GDPR for dummies

It’s been clear for some time that data laws need to change and will be changing, but quite often the terms in which this is discussed are vague, sensationalist or highly technical. We’ve created a simple guide for those who want to know what the new regulation is and what its impact is likely to be.
Kirsty Bell

Kirsty steers many of Nile’s key relationships, and has consulted on topics from transformation and people & change, to operating models and their fitness for the future.

What is GDPR?

On 25 May 2018, the General Data Protection Regulation (GDPR) becomes enforceable across the EU, including the UK. The law aims to give individuals more control over their personal data and to replace the patchwork of national rules with a single set of rules that applies in every member state.

Why should businesses care about GDPR?

Although this law comes from the EU, it will have a global impact. It applies to any business, wherever it is located, that holds personal data on customers, prospects or employees based within the EU, and such businesses need to prepare for the change now. Businesses that ignore the law can be fined up to €20m or 4% of their global annual turnover, whichever is higher.

Giant fines aside, it’s worth remembering that data protection is more than a compliance issue. Customers care about their privacy and expect businesses to respect that. It’s good business sense to demonstrate that you ‘get’ this cultural aspect, as well as the financial one.

What are the new rules?

The rules are very complex, but our advice is not to be overwhelmed by them or to see the GDPR as your enemy. If you build the rules into your organisational culture rather than being tyrannised by them then they will help you manage data more effectively, internally and externally.

The rules can be grouped into six themes (as outlined in the infographic):

  1. Know what you have, and why you have it
  2. Manage data in a structured way
  3. Know who is responsible for it
  4. Encrypt what you wouldn’t want to be disclosed (the regulation names encryption as a measure that can remove the duty to notify affected individuals after a breach, provided the keys were not also compromised)
  5. Design a security aware culture
  6. Be prepared — expect the best but prepare for the worst

What is the impact on businesses?

The impact on businesses will undoubtedly be huge. The new rules will require businesses large and small across the globe to transform their policies, structures and personnel to ensure compliance. Data protection and security have to be built into the fabric of an organisation rather than farmed out or siloed. So while your security and compliance people should be very concerned with getting the detail right, every other colleague should be aware of the principles and care about them, at every level and in every discipline.

However, as noted above, if businesses and organisations treat this as an opportunity to present themselves to their customers and target audiences as more responsible and empathetic about data, that cannot be a bad thing. It will be particularly valuable where it enables stronger relationships, because it offers the basis for more equality and trust between businesses and their customers.

What does it mean for the consumer?

While many consumers may not be aware of the change, many will begin to notice differences in how businesses and organisations communicate with them. Privacy notices will be more transparent, consumer rights will be upheld and publicised, and news about data breaches will travel faster and be harder to cover up: the regulation requires breaches to be reported to the supervisory authority within 72 hours, and affected individuals must be told when a breach puts them at high risk. It may seem to some consumers that data is less secure after the change simply because the volume of news about breaches will increase. While they may be concerned by this, they will also be reassured by the sizeable fines for unscrupulous and sloppy data management.

The Nile view

Our view is that, in addition to making sure the regulation improves customer experience, this is a great opportunity for businesses and organisations to think about how they make data protection part of their day-to-day culture. This is the ideal time to review employees’ attitudes to and understanding of data protection, and to gather the insight that will help organisations plan a smooth transition to the structures and processes needed for effective adherence to the GDPR.

Nile work with blue chip companies on transformation and adoption programmes like this, injecting the necessary insight from the employee level to ensure successful changes to the way organisations work. Talk to us about how we can help your business get ready for GDPR.

In the meantime, here is some further reading. We found the following resources and articles helpful in preparing this piece: