One year on, businesses are having to take seriously the new rules introduced under the European Union’s General Data Protection Regulation (GDPR), which requires them to be much more open about the use, collection and storage of personal data.
GDPR came into force on May 25, 2018 and organisations in breach can be fined up to 4 per cent of annual global turnover or €20 million, whichever is greater. Whatever happens post-Brexit, any company which does business with customers within the EU will have to abide by these rules.
EU countries are now actively pursuing GDPR violators. France fined Google €50 million in January 2019 for its user consent and data policies, and the UK’s regulator, the Information Commissioner’s Office (ICO), fined Facebook £500,000 for serious data protection law breaches, Uber £385,000 for failing to protect customers’ personal information during a cyberattack and Vote Leave £40,000 for sending out thousands of unsolicited text messages in connection with the 2016 Brexit vote.
Chris Bush, head of security at ObserveIT, an insider threat management specialist, says while many organisations put basic cybersecurity measures in place in the rush to be GDPR compliant, such as password control, malware defence and back-ups for data, they may find themselves poorly prepared for an insider-led breach.
“Insider threats happen when someone with legitimate access to data and systems misuses that access and breaches security, either intentionally or accidentally,” he says. “Failing to account for this risk means many organisations could find themselves falling foul of this sixth principle.”
Lack of understanding?
A study by company insurer Hiscox, published earlier this year, found that nine in ten small and medium-sized enterprise owners didn’t know the main new rights GDPR gives to consumers. Meanwhile, the ICO reports that complaints of online data breaches were up 160 per cent in the six weeks since GDPR came into force.
Hiscox points out that business owners could face fines from £7.9 million to £17 million if they fail to protect consumers’ data.
Alan Conboy, office of the chief technology officer at Scale Computing, says since the rollout of GDPR, companies are working hard to invest heavily in people, tools and infrastructure to protect valuable data and comply with regulations.
“Ultimately, with data harvesting a fundamental business model for many companies, uprooting and regulating this has, so far, proven to be like trying to drain an ocean with a tea cup,” he says.
There is also a danger that businesses are devoting less attention to the rules now that the legislation has been in force for almost 12 months.
“The reality is that most organisations have done the bare minimum when it comes to data handling and storage,” says Jasmit Sagoo, senior director at Veritas Technologies. “Generally, they’ve aimed to remove risks in two ways. Firstly, by deleting old data that is no longer necessary. Secondly, we’re seeing a lot of websites that have created consent forms, which ask customers to allow organisations to use their data. Rather than correcting underlying data management challenges, these organisations are simply doing just enough to avoid any legal issues.”
Link between data and reputation
Emma Erskine-Fox, solicitor at UK law firm TLT, says: “A year ago, GDPR compliance was the hottest topic in business. Everyone was talking about it and wondering how it would affect their day jobs. Over time, the hype around GDPR has died down and it’s as if people are suffering GDPR fatigue. This is a real worry for businesses; we’ve spoken to companies that are struggling to keep people engaged and worried about what this might mean for their ongoing compliance, especially with principles like ‘privacy by design’ now being stipulated in law.”
She says training should be tailored to people’s job roles and businesses should consider coupling this with pre-announced spot checks to ensure policies are being followed.
“The Cambridge Analytica scandal only served to deepen the perception among the public that data privacy is a serious matter; their patience with poor data management is fast running out,” says David Smith, head of GDPR technology at SAS UK and Ireland.
“Our research last year found that 55 per cent of consumers had already exercised their new rights, or were planning to do so within the next year, with potentially huge implications for businesses. This is a trend that’s only going to increase as time goes on and the value of data becomes more evident. The task of compliance is becoming more difficult with increased volume, variety and velocity of incoming data along with often undocumented legacy datastores.”
He says that over the last year, the relationship between data compliance and reputation has grown deeper.
“Customer trust increasingly rests on good data protection. Companies with a history of misuse are likely to see an escalation in data removal requests and a dent in their brand. The cost of retention is much less than the cost of acquiring new customers,” says Mr Smith.
New way of marketing
GDPR has changed the interactions between consumers and the websites they browse. Laurence Pitt, global security strategist at Juniper Networks, says one positive, visible change is a general up-tick in data hygiene.
“As users, we are all now familiar with websites requesting cookie access and much easier ways to opt in and opt out of marketing emails,” he says. “This is very positive and I know my email volume has dropped drastically as a result. At the same time, this means businesses need to accept shrinking marketing databases. This change should be seen as an opportunity, rather than a challenge, as an opt-in audience is a lot more engaged and interested to hear what businesses have to say.”
Gemma Bacon, brand and marketing director at Mortgage Advice Bureau, says for many businesses GDPR meant their databases diminished overnight.
“Undoubtedly the pond we’re all fishing in is now smaller, but the quality and therefore conversion are likely to be much better,” she says. “GDPR has helped brands communicate better with customers and produce more genuinely engaging content. Marketing activity has become smarter as businesses not only have to think about who they can contact, but also how they wish to be contacted.”
Sue Lingard, director at Cezanne HR, says there has had to be much greater awareness and understanding around data protection and data rights, both on the employer side and among employees. This has placed extra administration overheads on human resources teams.
“This is alongside the requirement that HR now has to ensure data is deleted or anonymised when it is no longer required,” she says.
Looking to the future
Neville Armstrong, security and compliance manager at managed cloud and IT infrastructure specialist Fordway, says the key thing GDPR has done is to make IT compliance a board-level topic.
“Organisations need to have processes in place for capturing new regulations well in advance so they can incorporate them into their existing governance,” he says. “They also need to ensure they fully understand their organisation’s operating landscape in respect of assets, threats and vulnerabilities, from changes in government policy to cybersecurity risks, and ensure these are addressed in their compliance policies and processes.”
Alex Hollis, governance, risk and compliance (GRC) solutions director at cybersecurity and GRC services provider SureCloud, says there will be more fines to come from the regulators.
“The regulators may then move their focus to mid-tier organisations, which are not as well resourced to fight and likely haven’t taken as many steps around privacy, so as such the impact of the fines will be more dramatic.”
Opportunity or threat?
Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK, says: “Economic, environmental, geopolitical, societal and technological threats are evolving on an unprecedented global scale. The sheer volume of connected devices increases the chances of multiple vulnerabilities from a security and privacy perspective, which further exasperates the risks.
“Those organisations that choose to operate from a place of trust and transparency, that do the right thing not because they need to, but because they want to, will achieve differentiation in a digital world.”
It looks like GDPR is just the beginning of the journey that has and will continue to impact all of us, says John Mitchison, director of policy and compliance at the Direct Marketing Association.
“For regulators, GDPR has raised the bar in terms of expectations on how businesses should process consumer data and protective measures they must take to respect their privacy. If other regions across the globe want to share data with the EU, they will need to follow suit and some already have plans to do so.”
The California Consumer Privacy Act, which is due to take effect in January 2020, will significantly limit how companies handle, store and use consumer data, he adds. It is the first US-based law following in the footsteps of GDPR and has led to calls for a similar national framework across the United States.