We were privileged to host an event today in London on what is clearly a very hot topic: the GDPR. Every seat was full and the level of audience engagement was high, indicating just how much the GDPR is on everyone's mind.
You can find the event slides here.
Vanessa Barnett of Keystone Law opened the event with a comprehensive overview of what the legislation actually contains. That is an impressive feat in 30 minutes, and her deck contains a lot of useful extracts from, and interpretation of, the legislation. She also referred to a number of useful ICO documents, including one on what to do straight away.
Vanessa's overall message was not to panic, but that businesses, all businesses, need to get started as soon as possible. There are no exemptions. On a positive note, Vanessa made the point that data privacy compliance is now shifting to be risk-based rather than a tick-box exercise. Businesses need to assess what risk they face from holding personal data and properly account for that risk. Once that is done, the burden of compliance should become less, not more. Equally, being really good at this is an opportunity to turn compliance into a competitive advantage.
I also had the pleasure of catching up with Vanessa for a quick podcast where we ran through some of the questions from the audience.
Martin Sweeney, CEO here at Ravelin, followed with more practical information on how businesses need to tackle the issue of consent. The core advice from the ICO can be found here. In brief summary, the way we gain consent is going to have to change: under the GDPR, consent must be freely given, specific, informed and unambiguous. Many of us are familiar with the detailed privacy permissions we see on our Facebook privacy page. Pages like this will need to become much more commonplace as businesses seek to prove they have consent to use data in the ways they have explained to their customers.
Martin echoed Vanessa’s point that companies that invest in truly understanding the requirements here and excelling at their implementation will not only protect their business but also open up the opportunity of using compliance for advantage.
Finally, Mike Haley, Deputy Chief Executive of Cifas, talked about the practical implications of the GDPR in his organisation, where he has led the taskforce on this for a year. Cifas is especially sensitive to the GDPR because its entire operation is based on the sharing of data among organisations. They have been tremendously successful in testing whether the various ways they consume and treat data are going to be compliant. Additionally, they have succeeded in establishing fraud prevention as a legitimate interest that does not require consent (the GDPR's recitals expressly name fraud prevention as a legitimate interest of the controller), the reasoning being that users engaged in crime forfeit many of the protections consent would otherwise give them. Cifas is therefore a very good example of an organisation that is using the GDPR to its advantage.