Since 25th May 2018, the General Data Protection Regulation (GDPR) has dictated how organisations must record, share and process their customers’ personal data. Initially seen primarily as the realm of marketers and CRM administrators, the topic now permeates almost every business, having entirely changed the status quo on data protection.
So 2018 was when the tables turned, empowering everyday consumers to demand companies disclose and delete data previously held secret. The floodgates have now opened revealing just how many organisations continue recklessly collecting, storing, and even sharing customers’ data without blinking an eyelid. Perhaps most eyebrows were lifted by Google being fined £44 million by French regulator CNIL in January.
Consumers have grown sick and tired of the constant abuses. Data leaks such as Facebook’s admission in April that it had "unintentionally uploaded" the email contacts of 1.5 million new Facebook users since May 2016 were followed by an even bigger scandal, which saw the social giant reveal it was storing hundreds of millions of users' account passwords in plain text.
These issues confirmed fears that implementation of the regulation would be a bumpy ride, especially for tech companies operating both in and outside the European Union. What fears and worries have we seen so far?
To whom much is given, from him much is expected
With data comes responsibility and the risk of it being abused by nefarious parties is the daily reality for all organisations. Recent research found the main issues UK public sector organisations hold back from sharing data with others include security concerns at 20%, fear of data loss or breach at 13%, and GDPR at only 5%.
So, although GDPR is a concern for some, these larger fears such as security concerns and fear of data breaches can actually be remedied by the regulation itself. Essentially, by following the regulation, organisations can minimise their risk of data breaches, since the regulation demands:
- Up-to-date security software.
- Third party data security evaluations.
- That vendors and partners maintain high data protection standards and encryption.
- Data backup among other standards.
Research conducted ahead of the GDPR deadline showed it to be the main regulation dominating UK companies at 28% as businesses prepared to comply with it. Yet since then only 4% of organisations stated GDPR had accelerated their data governance programmes. The overwhelming majority, 68%, have had such projects postponed by between one and more than two years by the regulation. This helps to explain why many view GDPR as a hindrance rather than a help; it was a big business priority in 2017 but would become a burden to many as soon as the year after.
Liking and friending could now be seen as anti-social. Social media data breaches accounted for a whopping 56% of the total compromised records for the first six months of 2018. It’s no surprise people are ever more wary of giving away their data to the likes of Facebook and Twitter and some 71% of consumers want social media platforms to safeguard their data.
Financial and moral obligation
Unfortunately, many businesses are driven by financial rather than ethical concerns, meaning large corporations are starting to respect the data rights of consumers only because their hand has been forced, rather than a feeling of moral obligation to do so.
Some critics would argue that as long as data privacy policies are changed in order to benefit consumers it doesn't matter the justification for it. However, in an ideal world it would be perfect if the motivation for these initiatives would be to protect the data of businesses and consumers.
Perhaps data governance is likely to become more efficient if enterprises start to see the value of what they hold. Having data is one thing, but being able to comprehend it is something entirely separate, and research has found that 66% of data leaders in the UK recognise an inability to explain the business impact of insights is keeping them from achieving their business goals.
It could be a transformative aspect of GDPR then, that as the first step to safeguarding the data they hold, it forces organisations to quantify it, in the process making clear the sheer scale, and driving culture change once they understand the monetary side of what they hold.
The Brexit elephant in the room
One year on and Brexit is going full steam ahead - where does this leave GDPR? At the time the UK finally leaves the EU, it will have the choice of whether to continue to adhere to the regulations. There are a number of options for what an alternative would look like.
Even if UK companies want to avoid GDPR, if they sell to one of the half a billion buyers in Europe, they will have to abide by GDPR. However, for those that sell outside of the EU GDPR compliance is not needed.
There are two sensible moves that the UK government can undertake: to create a British equivalent, or simply to continue to abide by its rules. In order for the UK to thrive in the post-Brexit world, one thing is for sure - data capture and governance needs to be highly effective to maintain the UK’s position as a global economic leader
Flexibility is essential
Uncertainty around when Britain will leave the EU following its decision to twice delay, on March 29 and April 12, means British organisations must be flexible in their strategies of adhering to GDPR.
Although it can seem short sighted to conform to a regulation that may not be mandatory in five to ten years time, it’s the change in company culture that matters, and soon enough, the steps to avoid leaking valuable information, suffering reputational damage, losing customer confidence and even future business, will all be second nature.