Impending GDPR rules mean that organisations will have to radically overhaul their data management efforts – but not enough leaders are facing up to this huge responsibility
As if European companies weren’t facing enough of a storm right now with the urgent need to prepare for Brexit, another thunderhead looming on the horizon requires even earlier attention. Any widespread failure to apply the necessary strategic insight to this problem could cost a huge number of businesses the very reputations upon which they trade. I am talking here about Europe’s General Data Protection Regulation (GDPR), which comes into force on 25 May next year – and for which the majority of organisations, according to several pieces of research, remain sorely under-prepared.
To picture what the GDPR is, and what it means, think of the UK’s existing Data Protection Act (DPA), but with the relevant obligations expanded by several orders of magnitude. For many organisations, the most mission-critical influence that the GDPR is likely to have on their work is by requiring them to be significantly more proactive in their handling of customer data. So, leaders: you must dispel any notion that this is going to be just another dry compliance procedure that you can implement, and then leave to its own devices while you focus on matters that you consider more interesting.
There is a high likelihood that the GDPR will put an enormous amount of downward pressure on the relationships you have with your customers. If you don’t want that pressure to turn into a full-blown strain, then you’d better size up the scale of your obligations relative to the size of your business, and do everything in your power to meet your compliance goals ahead of that impending deadline.
For those who don’t yet have a concrete sense of the GDPR’s provisions, look no further than this brilliant and highly informative breakdown of the legislation, courtesy of the Information Commissioner’s Office (ICO). In effect, the GDPR greatly enhances the rights that individuals enjoy with respect to details about them that are in organisations’ hands.
The main point of the GDPR is that it will eventually underpin a whole new compliance regime for data security and the use of personal information – with that framework set to affect not just European firms, but any companies outside the region that hold data on EU citizens, too. It’s a big undertaking – with stringent penalties to match. Under the new rules, the EU will levy fines against firms that have suffered data breaches at a level of either €20 million or 4% of turnover – whichever is larger.
But underneath that headline aim to more strictly police companies’ data protection efforts, the GDPR will also grant EU citizens a series of line-item rights on personal information, which they will be able to exercise at any time – such as the ability to either…
- rectify, or
…the material in question. In addition to that, organisations will be required to properly ask customers for their informed consent to utilise and process personal details – marking a departure from the current system, in which agreement is implied and citizens are left to request hard opt-outs. The GDPR era will be all about hard opt-ins instead: precisely the reverse of the current regime. Organisations will also have to re-examine the data under their roofs and determine how much of it counts as ‘personal’ under the GDPR’s provisions.
In practical terms, that points to a substantial increase. As the ICO notes: “Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg, an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.”
All in all, this constitutes a massive amount for organisations to get their heads around. And are they busily doing just that, in order to absorb the facts as quickly as possible and put them into strategic action? Well, in a word – no.
Indeed, the levels of preparedness (or lack thereof) that are emerging from survey after survey are lamentable, comprising a real ‘facepalm’ moment for organisations of every type. There are vanishingly few hints of action – but considerable evidence of procrastination, tailspin and worry. For example:
- According to Jersey-based business software provider Calligo, 93% of companies are anxious about storing their data in the cloud in the post-GDPR era, with 91% concerned about how the rules will affect cloud services as a model. Only 14% of the 500 IT decision makers that the firm spoke to said that concerns about meeting their GDPR compliance obligations are at the forefront of their minds.
- A major audit of UK corporate databanks conducted by W8Data concluded that the GDPR could render 75% of companies’ marketing data obsolete, thanks to how that information is currently structured and permissioned. As W8Data director Dave Lee said: “It’s unsurprising that repermissioning campaigns are rocketing as marketers are waking up to the realisation that much of their data will be useless come May 2018. The fact that two-thirds of organisations are currently failing to regularly review their data speaks volumes. Under GDPR, that is going to have to change.”
- In a survey of 132 compliance officers around the world, the US-based Compliance, Governance and Oversight Council learned that only 6% of firms feel that they are ready for the GDPR. The research found that organisational size was not a factor: small and supposedly more nimble companies are every bit as much like rabbits in the headlights as their larger, corporate counterparts.
- A similar overview of 200 EU firms by cloud security gurus Alert Logic found that just 5% of them were compliant with all relevant obligations in advance of the enforcement date. While 77% of firms in the study were familiar with the GDPR as a concept, only 27% thought that they’d have their internal policies lined up for it by 25 May next year.
All of which will just not do.
An even more alarming take on these matters has emerged from PwC’s global lead of cybersecurity and data protection services, Stewart Room, who said in a recent speech that a lot of organisations who are trying to achieve GDPR compliance are going about it the wrong way. In his assessment, those companies are focusing on data-mapping exercises that may prove to be completely redundant, when what they should really be doing is making sure they’ve got the correct technology in place. Room pointed out: “When the GDPR was first published in 2012, the lawmakers assumed that the gap that we needed to travel in order to make our organisations fit for purpose might be somewhere between a two- to four-year journey, but the fact that so many are still busy with data-mapping exercises tells us that the gap is substantially greater.”
Clearly, there’s too much at stake here for organisations to fall behind any further than they already have. It is essential for business chiefs to provide as much leadership on GDPR compliance as they normally would on areas such as commercial strategy or staff development – for if there’s no business, then there’s no strategy… and no staff. Don’t hide GDPR away in the backroom – seek out every shred of expertise you need to get your organisation in the right shape for it, and engage your entire talent pool in the effort.