Deprioritising GDPR – Is it a Risk Worth Taking?
Europe’s General Data Protection Regulation Act comes into force in May 2018. Companies who store or process personal information on European individuals would have had two years to understand the requirements and formulate a strategy for compliance. My experience in working with regulatory affairs people in the pharmaceutical industry is telling me that there are always three key questions at the senior executive level when assessing the effort (time and money) to invest in compliance:
- How can I ensure my company fully complies with the law?
- Will it really be enforced (and by the date originally stipulated)?
- What is the probability of us being fined?
These are fair questions. All organisations have limited budgets, and many are being pressed by shareholders, owners and boards of directors to show positive return on every euro invested. The answer to question 1 may not be an answer senior execs will appreciate. GDPR on the surface looks costly. It requires organisational change (including appointing a data protection officer), affects business processes (how do you gain and record consent) and potentially most challenging – it requires you to be in control of a broad set of data that could reside on premises, in the cloud or with business partners. If the answer to question 2 is “no” or “probably not” or the answer to question 3 is “low”, a decision to spend euros on projects that positively affect the bottom line vs. a compliance project can seem very tempting.
Personally, my bet is that we will see early and regular activity in terms of investigations into breaches of the regulation. But, first things first – how real is GDPR in terms of timelines and enforcement?
Here are my top 3 reasons why I believe DPAs will begin enforcing GDPR in May 2018:
(A) There are no dependencies
Unlike other regulations, there are no excuses for either the regulators or industry to delay compliance or water down requirements. We are not waiting for implementation guides, clarifications or regulation bodies to ready their systems to judge compliance. Everything you need to know about compliance has been published and data privacy initiatives are not new – legal advice is to hand for those who need it.
(B) Personal data is entrenched in business processes, which puts it at risk
The publication of GDPR within the European Journal specifically points out that technological advances “allow both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities”. The digital transformation that is now unfolding in all industries and public authorities runs on personal data. The closer the organisation is to an individual, the more data it will need to deliver the personalised services and products individuals are increasingly expecting. As long as people are parting with personal data and living in an increasingly digital world, governments will seek to protect their citizens online as in the physical world. I don’t see this digital trend reversing in the near future.
(C) Europeans value their privacy
European surveys tend to show individuals guarding their personal data more closely than other regions in the world. Of course this differs by age group and country to some extent, but most Europeans only part with data if they see some value in return, or are not willing to part with data at all. A 2015 Eurobarometer[i] survey showed the majority of respondents supportive of the general requirements of GDPR. In short, this is not only another piece of EU legislation thought up by bureaucrats, it broadly represents the desires of European individuals who are increasingly aware of their data being stored and used without their full understanding of the purpose.
Question 2 – what is the probability that any individual company will be fined?
Perhaps this is the wrong question to ask. Whilst the fines are quite daunting (between €10 and €20m or 2- 4% of global annual revenue, whichever is greater) – damage to brands that are perceived as treating personal data without the governance and security it deserves can be much higher. GDPR also allows for compensation for individuals over and above the fines, so individuals may be more inclined to file a complaint if there is a financial benefit to themselves. I would propose an alternate question:
What is the probability of financial or reputational damage?
I’m not going to hazard a guess at this figure. However, there do seem to be factors which increase the probability of a company incurring cost due GDPR non-compliance:
- There are 426 million potential investigators into breaches of the regulation[ii]
- Data privacy breaches seem perfect for class action lawsuits
- Information rapidly spreads throughout the world by social media and news agencies, escalating brand damage rapidly, and galvanising concerned individuals.
Regardless of the fines and compensation which will make headlines, without strong data governance internal customer care costs can spiral out of control.
The Eurobarometer survey showed 67% of interviewees not being satisfied with the control they have over the data they provide online. If only 1% of these decide to invoke their rights to enquire about their data, or demand to be forgotten, that would be roughly 2.8m inquiries to a call centre. This equates to +- 325 inbound calls per hour 24 hours a day, 365 days per year. Which makes me curious as to how long it will take to provide a satisfactory answer to every inquiry given the typically fractured IT environments within large organisations.
An extreme example – but clearly shows the importance of good data governance in meeting the demands of the GDPR.
In summary, my belief is that DPAs will begin aggressively enforcing the GDPR when it enters into force on 25 May 2018. In addition, a do-nothing strategy in a complex data environment could see costs mount even without fines or compensation claims due to additional load on internal staff and procedures as concerned individuals exercise their rights to data privacy, control and portability.
This brings us back to the original question which executives will be toying with:
How much should I invest in GDPR compliance?
I don’t believe you can answer that before you understand your risk. In this case, risk of additional cost after May 2018 is directly correlated to the amount and distribution of personal data within your organisation, and how well it is managed. Those who have already invested in data governance will not have too difficult a transition compared to those who have limited data governance in place.
The fastest way to understand your risk is to leverage software to deliver data security intelligence to answer questions such as:
- What personal data are you processing and/or storing?
- How exposed is this data to a potential breach?
More challenging, and perhaps more likely to be the subject of legal complaints and fines, are questions around business processes:
- Is data usage consistent with consent given by individual?
- Are you able to honour data subjects’ rights?
I’ll share my thoughts on consent, rights and the crucial role of personal data in today’s business processes in my next blog.