We spent years ominously assessing the uncertainty around the General Data Protection Regulation. The deadline came and went with great fanfare, and we are still here. Six months on and significant shifts are afoot as business and consumer awareness of data privacy evolves, data breaches continue to dominate headlines and the GDPR gets to throw its weight around. So, what have we learned, are we really all on the same page and is it plain sailing from here?
To get a full view on the impact of GDPR, we need to take a macro and a micro view. There is no doubt that Europe’s approach is being viewed as best practice around the world, with GDPR being regarded as a blueprint in the US – which is now looking at its own federal regulation following the passing of the California Consumer Privacy Act this June. But in terms of how we are actually adapting in the UK and what it means for industry, we need a more granular view.
It is true that in the build-up to the passing of the GDPR, hefty fines and reputational damage haunted businesses. When we surveyed UK companies in April 2018 – just before the GDPR deadline – 56 per cent said that their company’s reputation would suffer as a result of non-compliance with the regulation. At the time, 47 per cent were concerned about revenue loss, and 41 per cent thought their company’s survival was at stake due to potential financial penalties. We can now see that these concerns united the C-suite and IT decision makers as awareness grew. Six months on and we are starting to slice through the hype.
While businesses and consumers alike grapple with the logistics – clunky and often irritating online pop-ups alerting us to our right to ‘opt-out’ – as predicted, the number of data breach notifications has significantly increased. The Information Commissioner’s Office (ICO) reported 367 data breach notifications in April, 657 in May and 1,792 in June. Between July and September, the ICO reported a total of 4,056 notifications. Far from highlighting flaws in the system, it reflects a fresh, cautionary approach that makes it less likely for a breach to slip through the net. It also means that those compliance processes are working.
A stepping stone
Meanwhile, large-scale data breaches, like the recent mammoth Facebook data breach exposing the personal data of tens of millions of users, are now perceived with much more clarity by consumers. They are now awake and more aware of their data rights. This only makes the reputational risks of non-compliance more significant. Big tech firms are paying attention, and the US’s move towards its own federal regulation is indicative of this.
Ultimately, GDPR compliance boils down to competitive advantage. Those that want to thrive, not simply survive, in the data-driven world have to put consumer data privacy first. The survey we conducted six months ago found that three quarters of UK businesses believed GDPR would improve their competitiveness, and with increasingly data-savvy consumers, they were not wrong. Major data breaches making headlines in recent months build into this narrative. Handling this through the adequate management and protection of data wherever it lives, on-premises or in the cloud, is now of the utmost importance for companies.
Taking an even more granular view, the Financial Services Industry was one of the best placed to weather regulatory changes. With the sensitivity of financial data and recent history, it had already benefitted from heavy regulation. Six months after the introduction of the GDPR, the initial confidence and high levels of understanding of the business-critical nature of data uncovered in our April survey ring true. At the time, 88 per cent of IT decision-makers in the Financial Services Industry thought that GDPR compliance would give them a competitive advantage. This was mirrored by high levels of confidence in achieving compliance, with almost all FSI businesses (96 per cent) saying they knew where at least some of their data was stored – a key requirement for GDPR compliance.
Of those 4,056 data security incidents reported to the ICO between July and September this year, 293 were due to disclosure of data and 145 were security incidents in FSI companies. These figures could also be attributed to a more cautionary approach to potential breaches, because of greater awareness. Either way, GDPR represents a stepping stone in the quest for greater transparency around data management and protection, regardless of where that data lives: on-premises or in the cloud. This will help FSI to digitally transform, with the confidence of their customers.
Cause for concern
Meanwhile, the GDPR is especially important for the healthcare sector, due to the nature of medical data. The sector accounts for the highest number of incidents reported to the ICO between July and September 2018. This is perhaps indicative of the high sensitivity around the data being handled and, once again, extra-cautionary approaches to reporting following the 25th May GDPR compliance deadline.
However, with 420 incidents of data disclosure and 190 security incidents reported, it is also a cause for concern. GDPR is an essential tool, helping data-driven healthcare businesses to optimise patient care with digital transformation. But trust sits at the heart of this transformation and GDPR provides the vital key. While the number of incidents demonstrates the effectiveness of the regulation, it also demonstrates the need for it.
Looking ahead, with the diverse possibilities of innovative technologies set to transform healthcare, evolving data management practices to not only comply, but to perfect data privacy protection will be essential.
It is clear that businesses and consumers across sectors – and even continents – have learned a great deal about data privacy. We are alert, reactive and aware of the consequences of non-compliance. As is to be expected, different industries are evolving according to their unique needs. All data may not be equal, but consumer privacy as a human right is. This is just the beginning of our journey towards a better, more transparent data sphere, laying the grounds for consumer trust and sealing the success of future technological innovations.
Martin Warren, Cloud Solutions Marketing Manager, EMEA, NetApp