The General Data Protection Regulation (GDPR) has quite simply been Europe’s biggest disruptor of the last two decades to the world’s most powerful online communications platform – the Internet. I’m often asked by companies, big, small, local, global, traditional and disruptive: “We’re now GDPR-compliant. Have we gotten privacy right yet?”
I would argue that if you’re still approaching the issue of personal information as a compliance one, you still don’t get it.
There is no denying that it has set a world-leading standard. Never before have everyday people been so overwhelmingly aware and understanding of their data rights.
If we take a look at what’s happened since GDPR went live almost two years ago, we can start unpacking how companies should be looking at the value of personal data, and how much more it could be worth if they do start to “do it right”.
Since May 2018, the UK’s Information Commissioner’s Office (ICO) has proposed or issued fines worth almost £300m. With over 100,000 reported breaches across the EU, there is likely to be more action coming from European regulators. The volume of contact points with regulators has exploded; for example, the ICO has been contacted over 500,000 times in the last 12 months. Sales delays as a result of privacy-related issues are in the region of 5-6 weeks.
These figures set a stark scene. Break them down a layer further and in reality there have been three core groups that have been impacted most significantly.
Businesses have suffered increased costs, process changes and risk. Employees have had their day-to-day roles impacted, from the call centre representatives having to pre-empt any conversation with a privacy notice, to the app developer who now needs to incorporate privacy controls into their code. Lastly, the consumer – although today’s online customer journeys may feel like they involve endless website clicking in addition to the usual cookies notice, the impact on consumers has also meant that they have been immensely empowered with a better understanding of their data and their rights.
The two-year mark is fast approaching, and when measuring impact, it’s interesting to see how some companies are still not adapting to survive, let alone thriving, often based on the varied approaches they have taken to GDPR. Some are:
• Continuing to bury their head in the sand;
• Spending large sums on cyber down to the detailed level of database permissions;
• Still investing time updating paperwork – and are beginning to get increased pressure from internal audit assessments as to why no processes reflect the documentation they have in place;
• Exhausted, have not achieved much and are beginning to realise that they didn’t approach implementation in a sustainable manner, which could mean starting afresh;
• Finally coming to the realisation that their “compliant” position is not what they first thought and were so proud of;
• The dream organisations that are persisting and thriving in their attempts to evolve in a positive way.
I often speak to businesses about the need to strive to devise the perfect ‘data compound’. This looks like the precise ‘mix’ of personal data elements that will unlock new opportunities for insight-based decision-making, innovation and revenue growth while ensuring that privacy, security and ethics concerns are effectively managed at all times. In the UK, the GDPR has helped companies with this but there is still a long way to go.
The UK’s recent departure from the EU, rather than closing the political uncertainty, has opened the UK up to potential future changes that businesses will have to contend with. For instance, as recently as last week, Google announced its intention to move the data and British user accounts from the EU to the US.
This comes at a time when data is crossing global borders regardless, every day, and nations from the US to India are grappling to produce regulations that govern these transfers in an ethical and seamless way.
The issue we face globally is that today’s world is culturally diverse, and whilst each approach may be taking GDPR as standard, naturally they will apply their own views and cultures. Regulators cannot be prescriptive about putting in regulation; the cultural balance is important, and what that balance will be in the UK will differ from Germany, India and the USA.
The next steps for UK companies and government must start with understanding that cultural and ethical responsibility, in balance with technological innovation. There are positive signs from our regulators, including the UK ICO’s recent focus on putting children at the heart of the digital agenda – it will be a challenge for some organisations to comply with the 15 provisions in the code. But in the modern world, young people are spending as much time online as they are offline, and protecting their rights around personal data must be a priority for government, tech firms and the wider business community alike.
We now exist in an era where our entire existence will be digitised, so when I’m asked to what extent I think that GDPR has impacted the UK – I would answer that it has given a foundation framework for competitive and ethical global advantage, but how we choose to make sure that it is a business enabler rather than prohibitor is up to us.