Analysis. When preparing for the GDPR, it is crucial for companies to understand that there is a fundamental difference between data protection/data privacy and data security/information security.
IT pros in particular seem to believe that encryption, firewalls, ISO standards and the like are data protection tools. Legal privacy pros, on the other hand, seem to believe data protection is only about the lawful processing of data.
However, privacy is above all about respect for the individual. It's about a fundamental human right that protects the individual. For once, it's not about business risks but about risks to the individual. It's about trust between companies and their customers (including B2B customers) and their consumers. For more on this, see the white paper from the World Economic Forum.
It's about documenting how you as a company are going to honour that trust; how you are going to fulfill your part of a relationship built on trust. And once you have documented this, you of course also need to make sure you have the protective mechanisms in place to safeguard that trust. Besides security controls, this requires control over who can access which piece of data, and when, but also ensuring that a specific piece of data is used only for the specific purposes it was collected for.
One of the biggest compliance challenges for decades
In light of the upcoming new data protection regime, preparation is crucial. The introduction of the most comprehensive data protection legislation in the world, the EU General Data Protection Legislation, together with its sky-high legal liabilities, will compel companies to act. Combined with consumers' increasing awareness of the protection of their personal data, this will challenge companies. Every one of them. However, companies that have prepared themselves for what is called one of the biggest compliance challenges in many decades will not be caught off guard. When questioned about the business case for spending resources and money on what may seem like eating a giant elephant, companies that have prepared will find themselves with a new competitive advantage while their competitors scramble. New businesses will emerge to assist companies in meeting the legal requirements.
More than compliance
But trust is also about ambition. A company may decide that compliance with the legislation is a sufficient level after weighing various parameters: sector risks and codes, the data categories processed, the nature of the data subjects, and so on. But a company may also, considering the same parameters, decide on a higher level of compliance. A higher level of ambition. And this decision will be the first step towards true data protection and not (only) data security. You can also call it data ethics.