A Fundamental Shift In The Way Organizations View Privacy and Data Innovation

Christian Wiese Svanberg, Chief Privacy Officer, Head of Data Protection Unit, Danish National Police

The Implications of the GDPR

23 FEBRUARY 2017



GDPR implementation in phases


First phase: Today and towards May 2018

The Klondike days:

The Klondike Gold Rush was a migration by an estimated 100,000 prospectors to the Klondike region of the Yukon in north-western Canada between 1896 and 1899. Gold was discovered there by local miners on August 16, 1896 and, when news reached Seattle and San Francisco the following year, it triggered a stampede of would-be prospectors. Some became wealthy, but the majority went in vain. It has been immortalized in photographs, books, films, and artifacts. (Wikipedia 18 February 2017)

GDPR implementation in phases


First phase: Today and towards May 2018

The GDPR is not just a compliance task.

And mere compliance is unlikely to be a selling point. I am somewhat skeptical with regard to the “Data Ethics” movement.

Any organization regardless of size and industry must use a risk-based approach to the GDPR.

Ask the questions:

“Realizing that 100% compliance is impossible, what should our level of compliance be?”

“Where are we truly most exposed?”

GDPR implementation in phases


Second phase: May 2018 – May 2019

The “I hope it’s not me” phase

The 4% fines of the GDPR have been oversold. Several factors will limit the extent to which such fines are imposed:

They were originally intended for a limited number of businesses that trade in or share personal data aggressively.

Legal guarantees limiting the use of fines were inserted during negotiations.

Resources of the Data Protection Authorities.

GDPR implementation in phases


Third phase: May 2019 onwards

“Consolidation”

Much as was the case when the EU passed new competition rules, a reasonable level of enforcement will be found.

The best positioned companies will be those that have attained alignment between what they do and what they say.

The biggest “risk” going forward will not be the authorities but customers, as the GDPR gives individuals, NGOs and others powerful tools to wield.

Why trust truly matters under GDPR


Of all the provisions of the GDPR the ones to “fear” may be Article 21 (2) and (3):

“2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”

The C-suite and Data Privacy


Executive-level engagement is – of course – crucial, and it must be broadly scoped. Do not advocate a dedicated “cyber” board member or executive. All parts of management must have some stake. “It’s a full team sport.”

“The further you are from the individual customer, user, or citizen the higher your risk.”

“Do what you say” cannot be overemphasized. The most likely candidates for the dreaded administrative fines – when they do come – will be those companies that betrayed the trust of customers. Make sure management understands.

“Storytelling as risk management”

Regardless of what sector you are in, you must have a narrative for your use of personal data. It is easier for some companies or authorities to find, but a narrative is always there.

Better to say “we use the data you provide to make our business run smoothly” than “we comply with all applicable laws”.

If you use data for targeted advertisement then say so, in the right way. Customers will find out anyway.

If you share data, be transparent about it. The fall-out from a data breach will be far greater if it includes having to tell customers you were doing things you never clearly told them about.

Find your narrative. Compliance has to hurt a little, otherwise you are not doing it right. Help all parts of the organization understand and accept this.

If you want your customers to trust you, you need to trust them with the truth about what you are doing with their data.

Just like water, the CDO must always try to find a way to make new ideas work, but…use common sense: Be ready to support Legal & Compliance in sometimes saying no.

Key take-aways