The risks posed by handling PII will be significant in 2018

The GDPR deadline is now less than six months away, and businesses across the UK (as well as many more around the world) are currently working hard to prepare for it.

This, as many are discovering, is no easy feat. It requires a lot of time and resources. And, even for those companies who are compliant by May 25th, the effects of this legislation will live long into the future.

For all the logistical challenges GDPR presents, the legacy of GDPR will likely be far more profound in 2018. We will begin to see an evolution in the way that personal data is thought about and handled by businesses.

Whose data Is it?

GDPR itself has been built upon the notion that ‘everyone has the right to protection of personal data.’ While this principle has been around for decades, it has extra resonance in society today.

At present, scrutiny of business’ handling of personal data has gone mainstream, and discussions around what uses of this personal data may-or-may-not constitute a violation of customers’ privacy are no longer just the province of privacy lawyers and advocates.

>See also: GDPR compliance – the real implications for businesses

This is because – now more than ever – people are waking up to how businesses are treating their personal data as an asset – an asset that people are increasingly viewing as belonging to them, the individual. And, so, they want the right to decide and dictate when and how this asset is used, and they want it protected.

In fact, SAP and Arlington Research’s 2017 report has revealed that over two-thirds of consumers do not trust brands to handle their personal data appropriately. Conversely, a similar percentage of individuals consider it their own responsibility to safeguard and manage their personal data.

This dynamic demonstrates just how true-to-life GDPR’s core sentiment is. The idea that people’s data should be safeguarded as a personal asset belonging to the individual is far more than an ideal, it is becoming the expectation for the average consumer.

Despite this, many modern businesses have walked a tightrope between leveraging personal data to improve the customer experience and causing outcry from these customers.

Data economy

The rise of the on-demand economy over the past decade goes a long way to explain why businesses have been hungry for personal data – at times walking this tightrope precariously.

Nearly a decade ago, innovators like Lyft, Uber, Airbnb, and TaskRabbit had just begun to change the way businesses engage with their customers. Contextualised data enabled companies like this (and many others thereafter) to provide personalised customer experiences in ways previously unimaginable.

With this, consumer expectations have skyrocketed. Now regardless of whether they’re buying movies, food or booking a hotel (or in almost any other interaction a shopper has with a modern business) consumers are demanding personalised service.

>See also: Dark data in contracts poses hidden risk to GDPR compliance

In today’s data driven economy, the ability to access personal data (and extract value from it) is crucial to many businesses – it has, for example, enabled smartphone manufacturers to introduce fingerprint unlocking, and helps voice assistants like Echo to understand your voice.

GDPR builds on existing data protection principles, but with its broader reach and steeper fines, it is changing the calculus for businesses when it comes to their use of personal data.

Businesses might fear that in becoming GDPR compliant, they will be unable to access the data needed to meet their customers’ evolving needs – but they needn’t worry.

Instead, this change – much like those ushered in by innovators like Uber and Lyft – should be treated as a challenge to continue to meet the ever-evolving expectations of the consumer (a consumer who is today demanding more transparency around how their information is used).

Businesses must consequently seize this opportunity to reassess their attitudes towards the personal data they’re handling.

Re-defining data

Out of this introspective (albeit compulsory) undertaking will emerge a mental shift by businesses around how they are thinking about the data they collect and process.

>See also: Protecting employee data is crucial

Currently, their mental framework (born out of the data economy) supports notions of “because this data was processed by our service/company, it belongs to us and we can do with it what we want,” but GDPR compliance will draw companies away from these ideas, instead helping nurture attitudes of “this data belongs to the individual who used our service, but I am permitted to use it under strict conditions.”

Is the “fuel” of the new economy actually more like uranium than oil?

In 2017 the seemingly infinite value of data led many commentators to compare data with oil in terms of the potential for extraction, but today this only paints half the picture.

Placed within the wider context of heightened privacy concerns from the consumer – which have helped bring about GDPR in the first place – a more fitting (and instructive) analogy would be comparing personal data to a different type of fuel – uranium.

Uranium stands apart from other fuels given the risks inherent to handling it. Indeed, the less you handle it and the fewer people who access it, the less likely it is to leak or cause harm.

In the era of GDPR, thinking of personal data like uranium instead of oil is a more instructive analogy. These same principles now apply to personal data – it is something that, unless reasonably necessary, businesses should not collect, access or move about (to avoid an altogether different, but equally lethal, kind of ‘leakage’).

>See also: Benchmarking global readiness for the GDPR

Whilst only an analogy, this dynamic helps to give a more true-to-real-life understanding of the way personal data will need to be perceived by businesses in a post-GDPR world.


Ultimately, GDPR will by its intent and impact enhance privacy rights for individuals in the EU. Today, almost every company in every industry uses personal data for conducting at least some aspects of their business.

The deeper impact, however, of this legislation will be felt in the longer term. Obligations of transparency, accountability, and fairness will help businesses and their employees to understand just how important personal data is – not only the business itself, but to the individual customers it is serving. GDPR represents an opportunity for companies to continue to meet their customers’ expectations.


Sourced by Sheila Jambekar, GDPR spokesperson and associate general counsel at Twilio

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics