For better or for worse, we’re now in a position where every individual, regardless of technical savvy, is more aware than ever about their right to digital privacy and the level of control they have over their personally identifiable information (PII). As more and more businesses are now looking to cover their backs and demonstrate varying degrees of compliance to their users, this new era of data privacy awareness could be more than many businesses bargained for.
The low hanging fruit
Receiving consent from EU individuals as to how you, as a business, use and safeguard their personal data is one of the cornerstones of GDPR. The ICO in the UK emphasises the importance of checking existing consents and consent practices, as well as reacquiring consent, when necessary, under GDPR. We saw the culmination of this as businesses scrambled to send out email blasts to their entire contact lists in the final days and hours before the deadline.
What this boils down to is many businesses treating individual consent emails as the low hanging fruit, a form of damage control for when it comes to proving compliance down the line. Cries of “We sent out an email, we made it perfectly clear!” come to mind. Unfortunately this has actually created another level of risk for businesses, and GDPR is all about the reduction of risk!
Cue the era of the Subject Access Request (SAR). It’s now easier than ever for individuals to request a rundown of every item of PII that a company holds, and at the same time harder than ever for the business to provide this due to the scope of the definition of PII under GDPR. Businesses are required to identify, collect, collate, and deliver this information within a 30-day period or be in breach of GDPR – it’s clear to see therefore how an influx of these requests could cripple a business’s resources.
Is GDPR the new PPI?
Individual claims are just the start. Even in the first hours of the 25th May, the news was rife with stories of privacy campaigners filing lawsuits against the biggest tech giants such as Facebook and Google for alleged noncompliance, and grassroots privacy movements are already springing up to fight for EU citizens’ data rights.
It’s easy to see the similarities with the boom in the Payment Protection Insurance (PPI) ‘no win, no fee’ claims market, in which scores of companies sprung up to file claims against non-compliant companies.
Wherever there is an opportunity to fight for the rights of the individual, and get a kickback in the process, an industry of ‘ambulance chasers’ is likely to appear and capitalise on it. Leading insurance commentators have already warned the industry of this risk, and a trend on the same scale as the PPI claims boom could turn the trickle of SARs into a tsunami.
How to get GDPR right
The first piece of advice is not to panic. Despite the increase in data privacy fines, the sky hasn’t fallen in since May 25, and panicking is the reason that many companies are in a mess with GDPR. However, the reality of the situation is becoming ever clearer as recent reports have shown that many businesses are already struggling under the weight of privacy inquiries and SARs. Hotel operator Marriott for example has already asked for extensions to the one-month response period.
If they haven’t already, businesses must implement clear and solid processes now in order to ensure compliance to the best of their ability and to be on the right foot should a GDPR challenge rear its head.
One thing is for sure – working with the ICO and other regulators will be imperative. Anyone following the media in recent weeks will have noticed an uptick in ICO fines for pre-GDPR data breaches, such as those affecting the University of Greenwich, Gloucestershire Police, and The Bible Society.
The ICO appreciates that data breaches from cyber attacks are a criminal act, but what it will not accept is organisations failing to demonstrate adequate security measures together with a higher degree of care for the protection of the data they hold. This is the primary cause of fines. The ICO is here to translate GDPR for British businesses, so showing a level of transparency and communication with it from the start will help to turn the regulator from the ‘big bad wolf’ into a white knight in the event that the worst happens.
The second step is clear. Businesses must gain an uncompromised level of visibility over where the personal data they hold is stored, who has access to it, and whether it is protected as well as it can be from malicious activity.
British businesses must realise that GDPR compliance is an ongoing process. Whether businesses like it or not, they must make a fundamental shift in the way they treat the personal data of EU citizens. If data privacy is baked into every business process, organisations can feel confident that they can withstand the ‘huff and puff’ of the big bad wolf and emerge with their heads held high in this new era of data privacy awareness.
Colin Truran, principal technology strategist, Quest