On 25th May 2018, data law changed forever.
In its first 18 months, an estimated 30 million companies across 22 countries fell within the scope of the General Data Protection Regulation (GDPR), which enforces new rules on how businesses capture, store and use personal data.
Despite this, only 785 fines for non-compliance have been issued, many of which are being appealed. The question remains: with fewer than 800 fines issued, does this mean organisations are taking the regulation seriously and are fully compliant, or does more need to be done to enforce the rules?
In our new whitepaper, we're going to ask the big questions: just how much difference has GDPR actually made? Has it resulted in a change in how businesses treat personal data? And do most consumers even know - or really care - about where their personal data gets used?
This article forms the first part of an upcoming whitepaper, the result of a recent virtual roundtable event by The Bridge Analytics featuring experts in the data field: Craig Stirk, Chris Proctor, Jon Haigh, Barry Smith, Karen Ford, Mark Pybus, Andy Crossley and Ed Wynn.
Facebook alone holds vast amounts of data about every individual who signs up, and uses this to build complex behavioural profiles, allied with other companies, to target users with advertising and even political messaging. Yet most people remain unaware of this, and, despite the endless ‘privacy notices’ that remain broadly unread, it is only a newsworthy event like the infamous Cambridge Analytica scandal that alerts the general public to just how much of their personal information is being exploited.
In a bid to strengthen the rights of individuals and to both unify and update data protection and privacy laws (some of which were over 20 years old), the General Data Protection Regulation (GDPR) came into force across the EU in May 2018. It changed how businesses may collect, store and use personal data, backed by the threat of heavy fines for those found to be non-compliant. Its reach is not limited to EU-based firms: any organisation, wherever it is established, that processes the personal data of individuals in the EU falls under its rules.
Broadly, GDPR sets down what organisations may do with personal data, following seven key principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. It forced organisations to get their houses in order regarding the personal data they held: accounting for what they had, identifying a lawful basis for keeping and using it and, where that basis was consent, going back to the individuals concerned to ask whether they still had permission to retain and use it under the new rules.
For most members of the public, this was best exemplified by a period in which companies to which they had subscribed or given personal data got in touch to ask whether they could keep it. For organisations, this presented a sizeable task: deleting data for which they did not hold the relevant permissions and recording the new permissions they had obtained.
A Change in Data Consciousness for Businesses
Like it or not, businesses have had to change the way they deal with customer data in recent years, both due to an overwhelming influx of new information and because of the changes in legislation.
"A key thing for me is the significant lift in awareness and consciousness in businesses and the consumer community. What I’ve noticed working in the data protection arena, in both B2C and B2B, is a significant upshift in a segment of the consumer community, and certainly a significant one in B2B. So individual organisations aren’t 100% compliant, if you could even define that, but they’ve upshifted significantly, they’re very conscious of the need to be so, and they are effectively ensuring that each other improve."
Under the GDPR there are two tiers of administrative fine, depending on the severity of the infringement. The lower tier allows fines of up to €10 million, or 2% of the organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher. It covers breaches of the obligations placed on controllers and processors, such as keeping records of processing, securing personal data, notifying breaches and carrying out data protection impact assessments.
The higher tier is for more serious infringements that go against the very principles of the regulation: the basic principles for processing (including the lawful basis for processing and the conditions for consent), the rights of data subjects such as the right to erasure (the ‘right to be forgotten’), and the transfer of personal data to a third country or an international organisation. These can result in a fine of up to €20 million, or 4% of the firm’s total worldwide annual turnover for the preceding financial year, whichever is higher.
The largest penalty announced so far was the ICO’s notice of intent in July 2019 to fine British Airways £183.39 million (around €204.6 million) for insufficient technical and organisational measures to ensure information security; the final penalty, issued in October 2020, was reduced to £20 million. In Germany, Swedish clothing retailer H&M received the country’s largest GDPR fine to date in October 2020, totalling €35.3 million.
But is the threat of fines enough to change behaviour? And are regulators like the ICO doing enough to investigate possible breaches?
I still see that there’s a big gap between industries and between certain companies within those industries. There have been some industries which have truly winged it and waited to see whether there were actually going to be any real changes, or whether they thought they were going to be able to live with the risk - large organisations who we all deal with day to day, too. That’s been a bit of an eye-opener.
What I’ve seen is that it’s acted as a trigger to make businesses think more broadly about their data full stop. So you can’t use it in the way that you used to, but how can you use it to provide analysis on your customers or processes or whatever it might be? There have been a number of our clients that, I’ll say, very cleverly have used it as both a carrot and a stick to go up the chain and make the board take notice in terms of how they need to do things differently with their data. I’ve seen multiple quite powerful data governance programmes get kick-started by using GDPR. I’m less involved in the minutiae of GDPR work – data strategy and data governance is more my bag, but it’s been a great accelerator for some of those programmes.
What we have noticed is that, depending on the sector, the drivers for businesses might well differ, and it’s not always the risk of a fine. I think the driver is reputational damage, regardless of the potential for a fine. I’ve just left a business in financial services, a B2B business. In financial services, if you’re seen to be wholly inadequate in the data protection arena when you’re dealing with ultimately some very wealthy individuals investing huge amounts of their cash in ways they don’t always want to be visible, the reputational damage can be enormous. What I did notice during that period is that at first, even though this was the middle of 2019, we were getting very little interest from our clients. Roll on to the end of 2019, and there were lots and lots more enquiries coming in from client businesses. The clients clearly had their own houses in order, so what do you do next? You look at your suppliers.
People that have seen GDPR as a compliance activity - are they going to do the bare minimum, or are they even going to get to a point of real compliance? But the organisations that do better in the long term are going to be the ones who do privacy by design and use it as a means of sorting out their data and a data strategy more broadly. Conversely, in highly regulated environments most businesses know that they’re not 100% compliant with all the things the regulators demand, and they just live with the risk. So this has got to become more than a compliance and risk thing. It’s got to be much more strategic if we really want to see it enshrined in the way it was originally meant to be.
A lot of senior stakeholders don’t have the maturity to understand that it’s not just the consequences, financially and, as Chris puts it, reputationally; it’s the foundations of how your organisation is actually run and governed. If they don’t have that corporate conscience around how they capture and exploit data, what are they also doing in terms of general corporate capability? I think it’s exposing a lot of organisations that have been in a cash cow situation and are now having to look at how they’re actually operating: “Do we have the relevant controls that we should have in place - not just a risk-based approach?”
I think it’s a bit like having a decent business and process architecture: if you built that stuff when you were building your business, then you intrinsically understand and appreciate the value of it; whereas so many businesses have been built organically over the years, often with bits bolted on all over the place, and trying to retrofit and maintain a business and process architecture becomes so complex that the value is less clear and less well understood. Data is similar. As data professionals, we would all understand the value of a data or GDPR roadmap, but if you’re the chief executive of a business that’s run successfully for the past 20 years and you’ve never had one, then you have a job on your hands convincing them that it’s worth the time and effort to build this thing. In that situation you often end up with a data roadmap being something that people have to build out as part of future change projects, building bits of it at a time. Ultimately this delays things and compromises the value, but sometimes it’s the only way forward.
There are IT directors who have been wary of creating a roadmap, in case it brings out and highlights their lack of control across that infrastructure.