It’s time for UK companies to stop running risks with GDPR
A full knowledge and understanding of GDPR should now be at the heart of operations for any UK business, says James Kelly, GDPR specialist at compliance training group iHASCO.
Despite having had more than a year to establish enterprise-wide compliance with GDPR, many UK businesses are still running massive risks by failing to do so. What’s more, with artificial intelligence (AI) now having a tangible effect on business through the Internet of Things (IoT), blockchain and other innovations, and with cybercriminals operating at an industrial scale, the problems caused by non-compliance are set to get much, much worse.
Yet research conducted in late 2018 found that more than 70% of businesses failed to meet GDPR requirements, with retailers being particularly lax. At least some of this non-compliance is due to businesses being frankly unaware of the data they have and where it is stored, but regardless of cause, a more recent study shows that the lack of compliance persists.
In 2019 and beyond, this is simply not a tenable position for any business to hold. Far from being just another admin burden, GDPR is a vital safeguard against proliferating threats and a practical means by which to optimise the use of data. It could be argued that GDPR has come at exactly the right time, as digital transformation in our personal and business lives makes data one of the most valuable commodities around. Data is power. Companies that can access, use and process their data optimally can turn that ability into a serious commercial advantage. Which raises the question: why would managers not prioritise GDPR compliance?
Why does GDPR compliance matter?
Failure to comply with GDPR can lead to crippling financial punishment from the Information Commissioner’s Office (ICO) but perhaps more worrying is the threat of reputational damage. In a global marketplace being transformed by digital, success lies in the ability to process data in a way that facilitates engagement with customers, and personalised client journeys. The loss of reputation that accompanies a data breach or GDPR transgression threatens that possibility: studies show that 80% of customers will abandon a company in light of a data breach and 87% will defect to a competitor if they don’t trust the company to handle their data properly.
A year on from GDPR implementation, we have seen many enforcement actions across Europe, including huge fines levied against tech firms. Meanwhile, the high standards of data management enforced by GDPR are prompting countries outside the European Union to enact legislation of similar type and stringency, making GDPR-level compliance often mandatory for global trading.
But the threat of sanction is just one reason why businesses should worry about GDPR non-compliance, and why they should be trying to fix it. There are others, and one looms largest of all – cybercrime.
Unfortunately, 2019 may be remembered as the year cybercriminals finally scaled up their operations to a level rivalling that of the businesses they target. Perhaps we should call it ‘the year of the data breach’? Already this year we have seen data stolen or illegally accessed from WhatsApp, Microsoft 365, telecoms firm EE and parenting website Mumsnet. In the UK alone, more than 10,000 data breaches were recorded between May 2018 (when GDPR came into force) and February 2019.
Cybercriminals target the very data that GDPR was established to protect, and they are not particularly fussy. Data – even the most mundane pieces of data, like phone numbers, e-mail addresses and dates of birth – are routinely sold on the dark web every minute of every day. And with greater volume comes greater profit, which is why cybercriminals have been so enthusiastic in applying AI to their work.
Cybercrime is a massive and growing threat to UK businesses of all sizes. For the overwhelming majority, it is not merely a matter of ‘if’ the business is attacked by cybercriminals, it’s a matter of ‘when’ and ‘how frequently?’
GDPR is a key line of defence against this threat, because GDPR-compliant data handling greatly reduces the risk of sensitive data being available to cybercriminals. Savvy companies also satisfy themselves that GDPR is being observed throughout their supply chain, since many share sensitive data with third parties – data that could, rightly or wrongly, be associated with them in the event of a breach.
In the digital era, it is important for businesses to know their customers well and to proactively engage with them. The aim in the omni-channel age is to provide a personalised customer journey that builds loyalty and repeat custom. Using data to meet, or even better to anticipate and then meet, customers’ needs and desires is an excellent way to build a business.
Yet as we have seen, while customers value such engagement highly, they will also be quick to decamp if they suspect their data is being mishandled. In that context, GDPR compliance operates as a gold standard guarantee in customer service, branding and even PR.
The use of AI is rapidly gaining traction in many sectors of business in the UK, and AI-driven innovations like the IoT and smart devices are one means by which brands are gaining market share. But there are GDPR implications here, too, that many businesses overlook.
It is pretty clear that Alexa and Siri et al are processing personal information but what about that facial recognition camera that opens the warehouse doors, the biometric smart cards you use for staff ID or the smart sensors that switch heating and lighting systems on and off? Smart fridges, voice-operated televisions – what personal data are they receiving, where is it going and for how long? The businesses operating them need to know and that need will grow exponentially alongside the IoT itself.
The much-heralded blockchain is another business application with GDPR implications, although it could be argued that blockchain will make GDPR compliance easier rather than threaten it.
As we have seen, the reasons to comply with GDPR are many and varied. But too many UK firms are not compliant. This may be due to a lack of organisation (not knowing what data they have and where), a lack of personnel, time, awareness or training. Whatever the reason, it is an exceptionally dangerous place for any business to be and prompt escape, in the form of high-quality training and speedy implementation, is crucial.
But for all businesses, even those who believe themselves to be GDPR compliant at the moment, there is another fact to consider. GDPR compliance is an evolutionary process, because the way we do business is evolving – perhaps more rapidly now than at any time in recent history, thanks to tech. You may have everything you need in place now to meet GDPR demands, but all it takes is for you to add some AI capabilities (a chatbot, a smart speaker, biometrics) at some point in your process, or to migrate data to the cloud, or any number of other perfectly sensible initiatives, and you will have to look again. And this applies whether you are a multinational or a small business.
The way we think about data is at the heart of this. Personal data does not belong to businesses, but to the people who share it to secure goods or services. If (and only if) they permit it, firms can use that data to build open and productive relationships with current and prospective customers, smooth touchpoints and streamline processes, personalise customer journeys, gain custom and make everyone happy.
But if those businesses lack permission, or stray beyond its bounds, they will lose customer confidence and in all probability, customers. This will be much worse if they also lose that highly valuable data to a data breach, malware or other cybercrime.
And that’s why a full knowledge and understanding of GDPR, regularly maintained through training and revision of protocols, should now be at the heart of operations for any UK business. Moreover, that understanding must be updated with every advance in technology, every new initiative and the ongoing progress of the business.
Unfortunately, we know that too many UK businesses are failing in this regard and breaking the law. They might get away with it – for a while. But when we consider that tech giants like Facebook and Microsoft (who, we assume, know a thing or two about data) have had the personal data they hold breached at least once, it seems unlikely to work as a long-term strategy.
For the rest of us, the only intelligent option is to recognise the substantial value that GDPR adds to any business, remember that data is a valuable commodity lent to business by clients, but not necessarily permanently gifted, and ensure GDPR compliance through good training and audit, regularly updated.
And given the data breaches that have already afflicted tech giants this year, who knows who may (or at least, should) be taking that next GDPR training course alongside you?