Consumer power means businesses have more to worry about from the GDPR than fines

A number of high-profile data breaches have hit the headlines during the course of 2017. The compromise of mobile phone operator Three’s subscriber base, and Yahoo!’s admission that millions of its users’ accounts had been unlawfully accessed – twice – are but two examples. Add to these the exposure of millions of Verizon’s customer records, and the recent hack that exposed the data of 57 million Uber users and drivers, and the list goes on. Indeed, such events have now become so commonplace that even the fallout from the massive Equifax data breach, which took place in the summer, is fast becoming a distant memory as it is overtaken each day by newer, higher-profile revelations.

It’s hardly surprising then to learn that members of the public are becoming increasingly concerned about the privacy and safety of their personal information, particularly online. In fact, our own recent research into consumer perceptions around data privacy, and the impending EU General Data Protection Regulation (EU GDPR), exposed that half of UK consumers claim that they no longer trust anyone with protecting their personal information – a worrying revelation for any organisation capturing European customer data.

A similar number professed a belief that businesses don’t care enough about their digital privacy. Perhaps due to the slew of recent data breaches, just one in five consumers claimed to trust financial institutions with their personal information, and only a quarter said that they trusted healthcare providers. However, the retail industry was viewed particularly poorly, trusted by only six per cent of UK consumers. And when you consider the findings of our 2017 Data Threat Report, published earlier this year, there would appear to be a good reason for this apparent lack of trust. According to the retail-focused report, two in five retailers across the globe have experienced a data breach in the past year, with a third suffering more than one.

Of greater concern, however, is the fact that three quarters of the survey’s respondents believed that their personal information had been made available online by cyber-criminals, whether for sale or for other nefarious purposes. It comes then as no surprise that the natural reaction from consumers is to withdraw all trust from those in the retail industry.

Despite these gloomy reports, however, there is some good news. The research also revealed that, with the EU GDPR due to be fully implemented in just a matter of months, three quarters of consumers believe that increased regulation will improve the privacy of their online data.

Putting organisations under considerable pressure

The EU GDPR comes into force on May 25th, 2018, and will bring with it the potential for crippling fines of up to four per cent of annual turnover or 20 million euros (whichever is greater). While these most extreme penalties will be reserved for only the most flagrant and gross breaches and are unlikely to be levied soon or lightly, their spectre is putting organisations under considerable pressure to ensure that any data they hold on their EU-based customers is safely and securely processed.

These new provisions and tight controls clearly demonstrate just how seriously regulators are now taking the issue of consumer privacy, and also the perils that await unprepared businesses. However, eye-wateringly high financial penalties aside, non-compliance with the EU GDPR could also place organisations at risk of reputational damage, loss of business, and even legal action from consumers. After all, one thing is clear: when the EU GDPR comes into force next year, consumers will hold the power.

Not only will the new legislation give them the right to ask what personal data an organisation holds, where that data is held, and who it’s being shared with, but it will also give consumers the right to ask for that data to be removed entirely from an organisation’s data stores.

The risk that this consumer power represents may be even more troubling for businesses than any fines that could be imposed by regulators.

According to our survey, over a third of consumers in the UK have heard of the EU GDPR, and two thirds of these are able to explain the regulation to some degree. This level of awareness by consumers, combined with an evident growing concern around their own data privacy, means that businesses will face the risk of their customers taking matters into their own hands. Two thirds of consumers, for example, suggested that they might report an organisation to the relevant industry body if they were found not to be complying with the EU GDPR, while three in five said that they would actually consider taking legal action against a non-compliant organisation.

GDPR is more than just a change of legislation

Digital privacy is now top of mind for consumers and business alike. Law firms and compensation companies are beginning to focus their efforts on fighting for consumer rights, and organisations could soon find themselves facing multiple legal challenges in addition to the potential hefty fines levied by the regulation, some of which will undoubtedly achieve national media attention.

But the EU GDPR should be considered as being more than just another change of legislation. While there’s no denying that its implementation will bring businesses a number of pain points, red tape and additional administrative concerns, it will also offer more forward-thinking organisations an opportunity to promote themselves as being trustworthy: a significant point of difference in today’s competitive marketplace.

The safety and protection of consumer data is of paramount importance in a climate in which high-profile data breaches are occurring on an almost daily basis. Customer trust and loyalty are crucial to the success of a business, so any organisation that has put in the time and effort to prepare for the May 2018 deadline will have a much greater shot at success than its competitors.

The EU GDPR well and truly puts the onus on businesses to get their houses in order and, while there may still be time to ensure that they’re fit for GDPR, that time is quickly running out.

Jon Geater is CTO at Thales eSecurity