Close to the conception of GDPR in 2012, EU Justice Commissioner and former Vice President of the European Commission Viviane Reding stated that: “European data protection rules will become a trademark people recognise and trust worldwide.”
Those remarks were followed by years of deliberation and debate that affected every organisation with operations in Europe.
It was an ambitious goal, one that saw the GDPR enter into force in 2016, with full enforcement today. Entities doing business in or with the EU must now be compliant.
Earlier today, Information Age spoke with Monica Atwal, Managing Partner at Clarkslegal LLP, a commercial law firm, about the impact GDPR has had on organisations and the changing value of data.
Businesses have had a to face a big challenge with GDPR – to your mind, what have been some of the biggest challenges?
“With GDPR, businesses have a lot to consider. I think primarily they are concentrating on how it relates to their customers. Businesses have been trying to determine if the relationships with their customers are legal and whether or not they have consent or a legitimate business reason to use the data that they collect from them.
In the wake of the recent Facebook – Cambridge Analytica scandal, businesses also need to think about the third-parties that have or may have access to their customer’s data.
Security is a big issue. Businesses need to know if the record keeping processes that they have in place are safe and fit for purpose.
Businesses have been working to make sure that they are not only trying to stop cyber attacks, but given the nature of cyber criminals having the ability to stay one-step ahead, businesses also need to show that they are doing the utmost to prevent them succeeding.
Business leaders only have to look back to what happened with Carphone Warehouse and TalkTalk who were both fined £400,000 by the ICO (Information Commissioner) because they failed to do enough to prevent a cyber attack.
With GDPR this issue is highlighted. The fines are scary and there is a very real risk of being hacked.”
Many organisations are worried that they are not prepared for GDPR, and according to research, some organisations have actually put money aside anticipating fines. What are your thoughts on this?
“It is a radical and comprehensive piece of legislation, you really do need to have a very sophisticated mapping process especially if you are a medium sized business or larger.
You have to look and consider carefully what type of software and IT provider you use. You need to also look at training schemes for your staff to be prepared.
But with that said, the regulation has highlighted to people where they are likely to have weaknesses. I wonder if organisations are really putting money aside, as they would be much better off doing the work they need to do to be compliant. This is just business, data is the most important aspect that any business has, whether it is data on their customers or employees, data is all they are worth.”
You recently stated that “data is fast becoming more valuable than gold.” Do you think consumers are aware of this?
“I think there is a big issue with individuals not realising that their data is valuable. I hear a lot of people complaining about all the emails they are getting from organisations asking them to re-subscribe.
However, this is highlighting their data footprint, these emails mean that all these organisations use their data.
Computers know people’s buying habits better than they do themselves. I think people have to realise that they need to take more control of their data and be more mindful.
We like to think we cannot be manipulated into doing things, but we can.
I think there is some education to be done and consumers need to take more responsibility. If you look at Facebook, they have updated their privacy notice, they have taken steps to articlate that something like the Cambridge Analytica scandal wouldn’t happen again.
But if you look at Facebook’s new privacy notice, it’s vast, how many people actually read this?
In it, they are clear that they are analysing your data and keeping a record of your political views and habits.
Data is valuable, you should treat valuable things with care. People look after their phones better than their data.”
How should businesses react to this going forward?
“There’s no problem if you already have ‘legitimate purpose’ meaning you are already in a relationship with a person, so there are good grounds for using their data. Provided you use it the way that the customer would expect it to be used and it has a minimum privacy impact.
The issue is that you cannot assume you can move that data to another list, such as another marketing list for selling other products. That is why it is important to establish new consent.
However, at the moment people are getting emails from companies they haven’t bought from in years and they want to keep in touch and are not sure why.
Instead of just begging people to stay, you should show how the data is being used to benefit them.
Say an individual subscribes to a magazine about cars, if you were to articulate that you wanted to send him additional information about products relating to cars, such as cleaning products or relevant events, he may understand and say okay.
This is an opportunity to develop trust and a much more intelligent selling relationship.”