The European Union’s new data protection regulation, the GDPR, gives EU citizens ultimate control over their personal data. But when did we lose control? And why?
In the second of a two-article series Ben Gould, Managing Director, EMEA & APAC, Opus Global, examines how social and economic evolutions around the globe have been the catalyst driving the necessary change in regulation.
The GDPR brings data protection in line with the world we now live in, from a number of perspectives:
Our world has shrunk. Companies are increasingly outsourcing to third parties globally. eCommerce means that we can buy what we want from where we want at the click of a button. Social media lets us share minute details of our daily lives with friends and strangers alike. Your personal and financial data could be sitting anywhere in the world, possibly in countries where data protection isn’t a high priority.
For this reason, the GDPR applies to all companies that touch the personal data of EU citizens, no matter where in the world they are based.
Our daily online activities leave behind a digital footprint – one that’s getting bigger and richer the more we work, shop and socialize online. And the data we share goes far beyond the information we type into forms. Companies capture a wealth of information about us in the background, including location, IP address and cookie data. All of this paints a very clear picture of who we are, what we enjoy, what we like buying and how we like buying it and much, much more.
This information is used by companies to their advantage – to guide product development, enhance customer service and target advertising and marketing – but some companies have fallen into the trap of collecting data about customers and prospects ‘just in case’ it could be of use.
The financial penalties under the GDPR are a reason for companies to stop and think about the data that they collect, and ask themselves why they need this information.
J.D. Weatherspoons, a UK pub chain, recently announced that it had deleted all customer emails from its database. The news generated a slew of articles speculating that this decision was related to the GDPR (Weatherspoons suffered a data breach in 2015), though the company’s CEO stated that Weatherspoons had made a decision to move away from ‘intrusive’ email marketing and use social media to communicate with customers instead.
Whatever the reason for Weatherspoons’ actions, the fact is that under the GDPR companies will need to be clear about what data about customers, and will need to decide on whether the risk is worth the potential reward.
Identity is the new currency, and as individuals we’re becoming more aware of the value of our personal data to the companies we interact with. Many of us are thinking harder about whether we want to share our data, and whether we do or not usually depends on the value that we can expect to receive back.
Our personal data has a significant value on the Dark Web too, and we have a right to expect the companies that collect and process are data to keep it safe. If they don’t, many of us will talk with our feet: a 2016 survey of US consumers by FireEye found that the vast majority (76%) would move away from companies with a high record of data breaches. 72% also said they now share fewer personal details with companies – not a good statistic for business.
The GDPR recognises the importance of the sharing of personal data in today’s business environment. The regulation gives more savvy consumers far greater control over their personal data – including the right to access the information a company has about them, the right to have this data corrected or deleted, as well as rights relating to automated decision making and profiling.
Cybercrime experts take the view that it’s a case of “when, not if” a company will suffer a data breach. Current figures back this up with the number of breach incidents rising steadily.
This trend isn’t surprising when you consider that the size of fines under the existing Data Protection Directive don’t make a dent in the revenues or profits of most of the companies that have been subject to regulatory action. In the UK in 2016 the Information Commissioner’s Office (ICO), the regulator for GDPR, issued £880,500 in penalties. Had the GDPR been in place this figure would have been a staggering £69 million, according to the NCC Group.
The GDPR will have teeth, and penalties that could potentially put companies out of business, and companies will now have to ensure good data practices are top priority.
Our personal data is touched by many companies, not just the companies we directly interact with. Under the current EU Data Protection Directive only the data controller (the company, or any entity, that determines the purposes for which, and the way in which, personal data is processed) is liable for compliance. However, in many instances the data controller will use other companies to actually process our data, for example, data analytics firms or market research organisations.
Under the existing laws, the controller will often seek to protect itself from risk by passing compliance responsibilities to the processor as part of the data processing agreement. However, under the Directive, supervisory authorities have no direct enforcement powers against processors.
The fact is that personal data is personal data and needs to be protected by every party touches it, and The GDPR brings data processors firmly into the fold. They will need to ensure full compliance with all requirements or face the same fines and compensation claims as controllers. Controllers will no longer be able to pass on compliance risk onto their data processors and will be responsible for ensuring that any third parties that have access to their data are acting in strict accordance with the data processing agreement.
There’s no time like the present
The GDPR is a comprehensive update of the EU’s data protection laws. While it may feel like an overwhelming challenge if you’re responsible for ensuring compliance within your organisation the long term benefits will be tangible to both businesses and consumers.
Having full control of their personal data and knowing that it is being treated as a valued asset by the organizations they interact with will address the increasing caution with which consumers share their data. And, by making companies think twice about whether they actually need to gather that piece of data about their customer, the GDPR will ensure that the true value of an individual’s personal data is recognised, and that data is protected accordingly.
Time flies, and May 25, 2018 deadline is going to come around quickly. If you haven’t started getting your GDPR house in order, the time to start is now. And if you think you have you’re ready, you might want to take time to review your plans again. A recent study by Veritas Technologies found that of the 31% of respondents who believed that their companies were in compliance with the main requirements of the GDPR, only 2% actually appeared to be.
If you need more information on the GDPR, we found these resources useful, and you might too:
Ultimately, the GDPR is designed to protect businesses and consumers, and to free them to take full advantage of the opportunities of global business and commerce.
Part one of this article, The impact of GDPR: What are the regulation's objectives? is available now.