The European General Data Protection Regulation takes effect on 25 May 2018
The new European General Data Protection Regulation (GDPR) will apply from 25 May 2018, only 24 weeks from now. It will fundamentally change the way companies may handle personal data, and organizations across all industries are preparing to manage its considerable impact. To this end, Global Executive MBA alumna Mae Hansen and her colleagues at Match-Maker Ventures have dedicated an entire task force to identifying, globally, how large organizations can comply with the GDPR by partnering with small and versatile tech start-ups. For this edition of our newsletter, they have put together a brief guideline for all companies that are challenged by the GDPR.
Be prepared for GDPR's impact to extend beyond the EU: companies established anywhere in the world are covered when they process personal data of data subjects "in the Union" in connection with offering them goods or services or monitoring their behaviour (Article 3), and more countries are expected to follow the EU's lead.
Take a positive approach towards GDPR, understanding it as an opportunity to maximize consumer trust and the value of your data, not just as a threat to your organization.
Be creative when it comes to obtaining consent: GDPR's stricter rules are not the end of data monetization, but they do require solutions that make giving (and withdrawing) consent easy and smooth for customers.
To prepare for the regulation, its requirements can be broken down into six key business capabilities.
Clearly define personal data governance
Companies need a framework for managing internal access and processing rights. Since many breaches originate inside the company or through misused legitimate access, it is crucial to manage employees' access to sensitive data properly and to restrict processing of such data to the necessary minimum, which is both least privilege in security terms and the GDPR's own data-minimisation principle. A further governance requirement is the appointment of a data protection officer (DPO) as the person responsible for all data protection matters within the company; under Article 37 this is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, and advisable for others.
Identify sensitive data
Organizations have to identify the GDPR-relevant data they process and implement systems to find and categorize personal data across the organization: which systems hold it, which categories it falls into, and whether any of it is special-category data such as health information. This is also key to handling data subject rights efficiently, because every access, rectification or erasure request begins with locating all records about that person.
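As an added illustration of what such a discovery capability does at the data level (example code written for this newsletter, not part of the article's guideline or of Match-Maker Ventures' work): the script below classifies the columns of a few constructed sample tables by value shape and column-name hints, builds an inventory of which system holds which category of personal data, and then locates every record belonging to one person, which is the first step of an access or erasure request. The patterns, category names, sample tables and system names are assumptions made for the example.

```python
"""Personal-data discovery over constructed sample tables (added example)."""
import re
from collections import defaultdict

# Value shapes that indicate personal data. Assumed for this example; a real
# scanner would add national ID formats, postal addresses, device IDs, etc.
PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "phone": re.compile(r"^\+?\d[\d\s-]{7,}\d$"),
    "iban":  re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$"),
    "ipv4":  re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
}
# Column-name hints: names cannot be recognised by shape, and special-category
# data (Art. 9: health, religion, ethnicity, ...) must be flagged regardless of shape.
NAME_HINTS = ("name", "surname")
SPECIAL_CATEGORY_HINTS = ("health", "diagnosis", "religion", "ethnic", "biometric")

# Constructed sample data: three "systems", each a list of row dicts.
SYSTEMS = {
    "crm.customers": [
        {"id": 1, "name": "Anna Berg", "email": "anna.berg@example.org", "phone": "+43 660 1234567"},
        {"id": 2, "name": "Omar Haddad", "email": "omar@example.net", "phone": "+44 20 7946 0958"},
    ],
    "billing.accounts": [
        {"acct": "A-100", "customer_email": "anna.berg@example.org", "iban": "AT611904300234573201"},
    ],
    "clinic.visits": [
        {"visit": 7, "email": "omar@example.net", "diagnosis_code": "J06.9", "client_ip": "10.1.2.3"},
    ],
}


def classify_column(name, values):
    """Return the personal-data category of a column, or None.

    Column-name hints win; otherwise the column counts as personal data when a
    majority of its non-empty values match one value pattern."""
    lowered = name.lower()
    if any(h in lowered for h in SPECIAL_CATEGORY_HINTS):
        return "special_category"
    if any(h in lowered for h in NAME_HINTS):
        return "name"
    vals = [str(v) for v in values if v not in (None, "")]
    if not vals:
        return None
    for category, rx in PATTERNS.items():
        if sum(1 for v in vals if rx.match(v)) * 2 > len(vals):
            return category
    return None


def build_inventory(systems):
    """Map each system to {column: category} for the columns holding personal data."""
    inventory = {}
    for system, rows in systems.items():
        columns = defaultdict(list)
        for row in rows:
            for col, val in row.items():
                columns[col].append(val)
        found = {}
        for col, vals in columns.items():
            category = classify_column(col, vals)
            if category:
                found[col] = category
        if found:
            inventory[system] = found
    return inventory


def locate_subject(systems, inventory, subject_email):
    """Every (system, row) whose email-classified column equals the subject's
    address: the starting point for an access or erasure request."""
    wanted = subject_email.strip().lower()
    hits = []
    for system, cols in inventory.items():
        email_cols = [c for c, cat in cols.items() if cat == "email"]
        for row in systems[system]:
            if any(str(row.get(c, "")).lower() == wanted for c in email_cols):
                hits.append((system, row))
    return hits


if __name__ == "__main__":
    inv = build_inventory(SYSTEMS)
    for system, cols in inv.items():
        print(system, cols)
    for system, row in locate_subject(SYSTEMS, inv, "anna.berg@example.org"):
        print("subject record in", system, "->", row)
```

Shape-based detection alone misses free-text fields (names, notes), which is why the column-name hints are there; in practice the two signals are combined with a catalogue of known schemas, and the inventory is what the later capabilities (storage protection, breach scoping, consent) are built on.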
Use creative storage solutions to increase data protection
Organizations need to implement data storage solutions that enhance the protection of personal data. They should follow the principle of privacy by design (Article 25 calls it data protection by design and by default) by installing the necessary technology and taking organizational measures to mitigate the risks the regulation names: unlawful destruction, accidental loss, alteration, and unauthorized disclosure of or access to personal data. Pseudonymisation and encryption of personal data are the technical measures Article 32 mentions explicitly.
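One concrete storage design of this kind, as an added example that is not part of the article or of any Match-Maker Ventures product: direct identifiers are kept in a small, separately access-controlled vault, while the working dataset carries only a keyed pseudonym (HMAC-SHA256 of the normalised email address) plus non-identifying attributes and an integrity tag over each record, so that unauthorized alteration is detected and a leak of the working dataset alone does not expose who the records are about. The class, key handling, record layout and sample record are assumptions made for the example; only the Python standard library is used.

```python
"""Pseudonymised storage with an integrity check (added example, stdlib only)."""
import hashlib
import hmac
import json
import secrets


class PseudonymisingStore:
    def __init__(self, pseudonym_key: bytes, integrity_key: bytes):
        # Two independent keys: leaking the integrity key must not allow
        # re-linking pseudonyms to people, and vice versa.
        self._pkey = pseudonym_key
        self._ikey = integrity_key
        self.vault = {}       # pseudonym -> direct identifiers (restricted access)
        self.records = []     # working dataset: pseudonym + attributes + tag

    def pseudonym(self, email: str) -> str:
        """Deterministic, so one person always maps to one pseudonym; keyed, so
        the mapping cannot be rebuilt from a list of known addresses without
        the key (an unkeyed hash of an email address can be reversed that way)."""
        normalised = email.strip().lower().encode()
        return hmac.new(self._pkey, normalised, hashlib.sha256).hexdigest()[:32]

    def _tag(self, record: dict) -> str:
        """HMAC over a canonical JSON encoding of the record minus its tag."""
        body = {k: v for k, v in record.items() if k != "tag"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._ikey, canonical, hashlib.sha256).hexdigest()

    def store(self, email: str, name: str, attributes: dict) -> str:
        """Split a person's data: identifiers go to the vault, the rest to the dataset."""
        p = self.pseudonym(email)
        self.vault[p] = {"email": email, "name": name}
        record = {"subject": p, **attributes}
        record["tag"] = self._tag(record)
        self.records.append(record)
        return p

    def verify(self) -> list:
        """Indices of records whose content no longer matches their tag."""
        return [i for i, r in enumerate(self.records)
                if not hmac.compare_digest(r.get("tag", ""), self._tag(r))]

    def records_for(self, email: str) -> list:
        """Records about one person; needs the pseudonym key, not the vault."""
        p = self.pseudonym(email)
        return [r for r in self.records if r["subject"] == p]

    def erase(self, email: str) -> int:
        """Erasure request: drop the vault entry and every linked record."""
        p = self.pseudonym(email)
        self.vault.pop(p, None)
        before = len(self.records)
        self.records = [r for r in self.records if r["subject"] != p]
        return before - len(self.records)


if __name__ == "__main__":
    # Keys would come from a KMS or HSM in production; generated here for the demo.
    store = PseudonymisingStore(secrets.token_bytes(32), secrets.token_bytes(32))
    store.store("Anna.Berg@example.org", "Anna Berg", {"plan": "gold", "visits": 3})
    print(store.records)   # neither the email nor the name appears here
    print(store.verify())  # [] until a record is altered
```

The vault is where encryption at rest and the strictest access control belong; pseudonymised records remain personal data under the GDPR as long as the vault or the pseudonym key exists, so this design reduces exposure rather than removing the data from scope.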
State-of-the-art data protection and breach notification system
Companies will need security systems that protect personal data and detect personal data breaches. GDPR also tightens breach notification duties: the supervisory authority must be notified of a personal data breach without undue delay and, where feasible, within 72 hours of the company becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals; where the risk is high, the affected individuals must be informed as well (Article 34). Meeting that deadline presupposes that a breach is detected and escalated quickly in the first place.
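To show what "detecting" looks like in practice, here is an added example (written for this newsletter, not from the article or from any Match-Maker Ventures tool) of one detection rule run over constructed audit log lines: an account that exports more than a threshold of rows from tables the data inventory marked as holding personal data within a sliding window raises an alert, and each alert carries the 72-hour notification deadline counted from the moment of detection. The log format, threshold, window, table names and sample lines are assumptions made for the example.

```python
"""Bulk-export detection over audit log lines, with the Article 33 clock (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) table=(\S+) rows=(\d+)$")
WINDOW = timedelta(minutes=10)
THRESHOLD = 1000             # rows of personal data one account may export per window
NOTIFY_WITHIN = timedelta(hours=72)

# Tables the data inventory marked as holding personal data (assumed).
PERSONAL_DATA_TABLES = {"crm.customers", "billing.accounts", "clinic.visits"}

# Constructed sample audit lines, in time order (not real logs).
SAMPLE_LOG = """\
2018-05-26T09:14:02Z user=jdoe action=export table=crm.customers rows=12
2018-05-26T09:20:15Z user=svc_etl action=export table=crm.customers rows=600
2018-05-26T09:25:40Z user=svc_etl action=export table=crm.customers rows=450
2018-05-26T10:02:11Z user=svc_etl action=export table=crm.customers rows=300
2018-05-26T22:41:03Z user=jdoe action=read table=billing.accounts rows=1
2018-05-26T22:44:55Z user=jdoe action=export table=billing.accounts rows=800
2018-05-26T22:49:30Z user=jdoe action=export table=clinic.visits rows=500
"""


def parse(line):
    """(timestamp, user, action, table, rows) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4), int(m.group(5))


def fmt(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def detect(lines, tables=PERSONAL_DATA_TABLES):
    """Sliding-window sum of exported rows per user; alert when it exceeds THRESHOLD."""
    windows = defaultdict(deque)   # user -> deque of (timestamp, rows, table)
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, action, table, rows = parsed
        if action != "export" or table not in tables:
            continue
        q = windows[user]
        q.append((ts, rows, table))
        while ts - q[0][0] > WINDOW:   # drop events that fell out of the window
            q.popleft()
        total = sum(r for _, r, _ in q)
        if total > THRESHOLD:
            alerts.append({
                "user": user,
                "rows": total,
                "tables": sorted({t for _, _, t in q}),
                "detected_at": fmt(ts),
                # Art. 33: notify without undue delay and, where feasible, within
                # 72 hours of becoming aware. Detection time is used here as the
                # conservative start of that clock.
                "notify_by": fmt(ts + NOTIFY_WITHIN),
            })
            q.clear()   # one alert per burst, not one per additional line
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Whether the second alert (a human account exporting billing and clinic data late in the evening) is a breach at all is for incident response to decide; the rule's job is to make the event visible early enough that the 72-hour window is still usable when that decision is made.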
Consent generation and consent management system
Companies need to implement a system for obtaining, storing and managing GDPR-compliant consent, which must be freely given, specific to a purpose, informed and unambiguous, demonstrable by the company afterwards, and as easy to withdraw as it was to give (Article 7). Consent collection should cover all online and offline channels, including the company website, email, messengers, and even direct mailing and in-store approaches.
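An added example of the storage and management half of such a system (written for this newsletter; not the article's design and not OptInk's or any other Match-Maker Ventures product): an append-only ledger in which every consent decision is an event carrying the purpose, the channel it came through, the privacy-notice version shown, and evidence of the affirmative action, so that the company can later demonstrate consent. Whether processing for a purpose is permitted is answered from the latest event for that person and purpose at the time in question, and withdrawal is recorded the same way as consent. Purpose names, channels, the subject identifier and the field layout are assumptions made for the example.

```python
"""Append-only consent ledger for purpose-specific, withdrawable consent (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    subject: str          # subject identifier (here a normalised email address)
    purpose: str          # exactly one purpose; bundled consent is not specific
    granted: bool         # True = consent given, False = refused or withdrawn
    at: datetime          # when the decision was made (timezone-aware)
    channel: str          # web, email, in_store, mail, ...
    notice_version: str   # which privacy notice the person saw
    evidence: str         # e.g. form field id, signed slip reference


def utc(*args):
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(*args, tzinfo=timezone.utc)


class ConsentLedger:
    def __init__(self, purposes):
        self._purposes = set(purposes)   # the catalogue consent may refer to
        self._events = []                # append-only; never edited in place

    def record(self, subject, purpose, granted, at, channel, notice_version, evidence=""):
        if purpose not in self._purposes:
            raise ValueError(f"unknown purpose {purpose!r}")
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        # Consent must be an affirmative act: a pre-ticked box or silence is not consent.
        if granted and not evidence:
            raise ValueError("granting consent requires evidence of an affirmative action")
        event = ConsentEvent(subject.strip().lower(), purpose, bool(granted), at,
                             channel, notice_version, evidence)
        self._events.append(event)
        return event

    def withdraw(self, subject, purpose, at, channel):
        # Withdrawal needs nothing beyond the request itself (Art. 7(3)).
        return self.record(subject, purpose, False, at, channel, notice_version="")

    def is_permitted(self, subject, purpose, at=None):
        """Was (or is) processing for this purpose covered by consent at time `at`?"""
        if purpose not in self._purposes:
            return False
        at = at or datetime.now(timezone.utc)
        subject = subject.strip().lower()
        latest = None
        for e in self._events:
            if e.subject == subject and e.purpose == purpose and e.at <= at:
                if latest is None or e.at >= latest.at:
                    latest = e
        return bool(latest and latest.granted)   # nothing on record means no permission

    def history(self, subject):
        """Everything recorded about one person: for an access request or an audit."""
        subject = subject.strip().lower()
        return [e for e in self._events if e.subject == subject]


if __name__ == "__main__":
    ledger = ConsentLedger(purposes={"newsletter", "profiling"})
    ledger.record("Anna.Berg@example.org", "newsletter", True, utc(2018, 5, 25, 10, 0),
                  "web", "2018-05", evidence="checkbox nl_optin")
    print(ledger.is_permitted("anna.berg@example.org", "newsletter"))   # True
    print(ledger.is_permitted("anna.berg@example.org", "profiling"))    # False
    ledger.withdraw("anna.berg@example.org", "newsletter", utc(2018, 6, 25, 10, 0), "email")
    print(ledger.is_permitted("anna.berg@example.org", "newsletter"))   # False
```

The point-in-time query matters for audits: a marketing send in June was lawful if consent stood in June, even if it was withdrawn in July, and the ledger can prove both facts because nothing is ever overwritten.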
Data processing documentation and risk assessment
Organizations need processes for the continuous documentation of their processing activities (the records of processing under Article 30) and for the risk assessment of new processing activities, including a data protection impact assessment where the processing is likely to result in a high risk to individuals (Article 35).
Lastly, organizations need to understand GDPR as an opportunity, not only as a threat. The GDPR gives organizations the chance to redefine the way they use and process personal data, ideally by putting their customers at the centre of their re-engineering efforts.
The matrix below shows how the capabilities above open up opportunities to increase trust and transparency, how they can increase the value of data, and how they can help optimize marketing and customer targeting.
GDPR also presents an opportunity for companies to partner with small, versatile tech start-ups. The new data protection obligations require advanced and innovative solutions, and established companies can benefit from the execution speed and focus that distinguish start-ups from other GDPR offerings in the market. The new requirements for consent, for example, make it difficult for companies to ask customers for permission to process their personal data via the channels they used in the past. New and creative solutions are needed, which is exactly where start-ups come into play: they can offer targeted solutions for this one aspect of GDPR that are innovative and can be rapidly deployed in any organization.
Barbara Stockinger is a first year student of the Strategy Management Control Master Program at WU. At Match-Maker Ventures she is active as a Startup Engagement Manager. She is also the head-organizer of next year’s Entrepreneurship Avenue at WU.
Christoph Prager works as start-up engagement manager at Match-Maker Ventures, where he leads the GDPR focus area. At OptInk, one of MMV’s portfolio companies, he drives business and product development.
Use the European General Data Protection Regulation as a chance: in the short program "Data Science" you can learn how to prepare your company for the upcoming regulation. Get more information here.