The ownership and sharing of personal information is making the headlines on a near-daily basis. As the 25 May deadline for the General Data Protection Regulation (GDPR) looms, businesses in Ireland North and South are busy assessing their obligations.
“Don’t see GDPR as a one-off event or simply a hurdle to clear – it is best regarded as a compliance journey with GDPR part of the route, not a destination,” says Shaun Murphy, Managing Partner of KPMG, who believes that it is essential to “have a clear strategy that deals with both the opportunity and risk that data provides.”
Murphy leads an organisation of almost 3,000 people across the island working with clients in all sectors of the economy. “Each of these entities, regardless of size, has an opportunity to unlock real value in their data,” but to do so requires seeing the full picture. Ten years ago, energy giants dominated the list of the world’s most valuable companies. Now, it is led by tech companies with access to vast amounts of information, and data has been described as the ‘new oil.’ Murphy points to the US, where the title ‘Data Scientist’ is one of the fast-growing job titles categorised on LinkedIn. According to Shaun Murphy, “Data is an asset and a liability.” Treat it as such, he believes, and the possibilities are significant. “Viewing data as an asset opens the door to opportunities to create value. From deeper insights into consumer and customer behaviour and purchase patterns to fraud detection – data can deliver powerful, actionable insights for business.”
However, the way that personal information is collected, stored, used, disclosed, shared and disposed of is a leadership issue that is also potentially problematic. Businesses could face fines of up to €20m or 4pc of annual global turnover for GDPR non-compliance - whichever is the larger figure. Ireland’s Data Protection Commissioner Helen Dixon has said that such sanctions are necessary “to grab the attention of industry”. It’s in this context that Shaun Murphy articulates some basic principles all organisations should consider - not just prior to May 25, but for the foreseeable future. The first is that of privacy.
“Customers and consumers want to trust those they do business with. One of the easiest ways of damaging or destroying this trust is to abuse personal information.” Murphy believes that “People are entitled to know what is being done with their personal information — and they expect you to be able to tell them.” This means understanding and leading on issues including your organisation’s privacy obligations, risks, and if your compliance strategy is fit for purpose. Murphy says that it comes down to some very basic questions for business leaders, including “Do I have a clear view of what personal information is being processed where, by who and for what purpose? And importantly, how was such data acquired?”
And what of Brexit? “Any company with cross-border or cross-channel operations dealing with data from EU data subjects needs to comply with the GDPR,” says Murphy. “The nature of business means that many organisations are likely to handle such data in some form — even if this means just one customer or employee. The GDPR impacts collection, use, transfer and disclosure of data, on a global scale, for organisations outside of the EU, which is likely to have considerable impact post Brexit.”
With many Irish-based businesses involved in subsidiaries, outsourced providers and activity such as M&A, Murphy says, “The onus is on the CEO and the board to ensure that every part of the value chain applies the same high standards of privacy.” And it’s not just about customers, says Murphy: “Employees in the EU also fall under the GDPR so financial, health and other sensitive, personal information needs to be handled in a way that meets the new standards.”
“The issue of trust extends to keeping data safe,” says Murphy. The use of data is also strongly related to its security, data breaches and cyber-attacks. “The best approach is to consider when, not if, such events will take place. The board needs to take responsibility for understanding the risk, impact and crisis management response to a data breach or cyber-attack.” Nor is it just an internal challenge. Murphy cites monitoring both internal and third-party supplier compliance in respect of privacy and security as additional issues to consider.
Murphy concludes: “May 25 will come and go yet the obligations and opportunities will remain. Leadership on data should be part of a proactive risk management approach that is customer-centric with transparency, security and accountability second nature to everyone in the organisation.”
This article originally appeared in The Irish Times on 19th April and is reproduced here with their kind permission.