The GDPR: The Raison D'être behind the new regulation

(Image credit: Shutterstock/Wright Studio)

Dr Guy Bunker, SVP of Products at Clearswift, explores the reasons why the GDPR is coming into effect and the problems it will solve for individuals and businesses alike.

The one-year countdown to the European Union’s most significant cross-border data protection regulation is ticking by swiftly. Coming into enforcement from May 2018, the EU General Data Protection Regulation (GDPR) will profoundly alter the way businesses and consumers look at the data they hold. Being informed about why it’s coming into play and what the regulation is solving will help both organisations and individual citizens understand how they should approach data protection, whether this is becoming GDPR compliant or understanding their new data privacy rights.   

Up until the proposed GDPR, businesses operating in the EU worked under inconsistent data protection regulations, varying from country to country. A UK based marketing agency that sent its contact lists to telesales firms in Germany or Spain would have to understand the different data laws of each individual nation and adapt their processes accordingly, in many cases hiring consultants to ensure they complied with the appropriate regulations.   

IT systems support is another common cross-border sector, with many SMEs outsourcing to an external provider. An IT company based in France, providing systems support across the EU would have to allocate additional time and resources to understanding the patchwork of individual national laws for processes such as handling employee data, customer details or even payment transactions. A single, one-stop-shop regulation for all organisations to comply with will not only save time and resources, but will make it easier to conduct business within the EU; according to EU figures, having a blanket law on data protection will save the market an estimated €2.3 billion annually.   

A consistent, all-encompassing regulation that reduces the demand on company resources is not the only factor behind the introduction of the GDPR. As the constant flow of data across national borders makes adapting to individual laws both difficult and time-consuming, self-regulation has become almost non-existent, with many businesses paying lip service to the ‘guidelines’ provided by individual countries. Research from PwC’s economic crime survey 2016 reveals that as many as one in five businesses in the UK have not carried out a single fraud assessment in the last two years, despite the fact that fraud and other economic crimes are increasing. With the implementation of the GDPR, organisations will have to demonstrate the systems and processes they have in place to protect customers from fraud. With the threat of a substantial fine looming over their heads if they fail to comply, more organisations will ensure they have appropriate measures in place to protect their customers from fraud and any other exploitation which could occur.

Financial scamming has become an epidemic: according to Financial Fraud Action, over a million cases of card, cheque, phone or online fraud were recorded in the six months from January to June 2016, a 53% rise from the same period in 2015. Email deception, as well as phone and text-based scams, are the go-to methods of attack for scam artists. The ammunition for these attacks is provided by the almost endless stream of data-leak jackpots surfacing on the dark web that include customer and employee information, which leak because organisations do not protect the information their customers have entrusted to them.

The knock-on effect on consumer confidence has been damaging. Repeated high-profile data breaches have led more and more consumers to provide incorrect information online. Figures from market research agency Verve revealed that 60% of consumers intentionally input false information when submitting personal data such as home addresses, phone numbers, email addresses and company names.

Whilst financial fraud is often the chief concern behind the choice to falsify information online, it is far from the worst outcome that can result from stolen data. In 2002 an unprecedented police investigation saw the arrest of 3,700 men linked with purchasing child pornography from the US-based website ‘Landslide’. Despite being heralded as one of the UK’s most successful computer crime investigations, there are a number of cases where supposed perpetrators were wrongly convicted as a result of falling victim to credit card fraud. At least one man successfully sued the police and cleared his name, but not before the effects of the investigation had caused the collapse of his business and family life.

Such cases have led to significant mistrust around offering personal details to companies and have meant that individuals see falsifying personal information as their right in order to protect their privacy. However, it also means businesses are using invalid data for everything from marketing and sales campaigns to hiring potential employees. The GDPR will force companies to act on data security, putting in place processes and technology that prevent data breaches and data-theft oriented cyber-attacks, and this in turn, albeit slowly, will see consumer confidence in businesses’ online security increase. Compliance with the GDPR can be seen as a competitive advantage, or perhaps non-compliance should be seen as a disadvantage; as an individual, would you prefer to do business with a compliant company or one that isn’t? Likewise, as a company, would you prefer a supplier who has a good compliance programme or one that doesn’t, bearing in mind that the new regulation has shared responsibility requirements?

If self-regulation and pragmatism had worked, we wouldn’t see these stories on the front page of the news and the EU wouldn’t have introduced the GDPR. As it is, the EU needed to, in order to protect its citizens. So whilst the GDPR will in many cases require significant changes throughout organisations, the regulation will ultimately ensure greater protection of individual rights, provide organisations with more relevant and valuable data, and make it both easier and more cost efficient to navigate the increasingly complex world of data security.

Dr Guy Bunker, Senior Vice President of Products, Clearswift 

Dr Guy Bunker
Guy is the SVP of Products for cyber security company Clearswift. He is an internationally renowned security expert with over 20 years’ experience in information security and IT management.