The importance of good data protection

Data protection isn’t a box-ticking exercise but a continuous process that, when done right, can pay dividends for businesses, writes Quinton O’Reilly

Data protection isn’t just a box-ticking exercise. There are many good reasons why quality data protection and privacy compliance are worth following. Picture: Getty

Ask a business owner to cast their mind back to the summer of 2018 and chances are many will remember the rush and panic of implementing GDPR requirements.

The EU regulatory requirements were designed for businesses to ensure good data protection practices were followed, but four years later, some may have taken their eye off the ball.

Data protection isn’t just a box-ticking exercise. There are many good reasons why quality data protection and privacy compliance are worth following.

Outside of regulations, a company that has earned its customers’ trust has greater flexibility to pursue new opportunities knowing that the protection of customers’ welfare and interests is an inherent competency in how it does business.

This customer centric competency must be built into and reinforced in the company culture, otherwise it’s easy to forget.

It’s an aspect of business that Three Ireland takes seriously in its services and the organisations it works with. Spearheading it for Three Ireland is Fergal Crehan, its data protection officer (DPO), who alongside Deirdre Ardagh, its senior privacy and public policy counsel, make up its data protection team.

Having been with the company when many were preparing for GDPR to come into effect, Crehan was able to work across the business to build a strong awareness of how the requirements of GDPR would apply to Three Ireland’s business operations.

He also showed the importance for Three Ireland of establishing, maintaining and evolving robust business processes and systems to meet these requirements long after it came into effect in May 2018.

“It means that it’s something that’s always there,” he explained. “Especially when you’ve been in a company for a few years, people know you and think to run things by the DPO, whereas if people only hire externally, it’s out of sight and out of mind.

“If you don’t have that in-house data protection team, it’s easy to forget the entire subject.”

Not many companies have the luxury of having such a team in-house. Yet, as part of its work with its suppliers and business partners, Three Ireland always ensures that organisations follow best practices and regulations before planning a project or initiative.

Good data protection is next to impossible to throw in after a project is well under way, and if you try to do that, you will get caught out.

“It can’t be an afterthought,” he explained. “It can’t be a case where you build a product and then begin to think about data protection. It has to be there from the outset and it’s not just a practical element, it’s what the regulator expects to see.”

That can spell trouble if you end up in the data protection regulator’s sights. It’s not just seeing whether you have followed protocol, but whether data protection is part of your company culture. No software or service on its own can provide compliance in data protection. It must be baked into the foundation and regularly checked.

Crehan mentions that a key principle of GDPR is accountability, meaning it’s not just about keeping data safe and secure but being able to explain and show that you put the work into complying with all of the principles of data protection espoused in the GDPR.

At the time of writing, Crehan was getting ready to head over to Brussels for a conference run by the European Data Protection Supervisor (EDPS), the European Union’s independent data protection authority.

With January 2022 marking the ten-year anniversary of the emergence of the first draft of GDPR, the conference will reflect on what’s been achieved and what can be done to improve its functionality and effectiveness.

What happens from an EU perspective will be important as new judicial acts emerge, with regulations on aspects like AI and facial recognition coming down the line. Such rules can have a significant impact on how you proceed with services.

“The question is how that technology will be affected by what’s coming out of both the Irish government and the EU,” he said. “Someone might have an exciting AI project, but whether they’d be able to get the full benefit of that tech while staying compliant is often not an obvious question to answer. It takes some research.”

Putting in the groundwork

Even in the more straightforward practices, organisations must answer the big question of whether personal data is in play, or whether non-personal data can end up being linked to a person.

In the era of increased smartphone and connected device adoption, telecommunications operators process vast amounts of data. However, there are local and EU regulations that limit what can be done with customers’ personal data, meaning operators must review and understand all the data protection implications of providing a service from the beginning.

Crehan gives the example of a connected car solution used for fleet management, such as by a courier company or a car hire firm.

This is useful if you want to know where your cars are at any given time and want to run diagnostics on elements like fuel efficiency, routes and so on. However, if all vehicles are assigned to named drivers, then you are handling the driver’s personal data, since you are tracking their location among other things.

If vehicles are allocated on a first come, first served basis and anyone can take a particular vehicle, then the data may qualify as non-personal information. That said, each case is context-dependent and depends on how it relates to the entire ecosystem it operates in. In short, you need to show you’ve done the work.

“It’s not something you can fake,” said Crehan. “Some people think it’s about security and having a strong password or not having data breaches, but there are six principles of data protection, and security is only one of them.”

The other five principles are lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; and storage limitation. These principles aren’t ones you can bolt on or create by adding a product or service. They must be included from the start.

And that’s the key to good data protection: creating a culture that ensures such considerations are second nature. Granted, larger organisations will have the benefit of dedicated data protection teams. But even if you don’t, you can still embed a mindset where no project will begin without asking if the six data protection principles are considered.

Within Three Ireland, this step is an essential part of any project. Sometimes only basic advice is needed but other times a full Data Protection Impact Assessment (DPIA) is carried out.

Being able to say that you have carried out the work and have been assessed is a big boost to the average consumer who wants to make sure they can trust the work an organisation does.

Ensuring that it’s not an afterthought and taking a proactive approach to data protection is best for everyone in the long run. By framing it as a beneficial process, you can create a system that gets what the business wants while remaining compliant.

“If people do that, it becomes a much better experience for everyone because you can be comfortable about the outcome of the product,” he said. “You can field any question that the regulator or the customer might have because you’ve done that work.

“You can’t fake the work; it’s something you’ve just got to do.”