It was an extremely interesting morning at EY’s breakfast seminar, GDPR – First Anniversary.
Through a panel discussion, we explored insights and experience of the GDPR journey provided by representation from the Data Protection Office, Information Security, Risk, Marketing and Customer Value Management. Panelists included: Victoria Groom, Head of Marketing and CVM, SSE Airtricity; Lorcan McLoughlin, DPO, KBC Bank Ireland; David Shaw, Head of Information Security, Central Bank of Ireland; and Carol Murphy, Director Risk Transformation, EY.
It is evident that there have been highs and lows in this journey, including challenges of dealing with technology dependencies, legacy systems and completing complex data protection impact assessments.
Following a whistle-stop tour of enforcement-related activities, the conversation shifted to considering the reason GDPR and other similar regulatory activity such as PSD2, the NIS Directive and the Ethical AI framework came into existence – in support of the EU’s digital single market strategy.
The EU’s “Citizen Centric” approach requires and demands regulatory guardrails to foster ‘trust’ and demonstrate “accountability” which is part of the foundation of the digital economy. Trust and accountability became our first central theme of the morning.
Of equal importance was the exploration of GDPR implications from the customer value and marketing perspective which, at times in the past, may have been considered as conflicting with the protection of personal data.
The perceived conflict was quickly dispensed with by our panel. We were asked to consider the customer in a modern digital context that strives to create a single view of the customer that is accurate, has the capacity to deliver real value and choice to the customer and at the same time provides ‘Transparency’ and ‘Rights Enablement’ – thus fostering ‘Trust’ and ‘Accountability’. Clearly, there have been challenges along the way with a retrofit required for certain activities to achieve compliance.
Information security plays a strong and significant role in the protection of personal data, which is not a new requirement but perhaps has acquired a new lens. Information security functions have long had responsibility for breach reporting and, in some organisations, for managing the information security aspects of third parties to the organisation. These responsibilities have acquired a new cross-over with the privacy function, and information security functions have the luxury of sharing their experience with their privacy counterparts.
Strong leadership buy-in, Board-level engagement and senior stakeholder commitment were frequently cited as pivotal to the successful establishment and transition of privacy programmes to a business-as-usual state, achieved through a combination of cultural change and budget availability.
In summation, it is clear that organisations are only at the start of their privacy journey and there is work yet to do. The discussions supported the following thematic predictions for the year ahead:
1. Consumer as a business stakeholder
2. Evolving business model
3. Future operating model
If you have any questions relating to any of these topics, don’t hesitate to reach out.