Sia Partners UK Digital Series: The Top 6 Things CEOs Should Know About GDPR
The clock is ticking down on the General Data Protection Regulation (GDPR) – less than eight months to go now. There are still some firms who are only just starting to grasp the magnitude of change required and the impact it will have on the personal data landscape. As of mid-2017, 76% of FS firms have expressed concern in their ability to meeting the deadline and the requirements in general. FTSE 100 companies would have been fined £25B in the last 5 years based on their publicly admitted data failures. It’s a very big issue. Based on our observations, we’ve compiled the Six key things we think every CEO and business leader needs to know as their organisations strive towards compliance with the GDPR.
1. Data portability is the key aspect of the GDPR that will change how businesses operate, and bring new opportunities
The requirement for data portability sets out the right of data subjects to request their data be made available in machine readable format – a format that can easily be processed by a computer. They may even request such data be sent directly to another organization, which may include as direct competitors. In effect, this is the data equivalent of moving over your mobile phone number from one network to another, or moving your bank account number from one bank to another. This will have two significant impacts. First of these is that firms will need to have the technological capability to make all the ‘Personally Identifiable Information’ (PII) available in machine readable format and delete it from all their systems ‘without undue delay’. With PII data often proliferating across many systems across organisations, including many legacy ones, this is a significant challenge for most firms. The second is that data portability will create new business models. Firms will be able to steal a march on their competitors in their target markets if they are one of the first to be make a ‘data portability’ capability available to potential customers, with GDPR making it easier for consumers to switch from the others. We are likely to see firms, particularly banks, spreading themselves into new markets (e.g. utilities). Imagine your bank being able to request your details from your service providers (energy, water, internet, etc..) – which they can glean from your direct debits – and compare those to your neighbours to inform you whether you might benefit from switching to another provider or move to a better package / deal. It is likely that banks will see this as an opportunity to become data hubs – custodians of not only your money but your data too. Additionally, we would expect firms to step up their communications, customer care and marketing efforts as the lowering of the switching cost should drive firms to give their customers less incentive to switch and more aggressively pursue competitor’s customers.
2. The biggest change needed within organisations is in the culture.
GDPR aims to make firms more liable for the risk associated with holding PII data. Firms will need to adapt their mentality and culture around how and why personal data is used and maintained within their departments. Currently there is still a pervading mentality to collect as much information as possible, even if not directly required. For example, is date of birth needed when getting a new fibre-optic internet connection installed? Firms then often treat this data as ‘their data’. Under the GDPR it will clearly become ‘the data subject’s data’… This is a big change. Firms will now be required to demonstrate that business processes that touch PII are designed to use the smallest amount of data for the shortest possible period of time and not exposing it to employees who don’t need to see it – both at the organizational and system level. Without changing the fundamental culture around personal data management, we believe firms won’t be fully able to ensure the rules are followed consistently. And if not, it is only a matter of time before they will be in breach with the likely consequences being a potential fine.
3. UK firms will need to implement the GDPR – despite Brexit.
This year’s Queen’s speech already referred to the Data Processing Bill that will ensure the UK is compliant whilst it remains a member of the EU (keeping in mind that GDPR comes in force before the Brexit date) as well as ensuring that after leaving the EU it will still have similar standards. The Bill will replace the existing Data Protection Act 1998. And on top of that, GDPR itself will always apply as long as firms, even when located outside the EU, handle data of people in the EU – and that includes many, if not most UK firms.
4. The fines are big but the reputational risk is bigger.
While the 4% of revenues potential fine under the GDPR has grabbed most headlines, far greater damage can occur through the breach disclosure requirements. These state that the firm is obliged to report to the regulator and in most instances to the data subject(s), within 72 hours, any data breaches that affected their data and what data was affected. With social media at everyone’s fingertips, it is likely that data breaches will quickly find their way into the public domain and shared widely. To date there have been plenty of data breaches that would have qualified under the GDPR for disclosure. In 2017 to date alone, Wonga, Three, Sports Direct and Zomato all encountered data breaches that they didn’t initially disclose. It is likely that there are more organisations which have experienced breaches but have been reticent to disclose altogether for fear of the reputational risk. With an increase in breach disclosures likely from H2 2018 onwards, and the greater attention on it from social media as well as the mainstream media due to the GDPR introduction, we believe that reputational risk should become a key consideration for firms post implementation.
5. Having a defined communication strategy will be important.
If breaches are not managed properly from a communications points of view, it can expose the firm in the event of a breach. Imagine a scenario where hackers intentionally target a firm and make public the breach or where a disgruntled customer, having been informed about the breach by the firm, vents their anger on social media. The firm will have no choice but to confirm and handle the situation, making it vital that they have a clear communication strategy. Cases where firms have bungled their social media responses and suffered a public backlash are abound with American Airlines top of mind.
6. The GDPR introduction will likely lead to a wave of fraudulent data requests from imposters.
We think that in the early days after 25 May 2018, imposters will try to fraudulently request individuals’ data from firms. GDPR gives data subjects the right to do so, but without proper identity checks, this can easily be done fraudulently. This could then in turn constitute a breach and expose the firm and the data subject to further problems and disclosures. Firms should make sure they implement appropriate measures to avoid such a fate, including the ability to handle the volume of data requests in the required GDPR timeframes (within 1 month) while still performing ID checks to the required level.
At Sia Partners we are currently supporting over 20 firms across Europe with their GDPR programmes – helping understand the impacts and the change required and managing the programme to deliver compliant organisations.
We have a bespoke, GDPR compliance diagnostic methodology that can quickly identify the root causes of problems as well as a strong record of delivering the necessary interventions that might be required to close the GDPR gap.
We also help our client’s employees truly understand the issues related to data protection and what to do, so that they are ready for the challenges ahead post-May 2018.