Next May, the first update to UK data protection laws in almost 20 years will finally come in to force as the General Data Protection Regulation (GDPR) replaces the 1998 Data Protection Act (DPA) to give European citizens more say over how their data is used.
The update has been a long time coming, as decades of advances in technology have led to our personal data being used in ways that could not have even been imagined when the original data protection rules were put in place
Today Data Subjects – that’s the privacy laws way of referring to you and me - can request a copy of information that is being held by an organisation through Subject Access Requests (SARs). At the moment, you can ask for information but a company can take up to 40 days and they can charge you a fee.
The GDPR is designed to give citizens more control of the information that companies hold on them and how that information is used, and so from May, ‘Data Subjects’ will be able to ask, free of charge, for all the information held on them and receive it within 30 days
Of course, it is anticipated that when the service becomes free - and more publicised - more people will use it. Why wouldn’t you run a speculative request? You have nothing to lose.
Businesses have since scrambled to understand how many SARs may be raised. Not only will it help them work out how much resource they will need to process requests, but whether they can afford it.
But, we know from experience, it’s a very difficult question to answer and current data on how many SARs are raised is limited. If you are already handling requests you have a reasonable indicator from which to run your estimates. But even for these companies it’s proving difficult to gauge. We know because people ask us how they should go about estimating it.
The Information Commissioners Office, although a brilliant resource for planning, has no guide to helping companies set a figure to work with. It doesn’t have any historical data to offer.
The ICO will be running a campaign in the spring to tell the public about the changes. The truth be told, it won’t be until the publicity machine starts that we will really start to see how the public will respond. But that’s six months away. CEOs can’t wait that long.
So to close the knowledge gap we asked what the public would do if GDPR was launched tomorrow. The results were telling and say a lot about how we live our lives; although SARs have been around for almost 20 years - they were created under section 7 of the DPA - only 12.7 per cent of more than 1000 UK adults surveyed said that they understood what a SAR is. But once the terms were explained, 57 per cent of those surveyed said they would want to submit a SAR.
The financial sector is likely to be hardest hit by the regulation changes, with 32.7 per cent of people stating they will be prioritising their bank and 16 per cent their credit card provider. According to recent banking statistics, this could equal approximately 21 million active current account holders. That’s quite a crunch point.
Of course, banks aren’t alone in the sector, 8 per cent of people will target their insurer. That sounds small but in real numbers, using figures from the ABI, that means around 1.6 million home contents policy-holders, 1.3 million building insurance policy holders and 1.6 car insurance policy holders may raise a request.
Banks were followed by the companies that are intrinsic to our lives - social media platforms would be asked by 16.4 per cent of their base and more than one in 10 people (11.3 per cent) would request data from their mobile phone network provider – that’s around 9.5million of us.
The results are an early indication of the impact the ICO will have on public knowledge when it starts to communicate the changes in spring 2018, and should act as a warning to every business to get their data house in order. Without a plan in place to discover, categorise and secure data, organisations will potentially be vulnerable to hefty fines if they are unable to comply with requests.
We’re all becoming increasingly aware of the data collection culture that exists within many businesses, whether its organisations that are bound by law to do so or those that want to peek into our daily lives to spot trends and develop new products to offer customers.
But the true extent to which data is harvested and stored can be staggering.
When an Exonar employee asked their bank - with whom they have been a customer for 20 years - for the information they held on them, the copy amounted to eight reams of paper, about 4000 sheets.
It’s not surprising that when people are told that their bank could hold that much information on them they are stunned - almost a fifth of respondents said they were shocked and over a quarter said they are worried about the security of their data and potential for it to be hacked, stolen or leaked.
Even more (27.4 per cent) were concerned that their data may be on databases that could be sold onto third party companies, with question marks over the safety and privacy of that data.
Under the GDPR, organisations will have to declare a security breach or loss of data within 72 hours of it happening. That’s a big step forward when you consider the scale of breaches we have witnessed in recent months - there’s no greater incentive than profit and reputation to focus the mind of the directors on getting data security right.
The ICO is already making examples of companies who breach the Data Protection Act and with the tougher penalties under the GDPR, it’s expected that they will continue - and possibly even ramp up their efforts - come May next year. Indeed, the results of the investigation the ICO has launched into Uber’s latest admission will tell us everything we need to know on the line they will take.
Getting GDPR right
So with the GDPR only a matter of months away, what should organisations be thinking about in order to make the most of the time they have before the ICO starts its consumer publicity campaigns?
Well, if the ICO succeeds in raising consumer awareness then the floodgates will open. Businesses really do need to ensure their data is organised and categorised.
Preparation is absolutely vital in achieving GDPR compliance, but it can also help to improve the overall efficiency of an organisation, so planning should be taken seriously as it will be beneficially in ways that may not have been first expected.
For many organisations, preparation for the GDPR will involve embarking on a period of education to fully understand the regulation and the process change it requires.
Many companies are well on their way with some 77 per cent of companies stating they will be ready. But 16 per cent of companies are falling behind admitting they have a plan but have not started it yet, because they lack the funds, don’t have time to do it, or in around 20 per cent of cases they simply don’t know where the data is.
Uber’s case must surely be a jolt to get on with finding the cash and resource, as should the examples of smaller companies that have found themselves in the ICO spotlight. Size won’t matter when privacy prevails.
It won’t come as a surprise when I say that going digital should be at the heart of any GDPR strategy. There are new tools that can help with data discovery and uncover data that you may not even have known you had – offering not only a great start to GDPR compliance but also the opportunity to uncover and resolve data that is ‘hiding’ throughout a network.
New techniques such as Big Data and Machine Learning can make the journey to compliance a simple one by categorising data from highly sensitive to public so that it’s not just easy to find but protect as well. What’s more, the latest data mapping solutions make the process of finding and retrieving information quicker and cheaper to do on a continuous basis, rather than as a one-off project.
And that’s the key – the GDPR is a chance to create a long-term view of data and its value. It’s not a chore if approached with a broader view of the business benefit it will bring. When understood properly, categorised and made easily accessible, data can be used for a whole host of marketing and sales projects that really propel the organisation into a new era of customer engagement. Customers won’t thank you for a lax approach to managing their personal details, they may however, thank you with their cash if you offer them services they really want.
Adrian Barrett, CEO, Exonar (opens in new tab)
Image source: Shutterstock/alexskopje