What is GDPR and how can we protect ourselves against it?
With GDPR fast approaching and the legislation becoming effective in May 2018, we know many companies are still unsure what GDPR means for them and what they can do about it. We consulted some of our best minds on the speaking circuit to help prepare effectively.
Simon Moores, Director of Zentelligence, futurist thinker and expert on disruptive technologies has said:
“GDPR is fundamentally a standard for the collection and use of online set by the European Union and which will come into force in May of this year. All businesses operating in the EU will be required to be compliant with the opting-in and new data transparency requirements or face the risk of considerable fines up to 4% of their total revenues.
The new regulatory requirements facing any business systematically collecting personal information at scale are both strict and onerous. They'll need a Data Protection Officer (DPO) in place and they'll need a data breach notification plan in the event of a significant data breach incident, as the law will now only allow a company 72 hours to issue proper notification to the regulator. If you think back to the TalkTalk or, more recently, Equifax incidents you can see how the world has changed from a corporate liability perspective.”
So how can companies prepare themselves for this?
There's a great deal to absorb in a very short period of time, but most of it involves policies, good practice and common sense. Education is very much the key to a successful implementation of the GDPR legislation, but the evidence strongly suggests that the majority of businesses are leaving the matter to the very last minute, and the consequences of poor advance planning and preparation may prove very expensive if it can be shown in the future that a business was negligent.
GDPR to make Europe a competitive zone for data-driven businesses
Geoff White, award-winning tech journalist and keynote speaker explains GDPR as “a sprawling piece of European legislation detailing how organisations should deal with data. The idea is to make Europe a competitive zone for data-driven businesses in the future. Enshrined within the regulations is a sense that personal data is now an increasingly valuable commodity. Organisations dealing with such data should be transparent and fair – and anyone abusing it will face stiff penalties.”
What do we need to consider from a cyber security angle?
From a cyber security angle, organisations must get at least the basics right to avoid falling foul of GDPR: knowing what data you have and where it’s stored is a good start. Putting security around the data is the next step. There are no hard and fast rules as to what type of security tech to use, and where to use it. Those I’ve spoken to believe the key thing that regulators (and enforcement agencies) are looking for is whether you’ve approached your data issues systematically, and put in place the kind of safeguards that are reasonable given your size of organisation.
Right so what should we be doing right now?
“If it all seems a bit woolly, that’s because it is. Until the rules kick in, we won’t know which parts will be enforced, and how rigorously. One thing is for sure: you should be making a plan and implementing it now.”
"You won't only lose money; your reputation will be shot"
Misha Glenny, international cyber security expert and author of McMafia agrees:
“The most important thing about GDPR is: don't, whatever you do, ignore it. Do NOT bury your head in the sand, because with fines of up to 4% of global turnover or €20 million (whichever is greater), you can be guaranteed that the European Commission is determined to make an example of any company seeming to play fast and loose with clients' data. You won't only lose money; your reputation will be shot.”
So, in order to protect business funds and reputation, what should we be wary of?
“Before long your customers are going to want to know if you are GDPR compliant and whether you can prove it. If your insurer thinks you are not up to the mark on GDPR, they will refuse cover. And don't think Brexit will offer an easy way out – the UK is adopting all of GDPR. Even US companies doing any business with Europe will need to be fully GDPR compliant. It may seem onerous, but it is good for business and even better for your cyber security regime.”
GDPR is a much needed directive
Inma Martinez, a serial entrepreneur, mobile tech pioneer and expert on social engagement through technology, also explained GDPR to us. Inma said:
“GDPR is a very much needed directive to come into place. In a world exponentially driven by the power of data and data analytics, of A.I. and other data-derived business activities, it was inevitable that governments and regulators would blow the whistle on companies that have abused customer data mining, let alone deployed marketing tactics and customer profiling that infringed the fair treatment of customers.
The most important novelty that GDPR brings forth is not just the “right to be forgotten”, that is, your right as a consumer to ask a company to delete your data when you are no longer their client, but to award your permission for a company to use your data for the objectives that they intend to carry out. This, above all else, is a first in consumer data regulation and it will impose on companies a higher degree of ethics and governance, of transparency of their tactics and, crucially, the way to prove that you are not treated in a biased way, that you are not discriminated against or taken advantage of as a consumer.
With GDPR in place, you the consumer will own your data, you will grant or not grant permission to organisations to use it, and you will be able to withdraw that permission at any time, even at short notice. Data, which used to be “big”, has now become “powerful”, and at last people are aware that such power resides on their side, not on the companies that provide them with products and services.”
How can businesses abide by the GDPR directive?
“Companies need to abide by the GDPR directive, just like they have to abide by accounting laws, trading regulations, and other directives that prove the fair conduct of businesses towards others and towards authorities and consumers.
What GDPR demands is a higher control and management of customer data so that the regulators can verify that you are handling this precious cargo lawfully. Right now, and especially in the digital world, there is a wild west of practices that call for regulation: why is the algorithm of Alexa biased? Why does it suggest different products to those offered by the Amazon website algorithm? Why can a company set up two websites selling the same clothes to different age groups and set two different prices for the same garment? Why does my bank sell my data to restaurants, supermarkets and other retail outfits without my explicit consent? The list has been long and full of wrong-doing admissions only found out when consumer groups or investigative reporting in the media brought them to public knowledge.
Still, there is a positive angle to adopting GDPR: by protecting and managing fairly your customer data, a company can gain your trust. In a world of “fake news”, transparency of data practices will allow brands to build trust and regain credibility, improve dramatically their customers’ experiences, create 1:1 marketing communications and forge stronger, more profitable customer relationships.”