Data protection laws are evolving at an unprecedented pace, impacting organisations of all sizes and industries.

To thrive and succeed, businesses must not only comply with these regulations but also harness them as a strategic advantage.

When it comes to the penalties associated with non-compliance, organisations not only face hefty fines - they can sustain irreparable reputational damage too.

In our latest webinar, Metomic CEO Rich Vibert was joined by Sarah Jarman, VP Legal and Group DPO at Emplifi, and Kristy Gouldsmith, Data Protection, Privacy, and Cybersecurity Partner at Spencer West LLP to discuss how to navigate complex data protection laws. 

Here are our top 6 takeaways:

1. Data Minimisation is Key

One of the key principles discussed in the webinar was the importance of data minimisation. Companies should only retain data that is necessary and relevant for their business operations. Keeping unnecessary data can not only pose a security risk in case of a data breach but can also lead to challenges in handling subject access requests. It is essential for organisations to have a clear retention policy in place and regularly review and update data that is no longer needed.

Kristy Gouldsmith highlighted the importance of organisations asking themselves, ‘What [data] do we have? Where is it and who has access to it? The data that's held in WhatsApp and Slack will also form that company's data and part of a subject access request. It's knowing everything that's out there and sometimes companies don't go through this exercise until they're forced to. I think if they did those sorts of activities before they had a big subject access request or a horrible data breach, it wouldn't be quite as bad.’

2. Transparency is Essential

Transparency regarding the data that a company holds is crucial for effective data management. Companies should have a clear understanding of what data they hold, where it is stored, and why it is being retained. This not only helps in complying with regulations but also ensures that data is handled responsibly and securely.

Sarah Jarman said, ‘People want to know what we're doing with their data; they want transparency, they want accuracy, they want access.’

3. Privacy by Design 

The concept of privacy by design was highlighted as a key aspect of data management. This involves considering data protection and privacy from the initial stages of planning and throughout the data lifecycle. By proactively embedding privacy into processes and systems, organisations can ensure that data is handled in a compliant and secure manner.

Kristy Gouldsmith highlighted, ‘I work with a lot of companies and one of them is notorious for saying, ‘look, we've created this new shiny thing.’ Then they'll present it to me and say, ‘what do you think?’ And I think, ‘you should have told me at the beginning because now I've got to pick it apart and put the data protection in here and there.’ It's far cheaper and more efficient to embed your data protection bits at the beginning than create your shiny new thing and think, ‘where are we going to put that data protection bit now?’

4. Investment in Expertise and Automation

The discussion emphasised the importance of investing in expertise and automation tools for effective data management. While automation can streamline processes and enhance efficiency, human oversight is also essential to ensure that data is handled correctly. Organisations should consider a combination of automated tools and skilled personnel to effectively manage data and mitigate risks.

Sarah Jarman said, ‘The best practice would obviously be to have that human control aspect even if you do have the automated tool. I think in the future that will come down through the supply chain and that will mean that these businesses do need to probably have that combination of automation and human oversight, which means investment into your people.’

5. AI Requires Transparency 

The trio discussed the importance of transparency, explainability, and human oversight in the use of AI tools to ensure data protection and privacy. Companies should prioritise training employees, implementing internal controls, and reviewing data before inputting it into AI systems to mitigate risks effectively. By following these principles and practices, organisations can navigate the evolving landscape of AI technology while safeguarding data privacy and compliance with regulations.

Sarah Jarman said, ‘Getting the right people to review [AI tools] before they’re used - it's a lot easier said than done in practice because obviously these are really sexy tools that are helping people left right and centre. And it’s also understanding where those risk barriers are. It's not that you can't use the tool itself necessarily, it's that you need to watch what data goes in. So using it to prompt and then taking out the sensitive or personal data, but also the business confidential. Any sort of information that you aren't trusting the tool to deal with.’

‍5. Continuous Monitoring and Adaptation 

Data management is not a one-time exercise but a continuous process that requires ongoing monitoring and adaptation. Companies should regularly review their data management practices, update policies and procedures as needed, and stay informed about evolving regulations and best practices in data security. By maintaining a proactive approach to data management, organisations can better protect data and comply with relevant regulations.

In conclusion, the webinar highlighted the importance of prioritising data minimisation, transparency, privacy by design, expertise, and ongoing monitoring in data management practices. 

Metomic can help organisations minimise the data they store, reduce their attack surface, and comply with industry regulations. Take a virtual tour of our platform to learn more about how we can help your organisation. 

‍