Despite their positive intentions, legislators and regulators have posed major problems for corporate counsel by failing to foresee the enormity of the task of auditable compliance, in both the public and private sectors.
So, if anything, as we approach the two-year mark it is a timely opportunity to reflect on whether or not guidance from legal practitioners – in-house or external – has been capable of execution.
GDPR policy direction and regulatory enforcement
Compliance: The story so far – the good and the not so good
In practical terms, the private sector has largely taken the GDPR seriously, providing direction on active and demonstrable consent to retail customers. Anecdotal evidence has also suggested that the “privacy by design” concept is being respected when it comes to integrating compliance features into new products and services. In one instance, the CDO of a global, UK-headquartered bank has made sure that anonymisation is in place when analysing its Personal Data to improve its wealth management products and services.
Yet, surprisingly, large institutions, especially in the insurance and recruitment sectors, are still at a mid stage of data discovery. This includes identifying precisely where, and in what form and volume, Personal Data lies across their legacy data landscape. As a result, such discovery should be urged by legal counsel, along with a gap analysis of their processes and technology – at least to provide an in-flight road map for remediation.
Beyond sanctions: The business benefits of successful compliance
While defending against fines and reputational damage is undoubtedly front of mind for the private sector, there are several positive upsides to effective GDPR compliance – all worth the attention of legal practitioners.
- Promoting GDPR compliance to improve operational efficiency
Deleting unwarranted Personal Data has led two major UK insurers to proactively downsize the “dark data” they hold, which on average represents in excess of 30 per cent of all information held by a corporate. This has resulted in reduced back-up and data storage costs and, in turn, increased ROI. Simultaneously, they have effectively cleansed their data in anticipation of executing digital transformation initiatives.
- Using GDPR as a benchmark for better due diligence during M&A
This applies both from the point of view of a subsidiary sale and to the data discovery necessary on a subsidiary purchase.
- Provisional linkage of data in all formats for revenue gains
By ensuring compliance, organisations are able not only to facilitate replies to a Subject Access Request, but also to achieve greater goals from compliant data mining and value extraction – ultimately leading to enhanced revenues.
The GDPR ambiguity
For legal counsel, the GDPR has sparked a host of complex issues from both the regulatory enforcement and policy guidance side. However, for the perceptive, the regulation has, somewhat paradoxically, provided a key opportunity for achieving key business goals and driving a competitive edge.
Legal counsel and internal compliance teams need a full 360-degree view of the GDPR and should promote the benefits of the regulation.