GDPR probably won’t decimate businesses but it might leave some burned
Regulatory Compliance

The impending threat of GDPR is giving European marcomms professionals an excellent boost. Now there is plenty of spurious web research to be delivered for a wealth of “Shock! 92% of businesses are not prepared!” headline stats.

The reality is probably a little more nuanced than the blanket panic picture being presented. But GDPR is new – pretty stringent, with some hefty fines – and has the potential to have a big impact on a lot of global businesses. However, there is no real reason why any should come truly unstuck, providing they are prepared and have not been taking a morally dubious approach to individuals’ data in the first place.

The first, and most striking, thing that seems to get forgotten about GDPR is that this European regulation impacts any business that deals with European citizens’ data. This means that while in Britain and Europe the concerned headlines are frantically doing the rounds, it is still largely under the radar of international firms based outside the region. It seems likely that this could cause some difficulties in the run up to May 2018.

The second thing that seems to emerge most strongly is that while there is a lot of talk about specific rulings – like right to be forgotten – what might prove the biggest fundamental challenge for many businesses is knowing exactly where their data is, so they can comply. This is not, therefore, so much about ticking the necessary legal boxes but about getting a true handle on their data, which may be duplicated for testing, stored with third party partners or simply transferred willy-nilly across employee devices so they can work remotely.

Yahoo! – and the other “we were breached years ago and only found out last week” reports emerging with alarming alacrity – just go to show how little clue many large companies have about their data. I suspect a great chasm of irony exists between the shiny sales collateral which proudly proclaims many a “data business” and the real-life scrabble of replicated Excel spreadsheets manually updated and emailed at random by poor saps on the minimum wage. There may be fundamental cultural issues that need addressing here in many organisations.

It seems likely that businesses that have already been regulated to the hilt – like financial services – may, in some ways, have a tougher time complying with GDPR, but because of the nature of their business they are already well on the journey. These types of companies either have explicit financial worth in their data or intellectual property that has a clear market value. This direct monetary figure on the data means most already have clearer storage and handling processes and are better prepared to tackle security breaches.

GDPR is pretty categorical for an EU regulation, but as it is brand new there is still quite a bit of uncertainty around how the rules might be interpreted in practice. Stipulations such as individuals having to provide ‘explicit consent’ for the use of their data could mean a number of things, and these types of grey areas might have a serious impact on industries like marketing. Marketing often has a somewhat lax approach to data and privacy, and often sees employees stalking individuals round the web and harvesting their details off social media.

This new focus on individual rights can, in turn, breed a different kind of panic in businesses with concerns that whole industries – those which build their revenue on gathering and selling data – could be entirely decimated by the ruling. Yet this type of concern is probably a little premature. As long as businesses are prepared – have a handle on their data – and are not too nefarious in their existing practices, with a legally defensible position on each grey area, they should be fine.

Europe, as a continent, may be incredibly concerned about privacy, but individuals themselves are still generally quite negligent. The overwhelming mass of data breaches has still not really stopped people from using one password across multiple sites, while the terms and conditions that need ticking to do anything at all are always likely to be too long and boring for the majority to read. The truth is people know they have to swap their data for all kinds of goods and services, and most will never be bothered to exercise their new-found ‘right to be forgotten’ unless they become stupidly angry with a company.

Overall, GDPR forces businesses to be less slapdash with individuals’ data and also makes them work that little bit harder not to annoy customers. There is no real reason why anyone should come a cropper from this – although the first one to run afoul of the rules may be guillotined as an example. Yet companies do need to be aware that this is happening, they do need to realise GDPR impacts any international organisation which deals with European citizens’ details, and above all they must have good visibility of their data.

Kathryn Cave

Editor at IDG Connect


Comments


Ray Collyer on February 09 2017

Good article Kathryn. Unfortunately most of the topics coming out talk about cyber data issues and paper-based data issues, but very rarely is the issue surrounding electronic data and the government-approved methods that should be used to destroy this type of data, and the ethical ways that these devices should be disposed of ONCE the data has been destroyed ON-SITE, discussed or explored. Many IT disposal companies are based on collecting the equipment containing personal data, signing for the equipment at the back door and transporting this kit with data to their warehouses for disposal. This method is completely putting the client at risk of data loss/breach. Invariably co's use sub-contract or agency staff, transport the kit in vehicles clearly marked with the co' name and description of what they do, and use staff that are not SC Police Cleared. They often use shredding as a way to destroy data, which is not a UK Government approved methodology, merely a way of hardware destruction; need I go on! Companies need to research and put in processes that ensure their IT asset disposal suppliers conform to InfoSEC i5A methodologies, have all the required UKAS accredited ISO certifications which cover the ENTIRE scope of their business etc...etc.. Sorry, but we are serious about our business and we want at all times to protect the client, first and foremost against the risk of breach. Hope this assists anyone that might read this. Kind regards Ray Collyer - Greenworld Electronics Ltd - 07823 320960