GDPR a golden opportunity for local firms
The recent introduction of the General Data Protection Regulation (GDPR) should be viewed by local organisations as a valuable opportunity to grow the service economy of the country, rather than as a threat.
This is according to Dr Peter Tobin, director of Peter Tobin Consultancy and Protection of Personal Information (POPI)/GDPR expert, speaking to ITWeb on the sidelines of the Xperien POPI and GDPR Update, held in Johannesburg recently.
Implemented on 25 May this year, the GDPR is the European Union's data protection regulation aimed at "harmonising data privacy laws across Europe, to protect and empower all EU residents' data privacy, and to reshape the way organisations across the globe approach data privacy for EU residents".
Failure to meet the GDPR regulatory standards could cost organisations in legal fees or in fines for non-compliance.
Tobin pointed out that instead of viewing the regulation as a threat, local organisations should see the introduction of GDPR as an opportunity to grow the pool of ICT skills services in SA by upskilling graduates and providing numerous services in the area of compliance to global organisations.
"The GDPR can be seen as a golden opportunity for local organisations to provide special services in the area of compliance, by soaking up young graduates and introducing them to skills development initiatives in the area of compliance."
The GDPR stipulates that larger organisations of a certain size need to have a data protection officer (DPO); however, it doesn't stipulate that the DPO must be a full-time employee, he explained.
This requirement in turn creates an opportunity for small organisations, which may not be able to afford to hire a full-time DPO, to use the services of a service provider.
This is where local businesses can see the opportunity to grow the service economy in SA, by training young people in various compliance and IT security areas such as penetration testing, information security skills and becoming a DPO, Tobin continued.
"If you look at some large consulting houses, many of them hire hundreds of young graduates every year in different fields such as accounting, healthcare and others, so why can't we do the same for DPOs? And become a virtual DPO service provider, to both the local and international market?
"Many of our clients are running assessments of their company risk areas and we work with many clients who remotely conduct these assessments through the use of video conferencing tools which enable them to work as far away as UK, Mauritius and Germany, coming from a base in SA."
Discussing the lack of ICT skills in SA, Tobin pointed out that while the rise in new ICT trends is leading to a huge skills shortage, more investment should be made in skills development programmes.
"Government and the private sector are already investing a lot of money in major skills development programmes and it may be a question of re-orienting some of those skills programmes and identifying where the real job opportunities are.
"GDPR brings with it new types of skills required, and this means we can create these skills and outsource them to clients, irrespective of where in the world they may be based."
He made reference to various countries such as New Zealand and Iceland, which have been recognised by the EU as having a "trusted nation status" due to their commitment to their country's data protection legislation.
"There is no reason why SA cannot get in that list of trusted nations, as this will benefit SA by making it much easier for us to do business globally."
According to a research report by Gartner, data and analytics leaders can use GDPR compliance requirements to improve the value of their business data, in turn contributing to the organisations' competitive advantage.
"A panicked response to GDPR, which focuses almost exclusively on data protection and security requirements, distorts an organisation's data and analytics programme and strategy," says Lydia Clougherty Jones, research director at Gartner.
"Don't lose sight of the fact that implementing GDPR consent requirements is an opportunity for an organisation to acquire flexible rights to use and share data while maximising business value."
The report advises data and analytics leaders to involve themselves in the right way, and to use GDPR to enable new uses for data, as well as greater access to it, while increasing trust between their organisation and data subjects. All of these points can drive an increase in the organisations' competitive advantage.
Tobin points out that one of the challenges facing local organisations in implementing their GDPR initiatives is getting executive buy-in.
"Many local businesses will face the challenge of adopting the right mindset to ensure that their GDPR initiatives get support from the company executives. And not every organisation has been paying attention to the GDPR because they have been focusing on POPI. But GDPR is more immediate and local organisations are now waking up to that reality," he concluded.