Brexit or no Brexit, the UK will next year be subject to new European Union legislation governing data privacy
There’s one date that has many in the insight economy quivering in their boots and that’s May 25, 2018. This is when the landmark EU legislation, General Data Protection Regulation (GDPR), comes into force. And despite Brexit, it will shake the world of UK data privacy to its very core.
Consumers across Europe will soon have a fistful of new rights, including the right to have personal data deleted, fresh access rights, new civil liberties around data portability and consent, as well as the right to be informed of data breaches. The list is long, going beyond the UK’s Data Protection Act and bringing 21st-century, digital-age, law and order to the wilds of data use.
GDPR gives power and control of personal data back to the individual, and follows a trend that’s occurring in other parts of the world – a demand from consumers that organisations understand and mitigate the risks when they handle our details. The law is also aimed at promoting trust. Only one in four UK adults trust businesses with their data, according to a survey by the Information Commissioner’s Office (ICO).
With extra-territorial effect, research agencies, data processers, collectors and anyone who handles our information will have to comply. You can be in Hong Kong and analysing a survey from Hull, it will affect you. This legislation also has teeth, with fines of up to €20 million or 4 per cent of global turnover, whichever’s greater.
“The potential fine is so high now that it can’t be ignored. The sum is the first thing that grabs people’s attention,” says Jessica Santos, global compliance director at Kantar Health, a market research firm.
And with the annual turnover for some of the biggest historical abusers pushing into the billions, this could result in some jaw-dropping penalties, once the preserve of antitrust violations. In the light of past data breaches, Tesco Bank, TalkTalk and Yahoo! would have all been severely punished by this new legislation.
So, when asked about preparation for GDPR only Yahoo! responded: “The privacy and security of our users is a top priority. We’re actively working internally and with industry peers to develop an implementation strategy for compliance with the GDPR,” according to a spokesperson.
This is the standard response many companies give. As Ms Santos points out, how well your organisation is doing to meet GDPR is highly classified. If you say you’re compliant, you could soon be investigated by the authorities as a test case; if you put your hands up and say you aren’t, you could also be audited.
Businesses are unprepared
The issue is that companies are still scratching their heads trying to understand what GDPR means to their business. There’s a myriad of surveys showing how unprepared companies are. The practical scope and potential implication of this legislation are also still being debated by regulators, trade bodies and privacy lawyers.
The scale of the task is not to be underestimated. At least 75,000 new data protection officers will be needed worldwide in response to this EU law, according to the International Association of Privacy Professionals (IAPP).
“GDPR is not a box-ticking exercise,” says Michelle Goddard, director of policy and standards at the Market Research Society (MRS). “It’s about a whole cultural shift within an organisation. It will need systemic change and it’s not without a cost to business.”
However, the market research and business intelligence community is in an advantageous position. The sector has always treated data with the utmost respect, going to great lengths to anonymise people’s details.
It will need systemic change and it’s not without a cost to business
Unlike direct marketing, market research is about people like you, rather than you personally. It’s about segmenting not profiling. When consumers agree to be part of a survey they enter into a social contract of informed consent where their details will be withheld from third parties.
“Effectively we are data businesses, our assets are intangible and we cannot afford to lose the trust of the people we poll and research. Many companies are already data compliant because of this. So, market research is in a good place with respect to GDPR,” says Ms Santos.
The greatest impact that this legislation will have on the insight economy is that all companies handling EU citizen’s data will be accountable, including data processors and controllers, as well as handlers, in fact everyone along the data supply chain.
“Historically, processors used the excuse that they didn’t control the data and therefore did not have accountability for the information,” explains Paul Prior, managing director in the performance analytics practice at FTI Consulting. “This legislation will result in major changes, including accountability for all categories of personal data that’s processed. Data owners will also need take a more proactive role in the identification, management and reporting around personal data.”
The data protection agency here in the UK, the ICO, is now talking up GDPR as a real opportunity, heralding the legislation as a proverbial carrot rather than stick. “Get data protection right and you can see a real business benefit,” says Elizabeth Denham, UK Information Commissioner. “It offers a pay-off down the line, not just in better legal compliance, but a competitive edge.”
The idea is that we as consumers will be more attracted to companies that are respectful of our data, our rights and the privacy of individuals. Over time, the ICO believes, GDPR can play a greater role in consumer choice. And when everyone is supposed to be compliant by May next year, then the real window for competitive advantage is right now; after that all corporations should be on a level playing field.
Investors have also started punishing corporations for data security breaches. A company listed on the FTSE 100 becomes worse off by roughly £120 million in the wake of a breach, according to a study by Oxford Economics, while share prices fall by an average of 1.8 per cent.
“If companies start taking data management seriously, they will create a positive response loop that will enhance trust in the digital economy,” says Omer Tene, vice president of research at the IAPP. This is what the ICO, MRS and IAPP, as well as the EU hope, that this legislation will lead to good information governance and install confidence among consumers to continue sharing data.
Consultancies and security advisory companies are also selling GDPR as a way for organisations to take a radical step back, examine the way they deal with personal data, and build governance and privacy into the whole process.
“It will give organisations a better understanding of the personal data they need and what they are allowed to use it for,” says Stephen Bailey, executive principal consultant at NCC Group. “The nightmare scenario would be buying an organisation for its personal data only to find that you do not have the right to use it in the way you want to.”
Dr Goddard at the MRS imagines a time when big corporations send out GDPR audit requests themselves. There’s no doubt that the business of data will never be the same again.