Should Businesses Really Fear GDPR?

GDPR. Four letters that strike fear into the hearts of those in the Boardroom. The General Data Protection Regulation, which applies from 25th May 2018, is a step-change in data protection, giving people far more control over their information and forcing businesses, public bodies and charities to take more care of that data.

Read the headlines – and the press releases of a variety of cyber security companies – and it’s going to be ‘Data Armageddon’ come May next year. You’ll only have 72 hours to report a data breach to the Information Commissioner’s Office (ICO). You’ll be swamped with requests from individuals to delete their data. Any security breach could lead to a fine of up to €20 million or 4% of global annual turnover, whichever is higher. One small slip up, and you’ll be out of business.

Some companies have already taken drastic action. Following a serious security breach in June 2015, when more than 650,000 customer email addresses and some staff details were stolen, it is perhaps understandable that pub chain JD Wetherspoon has decided to delete its entire customer email database and subsequently minimise the amount of personal data it collects, stores and manages. Wetherspoon will instead direct customers to its website, where all their special offers can be found. It’s an interesting move – one, perhaps, that demonstrates that the company is not confident it can prove it has clear consent to hold that data. Is the mantra that ‘data is the new oil’ no longer true in the light of GDPR?

Let’s take a step back.

Given the potential scale of the fines, it’s reasonable to question whether collecting personal data on your customers and clients is delivering sufficient value and is worth the hassle. But is the risk of a fine being overstated, especially by an industry that stands to benefit from the fear, uncertainty and doubt GDPR is bringing?

The Information Commissioner herself thinks so. Elizabeth Denham recently explained that the ICO will continue to use their powers both proportionately and judiciously, that fines will continue to be seen as a last resort option, and that they prefer the carrot to the stick. Indeed, in 2016/17 the ICO investigated 17,300 cases – just 16 of those resulted in a fine. In all the years the ICO has existed, it has never once invoked the maximum powers it is entitled to use.

The ICO is a public sector body. They’re not in the business of putting other people out of business.

So you should view GDPR as a positive rather than a negative. Yes, you need to keep the consequences of failure in mind, but it’s more important to view the legislation as an opportunity to get your data in order: find out what personal data you hold, why you hold it, where it lives and who can reach it. This will not only benefit your customers, but also help you operate more efficiently.

So what about the customer data quandary? Will people prefer you to keep very little data on them, or do they expect you to know them intimately so you can provide a tailored service?

It goes without saying that they want you to keep their data secure. Increasingly, however, they expect you to know everything about them to make their interactions with you smoother. Nowadays no-one wants to enter their personal details over and over again when they’re looking for car insurance – they expect you to have remembered those details from the last time they priced a policy with you, regardless of whether they eventually bought your product or not. Consumers are increasingly willing to provide their personal data to benefit from enhanced services – they just demand that you keep it secure.

The expectations of the ‘Always-On Consumer’ have already meant that businesses are gearing up for the new economics of multi-channel ecommerce. This new breed of consumer wants to be recognised, wants to have a voice, wants to be treated as an individual – and also wants the experience to be easy.

To do this effectively, businesses need to collect and manage even greater amounts of data, harness it to draw meaningful insights that help them get closer to their customer, and then personalise the experience. It’s no longer about an email marketing campaign, it’s about having a continual, ongoing conversation with the consumer.

Businesses are already starting to reach out beyond the corporate website and email newsletters to meet customers where they work and live. Think of the Amazon Echo – a device which can reach consumers in that micro-moment when they decide to purchase a product. When do you realise that you’re running out of toilet roll? When you’re in the bathroom. No need to remember that fact when you’re out shopping, just call out Alexa’s name and she’ll place the order for you. Problem solved.

These platforms will get smarter and more capable in time, ensuring they really get to ‘know you’. Amazon is already opening Alexa up to more developers to increase the utility of its service, and to ensure she grows smarter as more data sets connect to her. So it would seem that organisations will see a growing demand to personalise their products and services, as consumers and clients will see it as an acceptable trade-off. More data, not less, will indeed be the future. It’s also why I believe that most people will generally not invoke their ‘right to erasure’ under GDPR, as they’ll see the loss of convenience as the greater issue.

Yes, GDPR is coming and yes, if you do something spectacularly dumb (I’m looking at you, Equifax), then there will be a significant punishment. But the benefits of retaining personal data would still seem to outweigh the risks for both the business and the consumer. So there’s really no need to be alarmed about the impending arrival of GDPR. Just get your data in order, get compliant, invest in protecting that data and remain consistently transparent with your customers.

I’ll drink to that!

Vince Warrington

I’m a Cyber Security & Information Assurance professional with a passion for changing attitudes towards how we protect our data, whether that be on a professional or personal level. My aim is to move businesses, charities and government departments away from traditional IT Security to a model where everyone in the organisation works towards the common goal of protecting information through joint responsibility and coordinated thinking.

I’m a member of the Information Assurance Advisory Council (www.iaac.org.uk) and the UK Cyber Security Forum (www.ukcybersecurityforum.com), and I’m working towards increasing the number of females, minority groups and those with neurodiversity in cyber security. I also believe that security businesses must evolve to create the environment required to encourage people into the profession, which will help ease the current predicted shortfall in trained experts.

I have worked on a wide range of projects for a number of organisations, including:
– GlaxoSmithKline
– Diageo
– Euromoney Institutional Investor
– Aramco Overseas Corporation
– Metropolitan Police Service
– Foreign & Commonwealth Office
– HM Treasury
– Skillshare International

I founded Protective Intelligence as I discovered that traditional IT Security, whilst becoming increasingly effective against some forms of attack, was poor at preventing accidental data leaks and extremely weak at delivering effective security awareness training. Our goal is to move organisations away from relying upon technology alone to reduce risks, and foster a culture where everyone understands the role they have to play in protecting data.