Exactly one year from today, “the most lobbied piece of legislation in history” – the EU’s General Data Protection Regulation (GDPR) – will be enacted, radically overhauling the relationship businesses have with personal data through a raft of new obligations and consumer rights.
The way firms collect, store, process and protect the personal information of customers, clients and employees is being upgraded to meet the advanced requirements of the digital economy.
New, explicit definitions of consent will be introduced, along with consumer rights to erase, rectify and transfer data, and a common data breach notification requirement – a mere sliver of the myriad obligations GDPR legislates.
The regulation drives home the significance of data governance to an executive level: the potential fines for failed compliance, the fallout from reputational damage, and the requirement for some businesses to assign a data protection officer, should be enough to alert the City to its magnitude. And yet survey after survey shows the opposite to be true.
“Two things that all companies need to be fully aware of in relation to the GDPR is its sheer scope and the punitive fines for breaching it,” says Guy Marson, managing director of Profusion. “Nearly every company will be touched by the GDPR. It practically makes data management infrastructure a legal requirement”.
The GDPR is an attempt to harmonise disparate data privacy policies across the 27 EU member states. The internet, in theory at least, is not defined by borders, making the transfer of information across jurisdictions privy to an absurd amount of disparate legislation, which the GDPR aims to homogenise.
It’s important to note that the GDPR is a regulation, rather than a directive, meaning it is immediately applicable and enforceable by law, rather than advisory. In the UK, we presently operate under the Data Protection Act 1998, a piece of legislation described by Mark Roy, chief executive of ReAD Group, as having “no place in this very changed and modern way of operating” after “having been sticky-plastered to within an inch of its life in a bid to maintain some semblance of control.”
42% say that the EU GDPR is not a priority for their organisations.
At this point you would be right to question whether a piece of EU regulation will still be relevant once the UK has formally left the bloc. It will. The UK will still be a member when the regulation is enacted, as confirmed by secretary of state for culture, media and sport, Karen Bradley, who said last year it would be “expected and quite normal for us to opt into the GDPR”. Beyond that, she says, the government will “look how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
Regardless of Brexit, UK businesses, think tanks and politicians have been a driving force behind devising the GDPR. But that is to miss the point. The GDPR is extraterritorial by nature, meaning it applies to EU citizens wherever in the world they might be. A business in Australia has the same obligations to protect EU citizens’ data as one in Austria.
In practice, although some EU member states, such as Germany, currently have more stringent privacy laws, GDPR will become the highest common denominator, meaning businesses that handle data across international borders will have to abide by it. To call it the “Global Data Protection Regulation” is not so farfetched.
Sheila Fitzpatrick, NetApp’s worldwide legal data governance and data privacy counsel, says that it’s “not just building a compliance framework that works in the EU, it’s building a compliance framework that’s global. When you build a programme, you look at the most restrictive programme, and then everything falls down from there.”
The concept of “data governance” is new to many firms, with anything data-related often seen as an issue for IT bods – rather than the board. It’s estimated that 68 per cent of all large businesses, and 52 per cent of small business, have fallen victim to a security attack in the last year. Yet, only 29 per cent of companies have a formal cyber security policy in place.
84% of UK SMEs have still not heard of GDPR
“Interestingly,” says Phil Beckett, managing director at Alvarez and Marsal, “previous data breaches, and the financial and reputational damage incurred, have not made the impact on executives we would have expected. But the new GDPR legislation will make the value of data impossible to overlook.”
The GDPR enshrines in law hefty fines for failed compliance: 4 per cent of global group revenue, or €20m, whichever figure is higher. “This is a significant rise from the previous limit of £500,000. For context, Talk Talk was fined £400,000 for the data breach of its 157,000 customers,” says Beckett. The consensus from businesses over the last year or so is that the EU is going to make an example of a high-profile target – or as Beckett adds: “it’s one thing to put the rules in place, you then have to enforce them to make people realise they are real.”
The banking and financial services sector is widely believed to be the first to be “made an example” of if a breach occurs, according to UK respondents of a recent Varonis survey. This is concerning, especially for FTSE firms. Oxford Economics recently examined a sample of 65 “severe” and “catastrophic” cyber security breaches since 2013 across seven global stock exchanges, in order to estimate the effect on share prices. Overall, it said the attacks cost shareholders £42bn.
At present, most UK firms have no specific breach-notification obligation under the Data Protection Act. However, under GDPR, all companies and organisations will have just 72 hours to notify data subjects of a breach – or face a fine.
That’s not half of the issue though. Andrew Rogoyski, vice president of cyber security at CGI UK, estimates that “only around 10-20 per cent of the major breaches companies suffer in Europe are currently made public, so lost shareholder value across European markets could rise by as much as a factor of 10 when the new regulations take effect in May 2018.”
Even if your firm isn’t listed, the reputational damage of a data breach could be devastating. “We can see some consumers are already boycotting companies that mishandle data, so this should be a real wakeup call – particularly when you add that to the potential penalties that could be imposed,” says Rashmi Knowles, field chief technology officer for Europe, the Middle East and Africa at RSA Security. “Organisations can no longer see data breaches as an abstract tech or IT problem; boycotts and penalties are serious business risks and should be a board-level business issue. Make no mistake, there will be businesses that will never fully recover from such a fine, if they don’t go out of business entirely. We will all know of the GDPR then.”
So executives – now is the time to listen. But amid Brexit and myriad other incoming regulations, such as MiFID II, UK firms are unprepared. “It’s worrying that with only a year to go, many organisations still have a lot to do,” says Mark Thompson, global privacy advisory lead at KPMG. “The truth is that many just don’t understand what they have to do – and how to deal with it.”
For example, UK businesses are more likely to allocate no budget to GDPR compliance than peers in the US, France and Spain, according to a survey from Blancco Technology Group. “Lack of leadership in some businesses means that implementing the new regulations has not received the level of attention that it requires,” says Emma Carr, at Hanover Communications. “They often lack the experience and understanding of issues like data protection, meaning that they simply don’t know where to start in addressing this as an issue.”
Recent guidance from the Information Commissioner’s Office (ICO) raises a pertinent point, which goes part of the way to explaining why the UK is lagging. Many of the practices identified as unacceptable are fairly commonplace in the UK – but not in somewhere like Germany, or Estonia. It’s far easier for some member states to comply with GDPR than others – to harmonise – yet we all have the same timeline.
Where to start?
The consensus six months ago was that 18 months wasn’t enough time to prepare for GDPR. In terms of size and scope, the task is comparable to the changes Brexit demands.
“The starting gun has officially been fired,” says Jamie Graves, chief executive at ZoneFox. “And one thing is for sure: from day one, the EU will not be accepting excuses. They believe organisations have had more than enough time to prepare. Those companies that haven’t started to unravel what GDPR means for them need to get proactive. GDPR is all about data, and that’s where companies need to start. It is imperative that they have a full, 360-degree view of data entering, leaving and being stored within their business.”
Of course, any restructuring has financial implications – some large organisations will “have to invest millions to ensure compliance with the GDPR,” says Richard Stiennon, chief strategy officer at Blancco. “The investment will include recruiting, hiring and training personnel, starting with the appointment of a data protection officer. And that’s without spending time, resources and money on implementing new technologies and processes, new End User License Agreements that state the purpose for data collection, new security practices around data protection, and the proper management of data throughout its lifecycle. There won’t be a magic bullet to ensure compliance – companies will have to put in the work and work at it on an ongoing basis.”
The mandatory appointment of a data protection officer for public authorities and businesses which carry out large scale systematic monitoring of individuals is a major change.
A report by the International Association of Privacy Professionals estimates that businesses around the world will have to appoint at least 75,000 data protection officers to help them comply with the many complex requirements of the GDPR.
Rob White, director at recruiter Page Executive, says: “What’s interesting is the increased number of senior technology contractors becoming GDPR experts, as they’ve recognised there will be a high demand in the coming months. We haven’t yet seen an increased demand for data protection officers, which is surprising – if not a little concerning. Many clients are only just formulating their response.”
Is it a good thing?
The reaction to the regulation has been nuanced – some think it is overdue, a step in the right direction, and an opportunity to weed out malicious actors. Mark Roy at ReAD is one of them. A former chair of the Data Counsel, in 2011 he was heavily involved in the discussion around the first draft of GDPR, which he says “was a ‘pack your bags and go home’ moment, it really was. Had it gone where they were heading it would have been disastrous.”
But the final version presented in 2016, he says, will fundamentally change the relationship businesses have with consumers. “Elizabeth Denham said something interesting a few months ago,” says Roy. “That ‘if you feel uncomfortable about asking consumers to do something, then you probably shouldn’t be doing it.’” GDPR is an opportunity, he thinks, to “treat consumers in an appropriate and relevant way. And GDPR, we hope and think, will deliver a consumer that, because they know how their data is going to be used, who’s going to use it – and what for – is going to be more trusting.”
“The more that the public becomes educated on their privacy rights, the more companies are going to have to take it seriously,” says NetApp’s Fitzpatrick. “Because when push comes to shove, if I’m doing business with an organisation, I’m going to do it with the one that respects my privacy – that fundamentally believes in the right to privacy – versus a company for which it’s an afterthought.”
“GDPR will fundamentally change how businesses can use consumer data,” adds Liz Brandt, chief executive of Ctrl-Shift. “However too many big businesses are treating the regulation as either a nuisance or a terror. They are moving too slowly to be ready for GDPR’s introduction, or are viewing it as a tick-box compliance exercise. Both approaches are expensive, misguided and wasteful.”
“Data can be so valuable in terms of sales generation, customer insight and business strategy, so why then is it not considered as valuable as productivity?” asks Beckett, at Alvarez and Marsal. “With the GDPR transformation coming in, this attitude will need to change and data will be recognised for the value it holds. This evolution in approach should drive a revolution, otherwise firms will need to bear the burden of the consequences.”
Many are already considering how GDPR can be used to gain advantage over competitors. Kevin Isaac, senior vice president for Europe, the Middle East, and Africa at Symantec, says that “GDPR offers a major opportunity for a business to take a totally new and improved approach to how it manages data throughout its lifecycle.”
Brandt adds that “by enabling consumers to withhold and withdraw their consent, GDPR puts a high price on consumer trust.” She adds, however, that new, creative ways of using data can improve the services a firm offers. “In return for giving consent, consumers will expect something in return which saves them time or money. The businesses that get this right will have a two-fold competitive advantage. They will be delivering market-leading services and, in turn, they will have more access to data than their competitors.”
It will redefine the consumer relationship as a two-way street, she says: “businesses cannot have it all their own way. They need to think about joint value, so that they, and the consumer, benefit. Those that do this will be rewarded. Those that don’t could be tomorrow’s Blockbuster, Woolworths or Yahoo.”