By Nicola Howell, Senior Privacy and Compliance Attorney, Legal at Dun & Bradstreet
November 25th, 2019, marks 18 months since the General Data Protection Regulation (GDPR) came into force.
Like any 18-month-old, GDPR is making its mark on the world, even if it’s not fully understood by those who deal with it each day. Before its introduction, the GDPR was met with hesitation. This quickly turned into a scramble as businesses rushed to meet the May 25, 2018, deadline.
As a result, many organisations were, and remarkably still are, unprepared; less than a third (28%) claim to have successfully achieved GDPR compliance.
Compare this to a GDPR readiness survey a week before the deadline that found 78% expected to be prepared by the time the regulation came into effect, and it’s clear to see that many organisations have fallen behind.
A lack of readiness has led to serious repercussions too. High-profile fines faced by Google, BA and, most recently, Facebook highlight both the challenges posed by the regulations and the high-profile consequences of getting it wrong.
The Information Commissioner’s Office’s (ICO) ‘Guide to the GDPR’ is a good way to help understand the basics of data privacy and information rights.
Handing users back control of how their data is used and processed was an important and widely lauded step. However, eradicating misconceptions of what can and cannot be processed is a vital next step if business leaders are to achieve GDPR compliance.
Not all data breaches are created equal
One example of a myth that needs busting is around making a breach notification.
For the first time, all companies – not just telecommunication organisations – are obliged to notify their Data Protection Authority (DPA) within 72 hours or face severe penalties. This is a deliberately stringent requirement that has – and will continue to – cause sleepless nights for some (again, like many 18-month-olds).
Yet not every breach requires a notification to the DPA.
Only breaches that could cause harm to individuals’ rights and freedoms need be notified. The ICO is the UK’s DPA and was established to uphold information rights in the public interest. It defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
So, a hack that reveals bank passwords or patients’ files at a hospital would have to be escalated, but the loss of a staff email list likely wouldn’t.
This is an important distinction that can provide much-needed clarity. Reporting every single breach would only cause unnecessary panic and complication, and is not cost-efficient.
Fines are the stick, trust is the carrot
The GDPR gave consumers control of their personal information: how it is processed, used and shared. It was an important evolution in a world that continues to shift online, and it was clear from the inception of GDPR that businesses would face big fines for misconduct.
Even before GDPR was introduced, eyes were on who would receive the first big penalty. While the high-profile cases have provided critics with much-needed headline fodder, there is scope to take a more positive and less punitive approach to GDPR commentary.
The rewards for GDPR compliance extend beyond the meagre reassurance of not being fined. The same Capgemini research that identified low levels of compliance also found that 81% of firms that are compliant reported positive impacts on their reputation and image. Almost all (92%) say it has helped them to gain competitive advantage.
As well as rightly handing control of personal data back to the people, being GDPR compliant is good for business. It sends a message to customers that their personal data is valued and that a business is competent and trustworthy.
As an added bonus, businesses that move quickly will be ahead of two-thirds of their competitors.
Next step: ePrivacy
Even if, in a hypothetical world, there are no more high-profile GDPR breaches, data protection law won’t be absent from headlines for long. The ePrivacy Directive – soon to become the ePrivacy Regulation – is set to be the next iteration of data privacy law and will set out more specific privacy rights on electronic communications.
The scope of the new ePrivacy Regulation would apply to any business that provides any form of online communication service, uses online tracking technologies, or engages in electronic direct marketing. So far it has had a bumpy and delayed ride through the EU legislative process since the first draft was released in early 2017. It is still under intense debate and will not be finalised in 2019, so implementation before 2022 is unlikely.
For the many businesses it will apply to, the new ePrivacy Regulation may cause as much disruption and require as much preparation as did GDPR. Attention should be paid to the final version – that will likely be released in 2020 – in order to stay ahead of the game. Businesses that prepare to be compliant from day one – like the 28% of businesses ahead of the game on GDPR – will have a distinct advantage over their competitors.