Data protection: burden or social responsibility?
With the impending implementation of GDPR regulations, some interesting observations are emerging. One of them is the difference in effort perception organizations may have when it comes to data protection. As a certified DPO I have been in close consultation with both profit and non-profit organizations during the last few months. Generally speaking, commercial organizations seem to face a bigger challenge when it comes to preparing for compliance with GDPR regulations. In a way this makes sense although actually it shouldn’t.
Self-evident
Foundations primarily exist to protect and/or promote the interests of their members or other interest groups. Not ‘distracted’ by commercial goals, these organizations are explicitly aimed at the very well-being of the people they gather and process data for. Here, the protection of data is more or less an extension of what they are already doing. Mobilizing commitment among employees to enhance data protection is almost self-evident. People in businesses on the other hand are busy with achieving targets; they have less time to consider if they are complying with the GDPR. Business continuity and making profit is their task. That doesn’t mean that after starting the GDPR project in a profit organization, employees are not willing to understand the importance of GDPR and the need for procedures. It’s just that these procedures must be developed and introduced in another way. It’s a different playing field. Business must go on, targets must be achieved and profit must be made. And on top of that, they have to comply with GDPR. It’s not impossible but it takes strong management to provide the necessary time and resources within that organization.
Planet, people, profit and protection
In the majority of companies, complying with GDPR is perceived as a burden that will have a negative effect on their results. Although incorporating a solid data protection mechanism can be driven by fear of being penalized and being subsequently named and shamed, most organizations do take their responsibility and understand that complying with GDPR is necessary. Not only to prevent penalties but to prevent a data breach of personal data they are responsible for as well. Of course there’s the temptation to push the (legal) limits here and there to minimize negative effects on the business goals. As long as this is done in a transparent and fair manner, there is nothing wrong with that. It is a pleasure to be a consultant in both commercial and non-commercial organizations. Especially knowing that there is always a way to lead an organization into privacy accountability. The difference is the road to awareness by all employees and management. Data protection is in the best interest of all people.
If we look at it this way, drafting a set of protocols and educating employees on how to treat personal data with the utmost precaution and discretion isn’t a burden; it’s part of social responsibility.
Vincent Corbesir, Data Protection Officer