GDPR is a new regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states… and non-compliance is already costing some companies dearly
When the EU’s General Data Protection Regulation (GDPR) came into effect in May 2018, the noise was overwhelming. Almost every email subject line had “GDPR” in it, we received a thousand panicked messages reminding us to resubscribe and businesses fell over themselves to achieve compliance, or at least look like they were trying. But three months on, what has been learned?
The FT reports that some companies simply suspended their European services to avoid falling foul of GDPR. These include newspapers LA Times and Chicago Tribune and apps such as Unroll.Me (which helps users to unsubscribe from spam emails).
In June, Ticketmaster announced a data breach affecting up to 40,000 of its customers. The company identified malicious software on one of its customer support products hosted by an external third-party supplier. When the breach was announced, data protection lawyers expressed surprise that Ticketmaster had apparently known about the breach since April but failed to report it. An Information Commissioner’s Office (ICO) investigation is now underway and it’s not yet known who will be made to pay for the error. What is clear is that if it isn’t Ticketmaster’s fault directly, not enough checks took place on its subcontractors.
Meanwhile Facebook was fined £500,000, the maximum amount possible, for its part in the Cambridge Analytica scandal. The fine relates to two breaches of the Data Protection Act but, thanks to the timing of those breaches, the fine did not reach the millions it could have under GDPR.
Since GDPR came into effect, the ICO has reported a sharp rise in data protection complaints. Moreover, according to a report from data company Exonar, GDPR data requests could cost the public sector £30m, especially as organisations are no longer able to charge a fee for the requests. The report suggests that 30m requests are expected in 2018, costing the NHS £20.6m alone.
One of the main issues has been in companies that didn’t have a proactive data protection culture in place. “For many global companies this was already on their agenda,” says Emma O’Connor, head of training at law firm Boyes Turner, “but there have been a few issues arising for smaller SMEs who had a less collaborative approach.”
Myths abounded. Some companies believed that GDPR didn’t apply to them because they didn’t have a website or hold any customer information. Says O’Connor: “Some thought they just had to delete all data.” It seemed across the board that people didn’t know where to start. “There were a lot of ownership issues – was data an IT issue, a privacy issue, an HR issue?” she adds.
However, this isn’t only the fault of the organisations themselves. Though it’s accepted that the information from the ICO was clear and informative, we’re still waiting for a lot of guidance to come through with regard to subject access requests, for example.
O’Connor believes that GDPR should have always been a project where HR could take the lead. “Employees, candidates and contract workers were already used to the fact that data had to be shared with their employer,” she says. “They had a background in processes.” Indeed, Boyes Turner ran introductory training courses for HR and business managers and provided GDPR guidance notes.
One of the problems was, says O’Connor, that in the run-up to May, GDPR was on the tip of everyone’s tongue and then once the deadline arrived, it was on to the next thing. “It’s up to internal processes to keep data and training at the forefront.”
Despite many businesses having used the time to prepare well, many others have done so poorly, putting themselves at risk of having to make redundancies or even entering formal insolvency. Surprisingly, says Chris Horner, a licensed insolvency practitioner at Business Rescue Expert, this is not through enormous GDPR fines but through contact permissions. Horner says a high number of businesses overlooked the “legitimate interest principle” and sent eshots to their clients requesting consent to continue sending marketing information to them. This, he says, “overlooks the fact they would likely qualify for legitimate interest if they were previous customers or they already signed up to the mailing list.”
Saj Devshi, who runs educational start-up Learndojo, says: “One of the main lessons we’ve learned is exactly how complicated and a practical nightmare GDPR is to implement.” For example, “We need to collect data from visitors on our website to improve and offer services that may be relevant and in their interest, but this becomes difficult when we’re having to gain consent even to browse our website or leave a comment.” Moreover, “If visitors then opt not to allow us to collect cookies or data we then have anonymous users we know little about, where they are from or what they are looking for.” This, says Devshi, “makes it incredibly difficult to improve our services and offer them to people that may be interested.”
There is a flipside to this, says Devshi. “Users are served adverts for things they are not interested in because we don’t know their profile and so users are just served irrelevant adverts because they have denied access to cookies.” He adds: “We’re beginning to see that this actually makes the browsing experience worse.”
The training time and costs involved in appointing data specialists are proving prohibitive for some small companies. Devshi agrees: “Not all businesses can afford high-end security and the lesson we’ve learnt is that it puts us in really risky territory now and open to potential legal problems, something we’re much more aware of now.”
Andrew Gibson, e-commerce manager at Bluespark Automotive, says: “What is galling is that the regulations only affect those who were attempting to be legally compliant in the first place. The internet, and communications in the broader sense, are borderless. Anyone looking to use shadily purchased mail lists, or cold-call customers internationally using a London-based VOIP service can still operate with relative impunity.”
However, for Time and Tide stores it was a chance for change. Jasmyn Hunter, ecommerce and marketing manager, says: “We personally saw it as an opportunity to rebuild and refocus. We very much reviewed our current marketing activities and strategy and looked to rebuild our database from the ground up.
“In any organisation, you wish to identify your customer and with our rapid growth we have to make sure we are building quality relationships with individuals who wish to hear from us but also trust that we are storing information in a safe and legal manner.”
We are seeing a slow culture and mindset change. This will take time and it’s a real opportunity for organisations to take the lead. Says O’Connor: “Everyone has to appreciate there is real value in data. It’s a mindset for us as individuals as well as organisations to not treat data protection as a mechanical process.”
It might still be too early to tell just how big an impact GDPR will have on business as it seems many are still ironing out the complexities. One thing is sure, however: it’s not going to go away any time soon.