How would you train for a marathon?
Running is now hot. Some of us are running seriously enough to aim for a full marathon: the whole (in)famous 42 km and 195 metres. If you were to run one as well, when would you start training? A year before the race? Half a year? Three months? Only when the detailed route is made public and you know the location of each and every refreshment station?
When you look at how companies are preparing for the increased legal emphasis on user privacy in the form of the forthcoming Data Protection Regulation, the popular mindset seems to be something akin to the last option. Privacy lawyers are enthusiastic, but everyone else seems happy to keep their head in the sand. No matter how bad a shape your company is in privacy-wise. And no matter that you cannot ignore that particular piece of legislation.
Yet there is one difference between a marathon and a regulation of the same magnitude. For you, running a marathon is voluntary. For your business, the marathon of the new regulation will be mandatory three years from now.
Just as the capability to run a marathon is built up through incremental 10 km runs, your future privacy compliance should be built on first meeting the requirements of the current law.
The new regulation is already taking shape, even if it is still being drafted. What is already clear is that, compared to the current directive, the changes are more along the lines of “in addition to” than “instead of”. I can guarantee that 90 % of the steps you take to be compliant with your current national legislation will not be in vain. I can also guarantee that if you plan to run a marathon next year, it will be much easier if you start doing 10 km runs this year. That way you can avoid a panic two months before race day.
What should you do? For starters, simply check your local data protection officer’s site to see whether you are respecting your customers’ privacy when running your business.
I’m raising this issue for two reasons. One: many companies continue to be happily ignorant of the fact that their customer data is not merely an asset, but also comes with a set of responsibilities. Two: awareness of users’ privacy rights is a prerequisite for respecting people’s privacy. Nowadays, customers also have concerns and expectations about your customer records, and they want to know that you treat their personal data with respect.
In subsequent posts, we will be sharing some insights and very practical advice in this field.
Post by Hannes Saarinen – F-Secure Privacy Officer