Digital transformation and privacy are inextricably linked. The former encompasses much more than technology; it's a process and mindset, where the right mindset affects our business outcome. For example, in the minds of many businesses, implementing data privacy regulations – in particular the General Data Protection Regulation (GDPR) set to take effect as of May 25, 2018 – simply consists of boxes their customers must check before using their services. These same businesses are compelled to spend $7.8 billion in the next year on GDPR compliance, and many view the new EU regulation as a hostile threat to European business prosperity.
"We're all going to have to change how we think about data protection."
Elizabeth Denham, UK Information Commissioner at the ICO
But these same businesses have an opportunity to do so much more than simply meet GDPR compliance. It is an opportunity to become a leader in embracing a new culture and mindset by adopting new practices that pave the road to greater innovation. At the same time, these new innovative practices will allow for greater security and resilience. Those who originally feared the GDPR will soon realise that the regulations will drive more growth in the digital economy, rather than less.
Moving Beyond the Tick-Box Compliance
To embrace this mindset, organisations must move beyond tick-box compliance with regard to data privacy and replace it with a culture of understanding and accountability. This new culture puts the protection and proper handling of information – specifically personal data – at the heart of their business processes.
That means fostering environments where employees actively protect customer data and rights to privacy at every point in the value chain. Although the strengthening of data privacy and information security throughout your organisation will require more effort, the results will be seen in new business opportunities and reduced security risks.
When examining the GDPR from a broader perspective, its essence lies in understanding and improving business and management practices and core business processes. Along with this is the ability to identify the assets of an organisation and its risk posture, closely linking it with other good business practices such as quality management, risk management or information (security) management.
A Holistic Approach to Privacy
What is the best way to establish this new type of business culture that is conducive to both cybersecurity and privacy?
Privacy is one integral element of an enterprise’s cybercapacity. Establishing a culture of privacy requires the fundamental renewal of the whole organisation rather than just offering GDPR training to employees. It is the difference between adding a sugar-coated layer of compliance versus change enablement, which promotes real change from within.
Change enablement lays a foundation for the enterprise and its people to implement new approaches in digitalisation and understand their ramifications, effectively enhancing performance and delivering better business results across the entire value chain. Only then can a true culture of privacy evolve within an organisation.
The real goal of GDPR is not to add a layer of compliance. As Elizabeth Denham put it, it's getting people in organisations to start thinking differently. But she doesn't come up with a plan of how this change in mindset will take place. The way to get people to change is by enabling organisations and the workforce within them to adapt their work behaviour and their innovation capabilities at every point in the value chain. Depending on the digital maturity of the organisation, I offer two approaches below.
Fostering a Culture of Privacy through Change Enablement
Change enablement requires setting up an organisation to support it from a much earlier point than in compliance. Depending on the digital maturity of the enterprise, change enablement has different functions:
A start-up working on a Minimum Viable Product (MVP), for example, is in a privileged position. It can build the necessary privacy measures from scratch (data protection by design and by default), and thereby establish this mindset as early as the seed phase. Change enablement then serves to ensure continuity in data protection by design and default (e.g. when a new technology is deployed or when there is large-scale processing of special categories of data). The start-up establishes the necessary awareness to start building a culture of privacy, which will be strengthened further in the post-seed phase.
Traditional businesses, on the other hand, that had only casually complied with the Data Protection Directive 95/46/EC, now need to pull up their socks to meet the necessary measures of the GDPR. The brutal truth is that the GDPR disrupts some of their value chains, organisational structures, operational processes, revenue models and the way people work and collaborate. They will have to make use of the full potential of change enablement, from needs analysis to continuous renewal, to establish a privacy culture.
The rewards for using change enablement are tremendous: Not only will employees be able to realise the full potential of the new regulation, but all organisations, both startups and established enterprises, will have a golden opportunity to build trusted relationships with their customers and by doing so, further shape innovation, realising the full potential of the new gold of the digital age. Change enablement is what makes the GDPR a blessing in disguise.
To see how this works, visit our next blog post for a real-life example.
Digital transformation advisor | Privacy expert | Cyber anthropologist | Author