May 2018 will herald the hard enforcement of GDPR, with tougher punishments for data security failings. But how are companies preparing and what are the potential rewards for staying on the right side of these new regulations?
In an age where new industry-wide acronyms emerge with increasing frequency, GDPR may feel like yet another four letters with delusions of grandeur. However, disregard the General Data Protection Regulation – to give its full name – at your peril.
The advent of a culture where everything is online, all the time, has elevated the issue of cyber security – and especially data protection – to new heights, and the way organisations store and use customer data is now rightly coming under more scrutiny than ever before.
GDPR is a set of new rules that aim to address how data is collected, stored and used, with tougher financial penalties for companies who fall short of their obligations.
Although the new regulation essentially standardises data protection rules throughout the European Union (EU), it effectively has a global influence and any servers with details of EU-based customers will be subject to the same rules, regardless of where the organisation or its servers are located.
Those already aware of GDPR may also know that the regulations have been in force since May 2016. However, it was introduced with a two-year grace period, giving companies time to prepare and comply ahead of the hard enforcement date of 25 May 2018.
Complying is very much in these companies’ interest too – a company could be fined up to €20 million (£16.8 million) or four per cent of its global turnover, whichever is greater, for failing in its data protection duties. That’s considerably more than the £500,000 maximum fine currently issued for serious data breaches under the Data Protection Act.
Why do we need GDPR?
To provide some geographical context – in the UK, GDPR will replace the Data Protection Act 1998, which was enacted before current methods of data exploitation became available.
As the accompanying date would suggest, that act was drafted when the internet was still in its infancy. Consequently, the people behind the act couldn’t have predicted how companies and organisations would acquire and use data on their users almost two decades later.
Fast forward to 2017 and the EU is keen to give people more control over how their personal data is used and a reinforced right to privacy when using online services like Facebook, Google, Microsoft and WhatsApp.
GDPR means that companies will no longer be able to gather whatever information they want without a valid reason, as is currently the case; a development designed to improve trust in the emerging digital economy.
It is hoped that significantly tougher fines will encourage companies to tighten cyber security and better protect customer details.
Meanwhile, the Information Commissioner’s Office (ICO) has recommended doing away with pre-ticked opt-in boxes, instead urging organisations to adopt an ‘active opt-in’ approach that lets individuals withdraw consent at any time.
The guidance published in March recommends that organisations which process data evaluate their consent mechanisms to make them more ‘specific, granular, clear, prominent, opt-in, documented and easily withdrawn’.
Preparations and denial
Despite the stinging penalties associated with non-compliance, many organisations are either unaware of GDPR or not preparing sufficiently for it, according to research from software company Veritas.
Globally, organisations in Singapore are some of the least prepared in the world with more than half (56 per cent) admitting they’re concerned they won’t be able to comply with GDPR in time.
Compared to other nations, US-based organisations are better set up for GDPR with fewer (37 per cent) saying they are currently unprepared.
Separate research from cyber security software provider Imperva in April found that just over half (51 per cent) of the 170 cyber security professionals surveyed in the US believed that GDPR would impact their companies. Worryingly, close to a third did not expect GDPR to have an impact and five per cent were not familiar with GDPR.
Despite 51 per cent being aware of GDPR, just 43 per cent of respondents said they were assessing the regulations’ potential impact and adapting practices to comply with data protection legislation.
The truth is GDPR applies to all businesses, regardless of size and sector, and playing ignorant will only have a painful conclusion for the organisation’s bottom line.
GDPR is particularly relevant for accountancy firms, which hold some of the most sensitive data around: information that has the potential to reveal a company’s productivity and marketing strategy, revenue and profit forecasts – data that could destroy a company if maliciously or carelessly handled.
Consequently, accountants are even more duty-bound not only to store and manage data safely, but also to have robust cyber security measures in place, with all staff suitably trained. Rather than attack myriad security defences, hackers are more likely to exploit the human element by targeting less tech-savvy accountants with phishing emails.
Despite widespread use, email is notoriously insecure. Messages, which aren’t always encrypted, can be intercepted in transit. Businesses also need to be wary of the vulnerability of metadata – data about data that can give away more than users realise – and should dial out when participating in conference calls, to avoid professional phishers who could gather information for blackmail or a competitive edge.
What about Brexit?
The result of Britain’s in/out EU referendum, and the triggering of Article 50 in March, means that the UK may have started saying its goodbyes to the EU by GDPR’s hard enforcement date in May 2018. However, it will still be very much part of the EU when this happens and will have to comply for at least a few months.
Regardless of the status of Britain’s EU membership, the global nature of GDPR means that compliance will still be mandatory for British firms that handle data of EU citizens.
Additionally, the UK government intends to fully implement GDPR regardless of its EU membership, to ensure the flow of data between the UK and the EU isn’t disrupted once the Brexit process is complete.
In light of this, the ICO has urged UK organisations to continue with preparations for GDPR in the interest of public trust and to assure users they intend to safeguard personal data.
The ICO fears that some companies have ‘taken their foot off the gas’ since the Brexit vote, but the public body is committed to building ‘a culture of data confidence in the UK’ and would rather data protection was viewed as ‘a cornerstone of the digital economy’ than as yet more red tape.
To kill off the suggestion that Brexit means companies can get out of GDPR preparations, the ICO intends to introduce something similar to GDPR post-Brexit, with the suggestion that fines for data breaches could be even tougher outside of the EU.
Away from Europe, GDPR’s border-transcending nature means that in the Asia Pacific, for example, the message is the same – be prepared and set aside at least a year to assess and implement changes.
Consequences and opportunities
Much was made of the hacking of telecommunications company TalkTalk in 2015 when a teenage hacker obtained bank account details for more than 15,000 customers, as well as personal details for 156,000 more.
The company was fined £400,000 in 2016 for these security failings but, if GDPR had been in place, that fine would have spiralled to £59 million – a 147-fold increase.
Similarly, Pharmacy2U’s fine of £130,000 in 2015 for selling details of more than 20,000 customers, advertised at £130 per 1,000 records, would have grown to £4.4 million – almost 34 times more, and potentially enough to put the company out of business.
These companies will almost certainly be counting themselves lucky, and the business world is sure to pity the first organisation to be punished for GDPR failings post-May 2018.
While the scale of these penalties suggests that GDPR exists as a burden, with the promise of intimidating punishment for those that fall short, the regulation can also present organisations with opportunities for improvement and growth.
Firms that make the effort to understand and appreciate the kind of information they have and make sure it’s secure can get closer to partners and customers, fostering trust and growing business on the back of better information governance and security.
By demonstrating it respects personal data of its users, a company can stimulate customer confidence, which can ultimately lead to greater sales.
Additionally, as GDPR demands a review of data handling, a business can use GDPR to get its house in order and make its everyday operations more efficient.
To recap, the headline-grabbing fines can make GDPR out to be ‘all stick, no carrot’, but the rewards of staying on the right side of the rules can be just as substantial as the punishments are harsh.