
Why GDPR damage control has done more harm than good


Whilst those of us in the technology industry have been discussing GDPR ad infinitum, espousing the benefits of having defined compliance processes in place, in the last few weeks of May the gravity of the situation became impossible to ignore. A tidal wave of privacy policy update emails hit the inbox of practically every member of the EU public, prompting varying degrees of confusion, frustration, and mockery in the media.

For better or for worse, we’re now in a position where every individual, regardless of technical savvy, is more aware than ever about their right to digital privacy and the level of control they have over their personally identifiable information (PII). As more and more businesses are now looking to cover their backs and demonstrate varying degrees of compliance to their users, this new era of data privacy awareness could be more than many businesses bargained for.

The low hanging fruit

Receiving consent from EU individuals as to how you, as a business, use and safeguard their personal data is one of the cornerstones of GDPR. The ICO in the UK emphasises the importance of checking existing consents and consent practices, as well as reacquiring consent, when necessary, under GDPR. We saw the culmination of this as businesses scrambled to send out email blasts to their entire contact lists in the final days and hours before the deadline.

What this boils down to is many businesses treating individual consent emails as the low hanging fruit, a form of damage control for when it comes to proving compliance down the line. Cries of “We sent out an email, we made it perfectly clear!” come to mind. Unfortunately, this has actually created another level of risk for businesses, and GDPR is all about the reduction of risk!

If ‘Person X’ receives an email from ‘Company Y’ about its new privacy policy and consent practice, yet Person X can’t remember ever using Company Y’s services or products, they understandably begin to wonder why that company has their details, how long it has had them for, and indeed what other personal data the company holds.

Cue the era of the Subject Access Request (SAR). It’s now easier than ever for individuals to request a rundown of every item of PII that a company holds, and at the same time harder than ever for the business to provide this due to the scope of the definition of PII under GDPR. Businesses are required to identify, collect, collate, and deliver this information within a 30-day period or be in breach of GDPR – it’s clear to see therefore how an influx of these requests could cripple a business’s resources.

Is GDPR the new PPI?

Individual claims are just the start. Even in the first hours of the 25th May, the news was rife with stories of privacy campaigners filing lawsuits against the biggest tech giants, such as Facebook and Google, for alleged noncompliance, and grassroots privacy movements are already springing up to fight for EU citizens’ data rights.

It’s easy to see the similarities with the boom in the Payment Protection Insurance (PPI) ‘no win, no fee’ claims market, in which scores of companies sprung up to file claims against non-compliant companies.

Wherever there is an opportunity to fight for the rights of the individual, and get a kickback in the process, an industry of ‘ambulance chasers’ is likely to appear and capitalise on it. Leading insurance commentators have already warned the industry of this risk, and a trend on the same scale as the PPI claims boom could turn the trickle of SARs into a tsunami.

The businesses that put all their eggs in one basket, sent out a privacy policy notice, and crossed their fingers will be the ones in real trouble. Without GDPR-compliant data processes extending throughout every business operation, delivering on SARs becomes exponentially more difficult. The consequences of failing to deliver on these kinds of requests would be twofold. On one hand, an investigation by the ICO and perhaps a non-compliance fine could be disastrous; add to this the possibility of civil lawsuits from individuals and you have a scenario which could spell the end for some.

How to get GDPR right

The first piece of advice is not to panic. Despite the increase in data privacy fines, the sky hasn’t fallen in since May 25, and panicking is the reason that many companies are in a mess with GDPR. However, the reality of the situation is becoming ever clearer as recent reports have shown that many businesses are already struggling under the weight of privacy inquiries and SARs. Hotel operator Marriott, for example, has already asked for extensions to the one-month response period.

If they haven’t already, businesses must be implementing clear and solid processes now in order to ensure compliance to the best of their ability and ensure they’re on the right foot should a GDPR challenge rear its head.

One thing is for sure – working with the ICO and other regulators will be imperative. Anyone following the media in recent weeks will have noticed an uptick in ICO fines for pre-GDPR data breaches, such as those affecting the University of Greenwich, Gloucestershire Police, and The Bible Society.

The ICO appreciates that data breaches from cyber attacks are a criminal act, but what it won’t accept is organisations failing to demonstrate adequate security measures alongside a higher degree of care for the protection of the data they hold. This is the primary cause of fines. The ICO is here to translate GDPR for British businesses, so showing a level of transparency and communication with it from the start will help to turn the regulator from the ‘big bad wolf’ into a white knight in the event that the worst happens.

The second step is clear. Businesses must gain an uncompromised level of visibility over where the personal data they hold is stored, who has access to it, and whether it is as well protected from malicious activity as it can be.

British businesses must realise that GDPR compliance is an ongoing process. Whether businesses like it or not, they must make a fundamental shift in the way they treat the personal data of EU citizens. If data privacy is baked into every business process, organisations can feel confident that they can withstand the ‘huff and puff’ of the big bad wolf and emerge with their heads held high in this new era of data privacy awareness.

Colin Truran, principal technology strategist, Quest
Image source: Shutterstock/Wright Studio

Colin Truran
Colin Truran is a principal technology strategist at Quest who functions as the EMEA virtual chief technology officer. His areas of expertise include IT strategy, pre-sales consultancy, professional services, solution architecture, cloud, SaaS, programming and GDPR strategy.