
The Commercial Context of Privacy Compliance

John Eustace - 20 January 2017


The Commercial Context

Throughout our training courses, we assess how the processing of personal data by organisations, for their legitimate, commercial purposes, is the key focus of Data Protection legislation. This focus will become ever-more intense when the General Data Protection Regulation (GDPR) becomes law on May 25th 2018.

In the same way that a company's efficient, creative use of data can enhance its reputation and build customer loyalty and market share, it is constantly evident how poor data management can damage a hard-won market position, tarnish an organisation’s brand and reputation, and do irreparable harm to the credibility and performance of companies and of their senior executives.

Throughout, one must assess three essential perspectives regarding the management and processing of personal data:

1. The Personal Perspective 
2. The Professional Perspective 
3. The Commercial Perspective

1. The Personal Perspective 

At an individual level, we get to ask, among other things: 

  • Who has my data?
  • How did they get it?
  • Why do they have it?
  • How long are they going to keep it?
  • With whom will they share it?
  • While they have it, will they keep it safe?
  • Can I see what information they have which relates to me? 

2. The Professional Perspective 

Managers and executive decision-makers within organisations must pose the following or similar questions throughout the data life cycle; i.e. the period during which personal data is held and processed by their organisation:

  • What is our specific purpose in acquiring this data?
  • What is the minimum range of personal data we require for that purpose?
  • Where will we source this data?
  • How clearly will we state our intended purpose?
  • How long will we keep the data?
  • In what way can my data management decisions bring the organisation into non-compliance?
  • What are the risks to which the data might be exposed?
  • What measures are we taking to protect the data against such risks?


3. The Commercial Perspective 

The entity ultimately responsible for compliance under the Data Protection legislation is the data controller, the individual organisation responsible for the acquisition, retention, use and destruction of the data. As a whole, the staff, senior management and executive of the organisation must constantly ask:

  • In what ways might the organisation’s processing of this data enhance or damage our brand?
  • To what extent is our brand reputation tied up in our data management practices?
  • How dependent are we on our data quality in order to deliver excellent service?
  • How strong is our customer loyalty, and what are we doing to protect it?
  • How safe is our data – is it protected from unlawful access, unauthorised processing?
  • What formal processes and policies are in place to ensure Data Protection compliance?
  • How much time do we invest in raising staff awareness of their Data Protection obligations?
  • Where is our data at any time – to whom do we give it, how closely do we monitor their activities?
  • How soon would we know if we have had a Data Protection breach or incident?

During the coming months, as the run-in to the GDPR entering into law picks up speed, we will see increasingly complex challenges posed by the new legislation for controllers and processors alike as they look to strike a balance between these three perspectives in any data processing activity. There are interesting times ahead!
