General Data Protection Regulation (GDPR) is coming into effect in 2018, but various polls targeting smaller businesses in the UK reveal a knowledge gap and uncertainty over how to prepare.
According to recent NetApp research of 750 IT decision makers across EMEA, 9 per cent don’t know what GDPR is, and three in four have concerns about the May 2018 deadline. A study released today by Veritas Technologies echoes this sense of confusion on a global scale: 86 per cent of organisations worldwide are concerned that a failure to adhere to the upcoming General Data Protection Regulation (GDPR) could have a major negative impact on their business – including one in five polled who fear that non-compliance could put them out of business.
This is in the face of potential fines for non-compliance as high as €20 million or four per cent of annual turnover – whichever is greater.
“The UK is no stranger to similar regulations. The Data Protection Act is fairly loose and fairly old,” says Martin Sweeney, CEO of Ravelin, a UK-based fraud detection start-up. “TalkTalk, for example, made the biggest mistake. They were hacked but didn’t tell anyone for a long time. They were fined, but a very small amount. In this new world, GDPR really has teeth in it. A €20 million fine for a start-up means goodbye, start-up,” he adds.
According to Sweeney, GDPR is one of those legal documents that’s filled with ambiguity, which could explain the general confusion from the business community ahead of its enforcement. “GDPR is precise and ambiguous at the same time. It aims to protect consumers. If you read it, it’s full of grandiose, sweeping statements. Regulators see it as their right to defend the public against the misuse of consumer data. It’s an admirable cause but it puts the start-up world in the firing line,” he tells GrowthBusiness.
The main aim of GDPR is to standardise the governance of personal data across European Union (EU) member states, with a focus on where and how personal data—including credit card, banking and health information—is stored and transferred, and how access to it is policed and audited by organisations. GDPR, which takes effect on May 25, 2018, will not only affect companies within the EU, but extend globally, impacting any company that offers goods or services to EU residents, or monitors their behaviour, for example, by tracking their buying habits.
“As a technologist, I know what can be done with data, so as a consumer, GDPR is great. As a start-up entrepreneur, I’m naturally averse to regulation,” Sweeney adds.
Regulators often wait and see before they move, but in this case Sweeney believes they’re acting too early. “There’s never been this much insight from the business community. Combined with leaks from hacks, and also from government around abuses from the NSA. You can draw a direct line between both of those things and GDPR.”
Even with countless leaks and hacks making waves in the mainstream media, Sweeney believes people still won’t change their behaviour overnight. “Few people will draw a link between these incidents and the vulnerability of their data. We live in a world where the services we love are free, but we’re actually paying for them with our data,” he says.
“Look at how Facebook and Google make money. It’s all through advertising. In the 80s and 90s, advertisers mainly only had print and TV as mediums. Targeting demographics was imprecise, vague and hard to measure. With the internet, advertisers can plan campaigns that are more targeted, but the only way they can do that is with consumer consent.”
The way in which this consumer consent is granted will change when GDPR comes into effect. Now, when you access certain sites or download most apps and log in, your personal data is in their database. When you tick that you’ve read and accepted the site’s or app’s terms and conditions, you’re either implicitly or explicitly giving consent to their sharing your data with ‘trusted third parties’. This data is the bread and butter of most media and marketing companies, for example.
“But with GDPR, you can’t bundle the two. You’ll have to agree to the terms and conditions, and will be taken to a separate page to give your consent to share data with third parties,” Sweeney explains.
While it’s not mandatory to have someone specifically titled ‘data protection officer’ on the payroll, it will be mandatory to show proof of customer consent, he adds. “GDPR says that only large scale data processing companies are required to have a data protection officer on board. That’s so ambiguous. What does ‘large scale’ mean? Anyway, the key job of the data protection officer is to enforce change. They will need strong domain knowledge, but more importantly will need to be understanding, and empathetic to help senior management get on board with all the changes. They’ll also need to be great at sifting through reams and reams of paperwork.”
As Sweeney explains, the role of the data protection officer will rise in prominence. “Typically these jobs have been pretty dull. It’s usually someone to make sure you’re dotting the Is and crossing the Ts. Now it’s a very senior, very important role,” he adds.
But not all businesses are worried. For Ravelin, GDPR presents an unprecedented opportunity for growth. “It’s the same sort of opportunity we’ve been exploiting since day one. We provide a better, secure service, and are in an extremely trusted position with all of our clients’ customer data. We built the business from the ground up with the best protocols in place, so we definitely see this as a great competitive advantage.”
As a third-party data processor, Ravelin manages large amounts of sensitive data, so it will definitely be on the receiving end of any changes to data protection regulations. But as a start-up with 35 people on the payroll, the business is agile and easily able to keep up with regulatory changes. We need to put ourselves out there and take that knowledge and technology. We’re seeing rewards. “We built our business with data protection at its heart, and are driven by two principles: do the right thing, and educate customers. My advice to businesses is get ready. Make sure you have the right people bought in at senior levels, and that they understand the implications of the changes on the way.”
If you naively search for ‘GDPR advice’ you will find guides for different sectors, and it’ll all be vague, says Sweeney. “There’ll be advice for transport companies, or agriculture companies. Even if you do find advice that seems right, it’s going to be a generic fit. Ultimately you’ll need to look at your data and have some uncomfortable conversations. It’s going to be a continuing process, so get used to it. Data protection is here to stay.”