Monday 17 December 2018

We need to be on the ball for game-changing GDPR

In an era of industrialised data, the challenges are enormous and imminent

Karen O’Flaherty estimates that 28,000 data protection officers will be required across the European Union in the private and public sectors

Karen O'Flaherty

New regulations mean we're all going to have to change how we think about data protection, and make no mistake, this one's a game changer for everyone. GDPR is an acronym currently being much talked about in business, but there isn't as much public awareness. It's an EU regulation, it's imminent and it's personal. It is also going to be critically important for companies and organisations.

The General Data Protection Regulation (GDPR) is the first major overhaul of EU data regulation since 1995. To put that in context, mass commercial access to text messaging began in 1998. So it's not just an update, it's a sea change. It's intended to bring data protection from an era when post and paper were still predominant, to today. It's a different world and it's going to have a big impact, perhaps on you, when implemented on May 25.

In Morgan McKinley we work to match professionals with companies around Ireland and around the world. In the economy of the future, it is people and their knowledge who are the essential asset. You, and we, are those people and we are already living in a different era.

GDPR brings new principles into force and puts new responsibilities on those who hold or deal with data. It's going to be a big responsibility for all concerned, including us. And it comes with big consequences. Fines of up to €20m or 4pc of worldwide turnover can be levied.

From May 25 a single new set of rules on data will apply across the EU. No more data than is necessary for the purpose it is used for may be collected. To obtain personal data fairly, you must give notice of the collection and its specific purpose. You can only retain data for as long as is necessary for that specified purpose. You must keep it safe and secure and an individual whose personal data is collected must be given a copy on request.

To enforce this, each member state will establish an independent Supervisory Authority (SA) and certain organisations will be expected to appoint a data protection officer (DPO). Data after all is "the new oil". It's the key driver of social media. It is increasingly the analytical basis of more and more major decisions commercially and in government.

To prepare ourselves and our client companies we have a 30-strong team globally. Preparing is about systems, it's about information and it's about cultural change in organisations. However, it would be naïve to think we have prepared for every eventuality. A feature of the new regime is that it is based on general principles. Specificity is not always clear. That's a frustration and a challenge. It underlines the importance, however, of preparation.

Morgan McKinley has partnered with the International Association of Privacy Professionals to support ourselves and to help us support and build a community of privacy professionals globally.

We have a dual role. One is to prepare immediately and then to help client companies further by supporting the demand for future talent, by providing professionals with an accredited qualification. This will help create the pool of talent employers can choose from. Data isn't just an essential basis for business; in future data protection will be a core function of managing business. Delivering on that requirement will be challenging.

There is a real shortage of trained, skilled personnel. We estimate that 24,000 private sector DPOs will be required across the EU, plus another 4,000 in the public sector.

Think of the data your utility company holds, plus the data every retailer has about you where you are part of a loyalty scheme. That's not to mention your LEAP card, your bank records or your social media and entertainment accounts. And that is just big data. There are personal documents such as CVs, and a wide range of correspondence that would routinely come into the possession of organisations. The GDPR principles outlined above will apply. It's a seismic move intended to reassert personal control over personal data. In an era where technology has industrialised the scale of data conveyed, processed and held, the challenge is enormous and imminent.

What is not intended by GDPR is to stop or to impede business. Some conversations around GDPR resemble apocalyptic fears somewhat like those of the Millennium Bug. With preparation, commitment and resources, this is all doable. It's a move-on from a bygone era to one where people understandably want to reassert rights, in an electronic lifestyle whose development has outpaced the outdated laws in place to govern it.

The key challenge is to put in place internally the accountability required to deal with data transparently. Organisations need policies, processes and in some cases specific people to deal with data. It's about other people's rights and it's about your reputation. It's not an optional extra. It's a requirement.

There are a lot of resources for advice and support available. That's a key role we at Morgan McKinley intend to deliver on for our clients.

Karen O'Flaherty is chief operations officer of Irish-owned multinational recruitment company Morgan McKinley

Sunday Indo Business
