Interviews

GDPR viewpoint

by Mark Rowe

Concerted promotion by consumer groups of new rights under the General Data Protection Regulation (GDPR) could be more disruptive to businesses across sectors than the “TripAdvisor effect”, with yet more control over the future of brands and marketing strategies shifting away from companies and towards consumers and employees. That is according to a new risk analysis paper on GDPR from the technology law firm Boyes Turner.

The UK data protection regulator, the Information Commissioner’s Office (ICO), in particular is expected to launch a major PR offensive in early 2018 alerting consumers to their new rights as “data subjects”, the firm suggests. Add the ability for consumers to bring collective “class action” type claims where they feel their rights have been breached, and there is a clear risk of litigation and of significant disruption to businesses and their working practices, according to the firm. The report can be read here: http://www.boyesturner.com/our-expertise/gdpr.

The paper projects that unprepared companies will face increasingly heavy resource burdens as a growing number of consumers demand to see and withdraw all data held on them. The removal of “implied consent” and “opt out” models will place a further strain on data departments.

Top fines for breaches under the European regulations will be as high as 20 million euros or 4pc of annual global turnover – whichever is the greater. The regulations come into force in May 2018 and will continue to apply despite the 2016 vote for Brexit, with proposals to enact them in UK law already unveiled by the UK Government in the Queen’s Speech.

Sarah Williamson, partner at Boyes Turner and speaker and author on data protection and security issues, said: “If consumers are encouraged to take up their new GDPR privacy rights en masse, the impact on a wide range of businesses could be more disruptive than the tech-driven consumer empowerment forced by the likes of TripAdvisor and other consumer review and price comparison technologies. Like these disruptors, companies that have used the GDPR as the catalyst for getting a handle on the value of holding, handling and utilising consumer data in compliant ways can be big winners. But for the underprepared, if it isn’t the GDPR fines that get you, the large-scale, ongoing disruption from consumers checking, demanding changes to or legally challenging data held on them could.

“Urgent action is required now to ensure businesses know what data they hold, are able to access it quickly and action change requests with minimal bureaucracy and disruption. There are real opportunities for firms to become more agile and effective in their use of consumer data. But there are also real risks that those that get it wrong will be so tied up in GDPR red tape they won’t be able to deliver their real business priorities.”

Processing of data by artificial intelligence is another area where the report warns that, despite the GDPR deadline of May 2018, regulatory uncertainty remains, further complicating the challenge of becoming and remaining compliant. The ICO only recently closed a consultation on the processing of data by algorithms, meaning clear guidance on this fast-moving area is not yet available.

Sarah Williamson said: “Machines are making decisions about how data is processed and how that data is used. If these robotic decisions about data handling risk breaching GDPR obligations, organisations could be leaving themselves wide open to challenge. With official guidance not available, organisations need to internally test to destruction where algorithms could be leaving them exposed to huge fines and business disruption.”

The report warns that some companies are so far behind in preparations for GDPR that they can’t hope to be fully compliant by May 2018, meaning a rigorous gap analysis and risk management process will be needed to ensure effort is prioritised where gaps are largest and risk greatest.

Sarah Williamson added: “While some companies we spoke to are well ahead of the game, many have a long way to go. The best prepared are already demonstrating a ‘privacy by design and default’ approach. The benefits they derive in terms of consumer trust and confidence will mean they are able to continue to profit from well-handled and effectively used consumer data. However, full compliance by May 2018 will simply not be achievable for many.

“With eye-watering fines in the offing, and with guidance from regulators still unclear in places, firms need to be adopting a risk management and gap analysis approach, prioritising action on the areas where they have most to gain from action or most to lose from inaction. With so many different parts of the business impacted, it is possible some firms may be fully compliant and reaping the benefits in, say, HR or marketing, but wide open to fines or a loss in consumer trust from an exposed flank.”


© 2024 Professional Security Magazine. All rights reserved.