January 29th 2020 – By Adrian Barrett

My data prophecy? More regulation is on the way

Originally published in City A.M.

In 2018, a new elephant entered the room. A giant EU elephant called the General Data Protection Regulation (GDPR). GDPR and data privacy became, slightly bizarrely, a subject that was talked about in offices and in pubs. Even my proverbial aunty knew what it was. 

In corporate land, there was a frenzy of preparation ahead of D-Day (or should that be G-Day?) on 25 May 2018 — the deadline for implementing the new rules. In fact, it had a whiff of Y2K paranoia about it. 

This was a new type of far-reaching regulation that demanded a huge change of culture and control, with terrifying fines promised for those caught napping. 

An elegant idea

The root of GDPR is utterly sound and elegantly simple. All that personal data that your business is processing? It’s not yours anymore, it’s theirs, that of the individual users. Treat that data as you would want your own data to be treated. Know what data you’re holding, why you’re holding it, and bin it when you don’t need it anymore. Delete it if requested. And tell people if you’ve lost it (but please don’t lose it).

But almost two years on from D-Day, what will happen next? As West Berkshire’s resident Nostradamus, I hereby prophesise that the trend for more data regulation will continue. 

If it doesn’t, find me on LinkedIn in 2025 and I’ll buy you a pint as compensation for all that technology you’re going to need in this new “Generation Privacy”. 

Here’s why I’m so confident about this prophecy. 

Track any great innovation wave — railways, aviation, telephony, to name but a few. All started with great hope and rapid innovation. The consequences for society were profound. But inevitably, with the fearlessness that the pioneers brought, came an appetite for risk that exposed users to harm — whether physical or financial. 

Therefore, as sure as night follows day, more regulation will come. Perhaps we will look back at the wave of innovations surrounding the data age as the most profound of all. What is clear is that we are still at the beginning of this journey, and GDPR is the first regulation to get companies to take the subject seriously.

So, what can we learn from those businesses which are doing it the right way?

First, make data governance easy. Have a simple, memorable set of data protection and governance principles that become ingrained into your workplace culture.

Next, treating data protection as a box-ticking exercise won’t cut it. If you are, ask your staff about it — they simply won’t know if they are securing, storing, and sending data properly. You need to help your employees do the right thing, and products that help businesses follow the rules will save you a huge amount of uncertainty. 

The next phase

As Elizabeth Denham, the UK information commissioner, said in early 2019: “For me, the crucial, crucial change the law brought was around accountability. The next phase of GDPR requires a refocus on comprehensive data protection — embedding sound data governance in all of your business processes.”

Really though, this process doesn’t need to be all worthy regulation and tiresome policies. Done properly, data protection and governance have a happy side effect. Several companies that we work with are seeing enormous benefits in having a comprehensive, searchable index of all the information they hold. 

Think about it this way: if data is the new oil, being able to mine it will seem like a sure-fire way to get your board signed up to taking its protection more seriously.