GDPR - the General Data Protection Regulation - is the next wave of personal data privacy regulation from the EU and is expected to go live in mid 2018, i.e. pre-Brexit. It tightens privacy requirements in several areas and has been a recurring theme at Cyber Security events this year, including today's InfoSecurity Magazine event.
Anyone interested in "Things Digital" should ask themselves: will this act as a regulatory defensive wall for old-fashioned Bricks and Mortar / Industrial Age companies to shelter behind, or is it a new discipline and challenge for digital Vikings to embrace?
A couple of today's speakers made some interesting observations and comments:
- GDPR means that you need to know the What, Where and Why of personal data, especially customer data;
- Regulation should not drive data security; security should drive regulatory compliance;
- There is a strong case for digital companies to adopt Social Digital Responsibility as part of their brand.
In a way, it should be easier for purely digital companies to do this. They are mostly starting from scratch, with few of the problems of IT estate sprawl that many established companies carry: legacy systems and infrastructure, the complications inherited from previous, now defunct, strategies, and the tangle left behind by mergers and acquisitions. Knowing the What, Where and Why of personal data is far simpler when there is one estate to inventory rather than several.
Also, in a previous blog, I mentioned that many digital companies actually regard this data as part of their IPR. So addressing GDPR (and the requirements of other jurisdictions) should be core to their business activity, although their approaches to data collection and explicit consent may have to be sharpened up to meet the new requirements.
The implication is that a digital company that plans and builds privacy protection in from day one - what GDPR itself calls data protection by design and by default - will be building its own competitive advantage over traditional companies, most of which will be playing catch-up.