable deterrent because it criminalizes cover-ups and forces accountability. Additionally, GDPR mandates that institutions handling large amounts of sensitive data employ a data protection officer who is responsible for enforcing GDPR compliance along with the organization's general data protection strategy.

[Figure: The GDPR definition of personal data. GDPR defines personal data to include name, health information, location and more.]

Using GDPR to organize and simplify operations

GDPR requires organizations to self-assess and organize to get data in order. To be compliant, businesses must review what data they have, where it is stored and under what security conditions it can be accessed. Note that it is not enough to map out how one's own organization handles personal data; business leaders must also investigate how third-party suppliers handle and use data.

While companies may be overwhelmed by the process of auditing their data retention policies and those of their third-party supply chain, conducting data inventory assessments puts them in a better position to identify what data is where in the event of a security incident. In addition, an organization may come across issues that require auditing in order to improve security, such as privileged access, which it might never have considered outside of its efforts to organize and comply with GDPR.

Another GDPR compliance benefit is the way it legislates simplification. A GDPR-compliant organization must be familiar with the ins and outs of its data retention and whereabouts -- this can simplify threat detection and response. It also makes it possible to respond to data subject requests -- a GDPR mandate stating that a data subject has the right, at any time, to obtain from the data controller confirmation of whether it holds information on the subject, what that information is and where it is stored. According to a 2019 report from the International Association of Privacy Professionals, 73% of organizations had undertaken data deletion efforts due to GDPR.

The core principle of GDPR is that personal data cannot be held longer than needed for the purpose it was collected. Consider how, prior to the GDPR start date, businesses began to improve their data governance policies in anticipation of its implementation in 2018. This commonsense principle of limiting personal data collection helps companies simplify operations by reducing the amount of data storage required. Purging data can also be a cost-cutting practice for organizations, as secure data storage is often a large expense.

Marketing trust to a privacy-literate public

GDPR has brought customer privacy and trust into mainstream conversation. This gives GDPR-compliant businesses the opportunity to message their brand to customers, employees and the general public as trustworthy and transparent. For example, EasyJet produced a video to creatively inform its audience about its privacy policy in an accessible way -- one which yielded some positive response online.

GDPR compliance benefits businesses by requiring them to perform data protection impact assessments (DPIAs), which many legal experts consider the most important component of the regulation. These self-assessments were designed to help organizations understand how their data processing and procedures impact customer privacy. By completing DPIAs, businesses can identify and mitigate aspects of their data collection and handling processes that could potentially violate GDPR policies.

DPIAs and self-evaluation of risk readiness can be communicated to the public as a proactive measure toward protecting personal data. Businesses that have suffered a data breach understand they are not always treated as victims in the news -- media and public criticism take a huge toll on their reputations. Organizations that market themselves as proactive and prove they've done their due diligence gain considerable credibility in the eyes of a public hungry for an institution that promises to take their data privacy seriously.

Business leaders would be smart to advertise their GDPR compliance -- even if they are not subject to the regulation -- to target European clients and prove they take privacy seriously.

In addition, American-based companies that employ this strategy only serve to benefit as privacy regulation efforts in the U.S., such as the California Consumer Privacy Act, ramp up.
