Brexit is likely to affect many businesses, but to what extent will remain unclear for some time. However, there are some protocols already set in stone for companies to uphold and even implement regardless of the implications of Brexit. The General Data Protection Regulation (GDPR) is one such example, as it will come into force from May 2018.
From the day GDPR goes live, companies will need to be transparent when they are requesting personal information, informing the individual of where their information will be stored, and how they intend to use the data. The new regulation offers an extra level of data security to protect the consumer. This comes in response to businesses storing an increasing amount of personal information.
The digital transformation that many companies and industries are undergoing generates an increased need for a higher level of data security, something underlined by high profile data leaks. We see the recent example of TalkTalk receiving a record fine of £400,000 from the Information Commissioner’s Office (ICO) following a cyber-attack on 157,000 customer account (4 per cent of their total customer base).
Unaware of the dangers ahead
Against this backdrop, it was inevitable that regulators would turn their attention to the collection, storage and use of personal information.
Although companies worldwide have more than a year to meet the GDPR requirements, very few are prepared and many are not even aware it will affect them. UK firms will not have an exit route via Brexit from the lengthy obligations and complex processes required to comply with GDPR. Companies that hold information on EU citizens, whether they are located in an EU country or not, must adhere to set standards that will make them fully transparent to their customers and regulators.
The standard practices some firms have today for obtaining consent to hold and use information may not fulfil the GDPR criteria. As a result, most businesses face a breadth of tasks to complete before the regulation applies from 25 May 2018. Companies are increasingly aware they should review their data security, but GDPR will formalise this by enforcing a full audit in order to become compliant.
Worryingly, only 42 per cent of consumers currently notice requests for personal information according to our recent research, highlighting the need for firms to update their consent processes ahead of the regulation coming into force.
While there may be much for firms to do in advance of the regulation coming in and compliance costs may seem high, the costs of failing to be ready for GDPR are far higher. A breach could cost firms a hefty fine of either €20 million or 4 per cent of annual worldwide turnover, whichever is the higher.
To help firms get GDPR ready we have created a checklist advising on the key areas firms need to start analysing and where they may need to implement changes.
- Handling Consent: Some organisations have consumer consent policies in place that will not meet the GDPR requirements. If it is not clear to customers how firms will use their data, the company handling that data faces potential fines. Firms must look at their consumer consent profile and understand what it is, how they are using data for profiling and how that aligns with the consent obtained. Each firm will also be responsible for also auditing their partner organisations and suppliers to be confident they, in turn, are also compliant and can defend themselves if there is a suspected breach.
- Data Protection Officer: Many organisations will be required to appoint a Data Protection Officer (DPO) in an independent role who reports to the highest level of management. The DPO will be responsible for monitoring compliance with GDPR, advising on data protection impact assessments, training staff and ensuring the organisation is handling data requests appropriately. Organisations need to identify the correct person for the role and make sure the DPO has sufficient resources and authority to perform their duties.
- Suitable Technology Systems: Organisations must audit their existing systems to check whether they have the right technology to comply with GDPR. After review, firms must decide whether they need to install new technology or update existing systems to be compliant.
- Vendor Management: An organisation’s suppliers must also comply with GDPR. Firms must audit their suppliers to ensure they are complying with GDPR, are financially robust and will stand up to regulatory scrutiny if a breach occurs.
- Individual’s Rights/Data Landscaping: Under GDPR, firms must be able to respond to data requests from individuals and therefore need to know how and where they hold all customer information.
- Data Protection by Design/Accountability: Organisations must implement processes so that they understand what data they collect, where they store it, with whom they share it, to which countries they transfer it and how long it will be until they delete it when no longer needed. Organisations must be prepared to prove these processes are in place to the satisfaction of a regulator.
While there will be an initial burden on firms to meet the GDPR it could also create a significant competitive advantage to those that move swiftly. GDPR will mean firms have greater oversight of the information they hold and they will have greater insight into the behaviour of their customers.
They will also gain a better understanding of how to deploy their workforce to achieve operational efficiencies. Ultimately, if approached in the right way, GDPR can open up considerable opportunities for businesses that are prepared for the new regulations.
Image source: Shutterstock/Wright Studio
Ruaraidh Thomas, Managing Director of Applied Analytics at DST