For years, there was a significant problem with security and privacy conventions.
The status quo was simple: a company would tell the auditors what it did, and the auditors would check whether it actually did it. Yes, there were common practices, but the degree of variation was enough to make comparison and consistency difficult. And this problem only grew as you tried to dig into the details.
This was becoming more and more important as the smartest services began using APIs to stitch different tools together to build the ultimate customer experience. How do you fully assure your customer’s privacy as their data ricochets between different interpretations of what it means?
Three years ago, that finally changed.
Although standards like SOC2 and ISO27001 had existed previously, it was really only with the introduction of GDPR that we had a common language for the best practices protecting data.
This shared understanding of what protection means has finally made comparison possible. It has enabled a whole conversation about privacy and security, in direct practical terms, that was always a struggle before. This has been improved further by the introduction of the ISO27018 standard for protecting personal data, the closest you can get to a GDPR accreditation.
There have been many complaints about GDPR but this is already one of the strongest demonstrations of its legacy.
Again, this is not just a benefit in abstract theoretical terms. It directly allows product designers to have trust that every API and embedded tech in the service they are using can be judged to the same standard for handling customers’ data.
This is a route to unlocking more innovation, more optimisation and more opportunities to differentiate services for stakeholders.
What happens next: we must not damage shared confidence
The most challenging aspect of GDPR for UK companies is the country’s departure from the EU, and the manner of that departure.
UK GDPR legislation, as distinct from GDPR, is still considered ‘adequate’ by the EU so nothing needs to change for the moment. And in my experience, the UK regulator (ICO - Information Commissioner’s Office) has been pretty pragmatic in supporting smaller companies to navigate the changes GDPR has required.
However, the real danger is the perception issue.
About a quarter of Cronofy’s customers are resident in the EU and their perception of how the UK government behaved during the exit negotiations has given them little confidence that this ‘adequacy’ will remain.
For many in the EU, UK companies are being considered in the same category as US companies from a data protection perspective, i.e. not positively.
This forces businesses like us to look at our corporate structure and internal data governance arrangements – establishing EU entities, BCRs (Binding Corporate Rules) and EU resident support personnel.
We’re fortunate in that we have the means, experience and expertise to do this properly. But, it is a significant constraint on UK companies and restricts the opportunity to provide innovative solutions to a huge market of EU customers.
However, this is a political problem rather than a regulation problem. Protecting personal data is something responsible vendors should absolutely embrace if they want to remain viable.
What can you do?
My recommendation to any company affected by this is to lean in and make data protection a key part of your operating DNA. Data privacy legislation is not going away; if anything, regimes like the US are looking at the EU model as a guide for how they should be improving their own regulation.
Security accreditations should be seen as augmenting the way your entire team and operations function rather than a once-a-year box-ticking exercise that is someone else’s problem.
Appoint someone responsible for compliance who can work collaboratively with engineering, support and marketing teams to help them work in a safe and secure way. In our experience, leaning heavily on automation has been very positively received by auditors.
Automation done properly allows you to generate the appropriate audit logs and thus confidence that a process is repeatable and compliant. Simple things like automatically deleting Slack messages in accordance with a data retention policy are actually super low overhead and make active data management a business-as-usual concern.
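To make the retention-automation point concrete, here is an added example (my own illustration, not Cronofy’s code or any vendor’s SDK) of a small retention enforcer: it selects messages older than a policy threshold, skips exempt channels, deletes them through a client, and records every action in a hash-chained audit log that deliberately omits message content. The `InMemoryChatClient`, its `delete` method, the channel names and the timestamps are all constructed for the example; a real deployment would substitute the chat platform’s own API client.

```python
"""Retention-policy enforcement with a tamper-evident audit trail (added example)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Message:
    channel: str
    ts: str          # Slack-style "seconds.micros" timestamp string
    text: str        # never written to the audit log (data minimisation)


@dataclass
class RetentionPolicy:
    max_age_days: int
    exempt_channels: frozenset = frozenset()   # e.g. channels under legal hold


def _sent_at(m: Message) -> datetime:
    return datetime.fromtimestamp(float(m.ts), tz=timezone.utc)


def select_expired(messages, policy: RetentionPolicy, now: datetime):
    """Return messages older than the policy allows, excluding exempt channels."""
    cutoff = now - timedelta(days=policy.max_age_days)
    return [m for m in messages
            if m.channel not in policy.exempt_channels and _sent_at(m) < cutoff]


class InMemoryChatClient:
    """Hypothetical stand-in for a chat-platform client; not a real SDK."""
    def __init__(self, messages):
        self.messages = list(messages)

    def delete(self, channel: str, ts: str) -> bool:
        before = len(self.messages)
        self.messages = [m for m in self.messages
                         if not (m.channel == channel and m.ts == ts)]
        return len(self.messages) < before


class AuditLog:
    """Append-only JSON-lines style log. Each record embeds the hash of the
    previous record, so editing or dropping an entry later breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields) -> dict:
        record = {"prev_hash": self._prev, **fields}
        record["hash"] = self._digest(record)
        self.records.append(record)
        self._prev = record["hash"]
        return record

    def verify(self) -> bool:
        prev = self.GENESIS
        for r in self.records:
            if r.get("prev_hash") != prev or self._digest(r) != r.get("hash"):
                return False
            prev = r["hash"]
        return True


def enforce_retention(client, policy: RetentionPolicy, log: AuditLog, now: datetime) -> int:
    """Delete expired messages and log each outcome; returns the number deleted."""
    deleted = 0
    for m in select_expired(client.messages, policy, now):
        ok = client.delete(m.channel, m.ts)
        log.append(action="delete", channel=m.channel, ts=m.ts,
                   age_days=(now - _sent_at(m)).days,
                   policy_days=policy.max_age_days,
                   outcome="deleted" if ok else "failed",
                   run_at=now.isoformat())
        if ok:
            deleted += 1
    log.append(action="run_summary", deleted=deleted, run_at=now.isoformat())
    return deleted


# Constructed sample data: a fixed "now" and three messages of differing age.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)


def _ts_days_ago(days: int) -> str:
    return f"{(NOW - timedelta(days=days)).timestamp():.6f}"


SAMPLE_MESSAGES = [
    Message("general", _ts_days_ago(100), "old chatter"),        # expired
    Message("general", _ts_days_ago(10), "recent chatter"),      # within policy
    Message("legal-hold", _ts_days_ago(100), "must be retained"),  # exempt channel
]
POLICY = RetentionPolicy(max_age_days=90, exempt_channels=frozenset({"legal-hold"}))

if __name__ == "__main__":
    client, log = InMemoryChatClient(SAMPLE_MESSAGES), AuditLog()
    print("deleted:", enforce_retention(client, POLICY, log, NOW))
    print("audit log intact:", log.verify())
```

The audit records carry channel, timestamp, age, the policy threshold and the outcome, which is what an auditor needs to confirm the process ran as specified; they never carry the message text, so the log itself does not become a new store of personal data. The hash chain is a lightweight way of showing the log has not been edited after the fact.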
It’s not without effort and overhead but the days of playing fast and loose with personal data are long gone, for excellent reasons. The more responsible we are, the more licence we get to solve the kinds of problems that inspire us.