Data regulation compliance can be seen as an opportunity for organisations to improve the way in which they handle data, and bring their processes up to speed in a digital era.
- By Sandhya Ramdhany, Legal Director at Oracle South Africa
When many people think of data-driven businesses the temptation may be to think of major online retailers or social media companies. But the reality is, organisations of all sizes, across all sectors are getting closer to their data in order to improve and personalise the customer experience or the way they work, create new opportunities, or even to transform entire industries.
The UK’s NHS Business Services Authority (NHSBSA) recently uncovered insights in its data that have helped it improve patient care and uncover nearly £600 million in savings. The benefits are not restricted to organisations in developed markets; in India, a new crop of financial institutions have reimagined credit checks for the country’s unbanked population, assessing people for small business loans based on an analysis of their social media data.
But while the rise of data-driven business models has made life better for many people it has also raised concerns about how organisations collect, use and manage our information. The issue is not limited to how companies store and protect the data they hold, but also who has access to that sensitive data.
In South Africa, the Protection of Personal Information (PoPI) Act states that organisations must take appropriate measures to protect personal information against unlawful access or processing, as well as loss, damage, or unauthorised destruction.
Europe’s General Data Protection Regulation (GDPR) becomes enforceable from 25 May 2018, requiring data protection ‘by design and by default’, in addition to the right to access and the right to erasure amongst others. Companies will need to account for data security, the extended rights of individuals, documentation and security audits, and data breach notifications.
Non-compliance can result in significant penalties - up to R10 million, imprisonment of up to 10 years, or both in the case of the PoPI Act, and up to 4% of global revenue or €20 million, whichever is greater (GDPR) - as well as the accompanying reputational harm to those found short.
This does not just apply to businesses based in Europe; anyone using the personal information of European Union citizens or residents - whether a bank or a retailer with customer data, or even a third-party company, such as a technology company hosting that data - will have to comply.
Compliance must be a team effort. It is not something that can be achieved in, or by, one part of the organisation. Addressing compliance requires a coordinated strategy involving different organisational entities including legal, human resources, marketing, security, IT and others. It only takes one part of the business to be out of alignment for compliance efforts to fail. Ultimately, its importance is such that CEOs should be pushing their teams and appointed owners across the business to ensure compliance.
While this may bring additional effort and expense, it gives organisations an opportunity to improve the way in which they handle data, and bring their processes up speed in a digital era. As organisations increasingly turn to emerging technologies - the Internet of Things, Artificial Intelligence, and more - to drive new business value, they need to give consumers the confidence to share data and use more digital services.
Telefónica, one of Spain’s largest telecoms operators, provides advertisers and content providers with anonymous audience insights so they can better tailor their content to individual users. In the interest of transparency, the company publishes the customer data it sends to third parties and gives people the option to opt out of sharing their personal details.
Not only did this help provide customers with a better user experience, but it helped the company to capture 30% of Spain’s lucrative digital media and advertising market, compared to the 2% telecoms operators contribute, on average, to the advertising value chain.
This perfectly illustrates why businesses should not just wait for regulations to arrive, and do the minimum required in the name of compliance. With major changes come major opportunities, but only for organisations that are proactive and look beyond the short-term regulatory burden.
By acting now, companies will guarantee their approach to data is compliant and gain the confidence to continue delighting customers with better, more personalised services.