De-mystifying GDPR for Swiss corporations and other entities
Real challenges of GDPR – Expert interview with David Kemp
A lawyer by profession, David Kemp is an EMEA Specialist Business Consultant for Hewlett Packard Enterprise Software Division, creating business outcome solutions in the areas of Information Management and Governance. His delivery is assisted by his unique variety of experience, namely 5 years as external counsel, 10 years in the insurance industry with the Aon Group and Bank of America, 19 years at ABN AMRO Bank / RBS as Corporate Banker and Legal / Compliance Manager, and 6 years with HPE.
David Kemp, you are the EMEA Specialist Business Consultant for Hewlett Packard Enterprise Software Division, specialized in the areas of Information Management and Governance. As a lawyer and expert for the General Data Protection Regulation (GDPR) subject, you advise companies on how to comply with this EU regulation and actually benefit from it. The EU regulation applies in Switzerland and other non-EU countries. What is the relevance of this regulation to the Swiss Market and why should Swiss companies care?
The key importance of GDPR is that it applies rules in relation to anyone dealing with the Personal Data of any EU Citizen. As the EU is the largest and nearest trading bloc for Switzerland, involving major volumes of business with EU nationals, it is essential that Switzerland adopts a parallel regime of respect for data privacy and protection. If one takes the example of investment banking standards, Switzerland has similarly initiated law which mirrors that of the European Union to ensure a level playing field with EU countries.
How can a business logic for GDPR effectiveness be created, what are your recommendations?
GDPR is not simply a compliance issue. The real impact is firstly one of records management and secondly of security. There are 3 major drivers which are evidenced in Europe as a whole for GDPR compliance, namely:
a. Defensive compliance to avoid the fine of 4% of annual revenues or EUR 20 million, whichever is the higher. But more importantly, the reputational damage of ineffective data security, e.g. the Sony 2012 hacking incident which resulted apparently in a 30% fall in their share price. Or the security breach at UK’s Talk Talk in 2015 which resulted in a fine of GBP 400,000, but more importantly in a remediation cost in excess of GBP 42 million. Furthermore, with some EU countries now having GDPR compliance as a pre-requisite for Government Contract bidding, non-compliance can be critical to businesses which depend on governmental clients.
b. Operational efficiency. In order to identify Personal Data and then to take action to protect / move / edit / anonymize it, it is essential for Chief Information Officers initially even to be able to find it. Most large corporations are faced with an immense task of having to isolate personal data in, say, 25 years of “dark data”. However, a secret to GDPR effectiveness will be the actual reduction of the mass data and elimination of the “redundant, obsolete and trivial”. So the surprising effect is that CIOs are using GDPR as a catalyst for wholesale Information Life Cycle Management. By reducing their mass data, they can even be generating Return on Investment as they may need less storage, less power for their servers, less back-up and recovery facilities.
c. Revenue! Surprisingly, a variety of different industries are identifying even money-making opportunities from GDPR. For example:
i) Being able to stamp “GDPR effective” on their web site enables media companies to improve customer loyalty and attract new clients.
ii) Being required by GDPR to provide masking of personal data actually legitimizes the mining of data for new products and services.
iii) By acquiring technology to achieve GDPR effectiveness, “Hub” entities such as airports and major transportation centres can actually provide a managed service to the multitude of entities who operate in their environment e.g. an airport serving all the airlines that fly in as well as all the shops and facilities that inhabit the airport. And an additional benefit! Not only is the airport creating a new revenue source through hosting GDPR effectiveness, but it naturally can reduce the cost of the technology it acquired to achieve it!