
ESADE


General Data Protection Regulation: 4 challenges for companies

06/2018

Last Friday, the new General Data Protection Regulation (GDPR) became fully applicable. This European regulation, adopted in 2016, aims to give citizens greater control over the data that public administrations and companies hold about them. Beyond the avalanche of emails that many users have received over the past week, the legislation poses several new challenges that companies have never faced before.


ESADE's Conflict Management Research Group, in collaboration with ARAG, organized an event at ESADEFORUM to discuss the risks that this new regulation poses for companies and the best way to deal with them.


As noted by ESADE Assistant Professor Antonio Delgado, who moderated the event, companies have had two years to adapt to this new regulation but many did not do their homework until the last moment. Although the previous law already envisaged most of the rights included in the new regulation - either explicitly or by interpretation, as in the case of the right to be forgotten - the new legislation introduces some new features that companies cannot ignore:


1. Data portability

2. Data protection officer

3. Organizational challenge

4. Mindset change


1. Data portability


This right is completely new in the regulation, so it is an important change for companies. Data portability is the user's right to receive the personal data that a company holds about him or her, or to have that information transmitted directly to another company.


This covers data provided by the customer, such as an email address, but also observed data, such as the customer's purchase history on a particular website. Companies are obliged to supply these data in a structured, commonly used and machine-readable format. "Portability is part of the right to access, but it is a challenge at the level of format and management," says Robert Madge, CEO of the Swiss company Xifrat Daten AG, adding that "it will be very difficult to do this if it is not done in an automated way."


2. Data protection officer


The new regulation introduces the figure of the data protection officer (DPO) and makes it mandatory for certain organizations, including public administrations, companies whose core activities require "regular and systematic monitoring" of individuals on a large scale, and organizations that carry out large-scale processing of sensitive data (such as health, biometric or genetic data).


The DPO, who is responsible for advising and supervising the various departments that handle personal data, also acts as the company's point of contact with the Spanish Data Protection Agency (AEPD) and with data subjects. "Even if a company is not obliged to have a data protection officer, that doesn't mean that it is not advisable to have one. It is convenient to have a figure who carries out these functions, even in the form of a specialized consultant," says María Belén Pose, Director of the Corporate Legal Consultancy Division at ARAG.


3. Organizational challenge


As the Data Protection Officer at CaixaBank, Pablo Díaz analyzes the impact of the GDPR on a large organization. "We went from a classical way of evaluating data protection aspects - which focused on legal analysis - to a methodology based on global risk analysis," says Díaz.


Díaz explains that CaixaBank has addressed this organizational challenge in its parent company as well as in the various companies that make up the group. The GDPR presents "a fantastic opportunity to gain customers' trust," he says.


4. Mindset change


As Madge points out, the new law also implies a "change of mindset for companies", which will no longer be the owners of their clients' personal data. Instead, he explains, companies should treat such information as "borrowed data."


This willingness to give citizens control over their data is also reflected in the size of the penalties envisaged by the GDPR. "The highest fines in the regulation have to do with everything that is directly related to the user," says Madge. "Security issues have lower fines."


In short, the success or failure of personal data management will depend on two factors, according to Pose: first, customers' degree of trust and what they authorize companies to do with their data, and second, the efficiency with which companies are able to use data.
