Businesses and professional services providers are busy getting to grips with the implications of the General Data Protection Regulation (GDPR) - and the new framework it provides.
It’s easy to view compliance as a purely internal matter; essentially a process of joining the dots to keep on the right side of the regulator. But this mindset misses the whole purpose of the new data regime: to increase consumer confidence in the digital marketplace - i.e. to enable your clients to share their data with you, secure in the knowledge that it will be kept safe.
So what are you doing in concrete terms to build that all-important client confidence? Here are some areas to focus on…
Position yourself as a ‘data security champion’
You’ve probably already heard about the new reporting requirement ushered in by the regime: i.e. data breaches causing loss or compromise of personal data need to be reported to the ICO within 72 hours of awareness.
So, instead of relying on ad-hoc data releases from industry insiders, for the first time there will be reliable Europe-wide statistics giving the full picture on the number and nature of security breaches. Expect the ICO to release these figures - and expect data security to become a hot topic.
It means that specialist areas such as encryption, multi-factor authentication and insider threat protection - i.e. things that were previously only in the minds of you and your IT manager - will, in all likelihood, appear on the radar of your clients.
“How seriously does this firm take security?” “What exactly do they do to keep my data safe?” Far from being peripheral concerns, these types of questions are likely to drive buying decisions like never before.
This has clear implications for positioning. It becomes necessary not just to be a security-conscious organisation, but to show your clients that you take it seriously - and adjust your marketing pitch accordingly.
Avoiding a bad rep
Clients are likely to become more aware than ever of data security statistics. And of course, it becomes even more of a priority to try and avoid your organisation becoming part of those statistics.
A breach doesn’t trigger a fine; but the circumstances surrounding it might well do. Adverse findings against individual firms will be in the public domain. Now’s the time for liaising closely with your IT services partners with a view to bolstering your threat barriers and improving visibility across your IT estate. Your aims here are twofold: to reduce the chances of a breach in the first place, and to enhance your ability to give a good explanation to the ICO if you find yourself in the position of having to report to them.
Avoiding a cloak and dagger approach to clients’ data rights
In areas such as the right to erasure of data, the right to receive a copy of the data and informed consent, GDPR is designed to make it as easy as possible for consumers to exercise their rights.
From a reputational point of view, this is definitely a concept businesses should embrace. Making your clients jump through hoops to get the information they request - or subjecting them to needless delay - is a sure-fire way to make them distrust you.
Right now, you should be in the process of updating your internal procedures (e.g. through standard format response letters) to make it as easy as possible for those rights to be exercised.
Above all, remember that you are not alone in formulating your GDPR response. Look for external help now to avoid being tied up with compliance and reputational issues further down the line.