Companies now have under one year to comply with “the most lobbied piece of legislation in history” – the EU’s General Data Protection Regulation (GDPR). This will materially change the relationship businesses have with people’s data through the many new obligations and consumer rights that the regulation enables.
The way firms collect, store, process and protect the personal information of customers, clients and employees is being upgraded to meet the advanced requirements of the digital economy.
New, explicit definitions of consent, consumer rights to erase, rectify and transfer data, and a common data breach notification requirement are only a handful of the many obligations that GDPR places on us.
The regulation drives home the significance of data governance to an executive level, the potential fines for failed compliance, the fallout from reputational damage, and the requirement for some businesses to assign a data protection officer.
However, surveys show that although almost every company will be touched by GDPR, many organisations are not aware of it or do not seem to be concerned about taking action to ensure compliance. Given the scope of activity required and the potential punitive fines for breaching GDPR, this is, on the face of it, alarming.
- 42 % say that the EU GDPR is not a priority for their organisations
- 84% of UK SMEs have still not heard of GDPR
What is GDPR?
The GDPR is an attempt to harmonise different data privacy policies across the 27 EU member states. The internet, in theory at least, is not defined by borders, so the transfer of information across jurisdictions is subject to an absurd amount of disparate legislation, which the GDPR aims to homogenise.
Furthermore, GDPR is a regulation rather than a directive, meaning it is immediately applicable and enforceable by law as of 25th May 2018. In the UK, we currently operate under the Data Protection Act 1998, a piece of legislation that is over 20 years old, constructed at a time when the likes of Facebook, Snapchat and Instagram had not even been thought of and which, as such, is not fit for purpose in the modern world in which we live.
Note: Before people cite Brexit as being a reason for not having to take action, this WILL NOT make a difference, although this is the subject for a subsequent blog as to the exact reasons why.
People will focus on the hefty fines for failed compliance that the GDPR will impose, namely up to 4% of global group revenue, or €20m, whichever figure is higher, for the most extreme cases. However, although these are of concern, increasingly it will be the reputational damage of a data breach that could be devastating. This could lead to some consumers boycotting companies that mishandle data and seeking individual compensation as a consequence. People have likened this to the PPI situation that financial institutions have been experiencing over the last few years. Organisations can no longer see data breaches as an abstract tech or IT problem: boycotts, penalties and compensation claims are serious business risks and should be a board-level business issue.
At present, most UK firms have no specific breach-notification obligation under the Data Protection Act. However, under GDPR, all companies and organisations will have just 72 hours to notify data subjects of a breach, or face a fine. Could you currently spot a breach, analyse it and invoke a process to resolve the issue, notifying all people impacted in a timely fashion? It took Yahoo 3 years to do this for some customers…
What do you need to do?
The regulation, although introduced in May 2016, is not enforceable until May 2018, with less than a year to go and much to do for organisations to ensure compliance. It is generally accepted that the EU will not be accepting excuses. They believe organisations have had more than enough time to prepare, 2 years to be precise. Those companies that haven’t started to unravel what GDPR means for them need to be proactive. GDPR is focused on personal data and that’s where companies need to start. It is imperative that they have a complete view of personal data entering, leaving and being stored within their business, who owns that data, how it is being managed and for what purpose.
This will fundamentally change the relationship businesses have with consumers and Elizabeth Denham (the ICO Commissioner – in short the person responsible for enforcing GDPR in the UK) said that “if you feel uncomfortable about asking consumers to do something, then you probably shouldn’t be doing it.” She goes on to say that “if your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.”
So GDPR should also be seen as an opportunity for organisations to explain to customers how their data is going to be used, who’s going to use it and what for, which will allow for a more trusting and engaging customer relationship. The more the public becomes educated on their privacy rights, the more companies are going to have to take it seriously, because if I am engaging with an organisation, I’m going to do it with the one that respects my privacy and that fundamentally believes in the right to privacy, rather than one for which it’s an afterthought. By enabling consumers to withhold and withdraw their consent, GDPR puts a high price on this consumer trust, so moving forward, ignore this at your peril.
Read the ICO's Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now for more details on what your business needs to do.
About the Author
Alistair Cole is a partner in Ixium Group, an organisation whose core focus is helping organisations make sense of the General Data Protection Regulation, providing practical and pragmatic approaches to moving forward and a roadmap to compliance.