We live in an internet-connected world today where companies have relatively easy access to their customers’ personal data. This can be attributed to, among a variety of other things, the shift in customer norms where people are not as skeptical of companies possessing their personal data – as long as there is a form of legal guarantee or data privacy protections in place. Governments all across the globe have been working to implement laws that will govern how companies handle data privacy, and this legal framework helps ensure that events such as data breaches are promptly reported to the relevant oversight bodies. The General Data Protection Regulation (GDPR) is an example of such a law that centers around Europe’s digital privacy.

I first learned of GDPR when working on a Customer Relationship Management (CRM) software overhaul project back in 2018 right before the new law was enforced by the European Union (EU) parliament. GDPR is a new set of rules designed to give EU citizens more control over their personal data, and aims to simplify the regulatory environment for business so both citizens and businesses in the EU can fully benefit from the digital economy (Palmer, 2019). Unfortunately, data breaches affect lots of companies each day and results in data ending up in the wrong hands. GDPR essentially ensures that companies collect data legally and by adhering to the set guidelines, and also compels them to ensure strict protection of data, or face fines of up to €20MM or 4% of annual global revenue (Nadeau, 2019).

GDPR applies to any company that handles, stores, and protects data belonging to an EU citizen, regardless if they are an EU Member State. One main example of the application of this law in the US is how companies will only be allowed to process and store data when an individual consents to the data being stored for any duration longer than the purpose for which it was collected. Another big GDPR requirement that may affect American companies is the “right to be forgotten”, a rule which gives EU citizens the power to demand data about them be deleted by the companies withholding such data in their databases (Kelion, 2019). Although EU citizens have a right to request organizations to delete their personal data, there may be situations in which the organizations won’t be able to do that (Proton Technologies AG, 2019). An example of this would be personal data that falls under HIPPA laws, which bear a mandatory archiving period before they can be deleted.

CIOs, CTOs and Compliance departments must continuously ensure that they have strict consent data management regulations in place within their companies so they don’t suffer from data loss through breaches or unwarranted access that could lead to data misuse. Companies understand that they will have significantly more legal liability in the event of data breaches as per the GDPR requirements, and it is crucial for IT leaders in organizations to ensure that the policies and technologies they put in place to support data privacy are watertight. This can be fulfilled by performing regular risk assessments such as reviewing the types of data a company stores on EU citizens to understand the risks around them. Additionally, companies can maintain a data privacy and protection plan, and ensure that their employees are fully educated on how to handle sensitive customer data in ways that will not be in violation of the GDPR law.

It is therefore important to continuously educate ourselves on better data governance principles as companies begin to rely more on data analytics to gain a competitive advantage in their respective industries. A company that strives to improve its business model around data privacy will consequently boost consumer confidence in their abilities to manage and store personal data, and this could eventually translate into more business. 

Published by

Fred Obiero