Data protection: Both a challenge and opportunity
With the implementation of the European Union General Data Protection Regulation ("GDPR") in May 2018 and, notably for Mauritius, the introduction of the Data Protection Act 2017, Clendy Dabidin, Head of Compliance for our Mauritius office, explores both the challenges and opportunities that businesses face as a result of the clampdown on data protection.
As strange as it may seem, considering the notoriety of recent fines such as those imposed on British Airways, Google and the hotel chain Marriott, until mid-2018 the changes to data protection laws were a low priority for many organisations.
There was a general misconception that the impending changes to the legislation were targeting mostly technology-oriented organisations. In fact, such interpretation reflected rather a simplistic approach to the changes coming. It took some time for organisations to realise that with the implementation of the new data protection laws - internationally, the General Data Protection Regulation (GDPR) and locally in Mauritius, the Data Protection Act 2017 - the principles around data protection had changed, were here to stay and organisations needed to abide by all of them.
Abiding by the new data protection legislation is still a significant challenge. Not only are there several requirements to implement, but there is also a need to adopt certain practices in order to avoid any potential breaches.
Additional steps make the task of compliance more complex
One of the main challenges resulting from the changes is the scope of work involved to ensure compliance. The number of requirements that need to be complied with is significant. Though it is understood that the changes were designed to make those who process and manage personal data more accountable, the scope of work that this entails is highly process-driven.
Additional steps have been added to existing processes and these have further complicated what was already a complex procedure. Tech giant Google, for example, an organisation often lauded for its innovative and market-leading technology, failed to provide enough information to users about its data consent policies and did not give them enough control over how their information is used. The end result? A €50 million fine by the French data protection regulator, CNIL.
Adapting software and hardware to comply with these changes is easier than preparing staff for a culture shift. Getting people to understand and adapt to the new approach takes considerable time and effort.
Organisations must train their staff to ensure that they understand how the new data protection laws work and how they affect their daily tasks. Furthermore, every organisation handling significant amounts of sensitive data of EU or Mauritian citizens needs to have a Data Protection Officer who must report to senior management and be independent in his/her judgment. To find the right person for this position can be a challenge in itself. In addition, depending on the complexity of the processes and the size of the organisation, more personnel might be needed to ensure compliance. This can impact heavily on the cost of operations.
New data protection laws have expanded the rights of users considerably
Users now have the following rights because of the new data protection laws:
- Right to access personal data
- Right to rectification
- Right to erasure
- Right to restrict data processing
- Right to be notified
- Right to data portability
- Right to object
- Right to reject automated individual decision-making
Although the above users’ rights are not absolute by nature, organisations must be ready to respond to the requests of users in relation to their rights. As more and more users become aware of their rights, implementing the required infrastructure to respond to their requests is vital in keeping both users and the regulators satisfied. However, as data protection laws present their own challenges, they can also provide opportunities.
Organisations can be prompted to take a fresh look at their business model
To have a clearly defined set of rules for both organisations and users can also bring about a number of opportunities to organisations. It can prompt them to take a fresh look at their business model and bring fruitful changes to it. If properly handled, this can also be an opportunity for organisations to better prepare for unforeseeable situations.
Complying with the new data protection laws can also prove to be a valuable marketing asset. To be tagged as a ‘GDPR Compliant’ organisation adds another layer of comfort to potential and existing clients, reassuring them that data protection is a business priority.
Since the introduction of the new data protection laws, there is more emphasis on risk assessment. The significant monetary and reputational damage that non-compliance has the potential to bring about has led many businesses to run regular risk assessments, enabling them to develop a more thorough and responsible approach.
GDPR has changed, and will continue to change, the way we do business, not only in Europe and Mauritius but around the world. Given that it is here to stay, can you say today that you are ready to face its challenges and seize the opportunities it can provide?
Ocorian helps its clients to comply with data protection laws by conducting reviews of existing data protection frameworks, identifying risks and recommending the required changes, amongst other corporate and secretarial support services. Find out more about our Regulatory Reporting & Compliance services here.