GDPR – one year on

How has GDPR changed the security and compliance landscape? Over the following pages, you’ll find a range of views and opinions as to what’s changed, for better and worse! Here, we start with a GDPR Q and A with Mark Thompson, Global Privacy Lead, KPMG.


Are businesses implementing the key requirements successfully and are there any key learnings to be applied?

Reportedly, regulators have received 64,000 data-breach notifications from across the EEA since the General Data Protection Regulation came into effect[1]. With hundreds of investigations currently in progress, we are slowly starting to see substantial enforcement and fines as a result of non-compliance with GDPR. This shows that organisations still have a long way to go in placing privacy needs at the top of their priorities and at the centre of their operations.

“We’ve seen organisations get burned for thinking GDPR is an umbrella term that captures all privacy regulations. In truth, GDPR is just one example of hundreds of privacy regulations operating globally. A lot of companies have implemented it and assumed they’re compliant as a result, but this is not the case as GDPR isn’t recognised in all overseas markets. Looking forward, businesses need to think differently, and more holistically, about privacy.

“There’s also a need for more board level accountability when it comes to data management in businesses. Privacy was definitely high on the board level agenda last May, but it has since slipped down the priority list. It needs to be considered like any other critical asset and be consistently thought of as a priority at board level.”

What’s next for GDPR and what more can be done to protect consumer data?

In the digital economy, companies know more about their customers than ever before. Manufacturers, retailers and platform companies are already unlocking the value of data by configuring quicker, easier and more personalised experiences to win, retain and build trust with customers. Yet this value will not endure if companies fail to understand what consumers think about their data, how it is used and who they should trust to protect it. In this changing landscape, companies need to look beyond such concepts as permissions and consent and recognise that data privacy is far more than a compliance-led, box-ticking exercise. Data is an asset that, mishandled, can become a liability that damages your brand and destroys trust.

“In the next year, we anticipate organisations are going to go into ‘phase two’, where they’ll look to make privacy processes more efficient, operationally effective, leverage technology and truly provide the right foundations putting the customer firmly at the heart of how they approach privacy. If done right this will truly enable organisations to leverage personal information to deliver great products and services and create value and give them a competitive edge.

“This next step is to re-evaluate the dynamic of data as an asset vs data as a liability and to put in place the right resources, structure and budget to support one of the organisation’s most valuable assets.

“This will become increasingly important in the coming months as regulators begin to levy more enforcement actions. We are also likely to see more emphasis being placed on more complex privacy issues, such as international transfers and data subject rights.”

What have been the key challenges faced by businesses when implementing GDPR?

“One of the most widely reported issues businesses are still facing with GDPR is understanding what data they have on record and how it is used. We recently worked with a client whose business operates across 5,000 systems. Establishing what data is stored amongst thousands of systems and how to achieve compliance can be a difficult task. We would not recommend carrying out a project of that scale manually; however, we know that organisations have generally carried out their ‘data inventory projects’ in a manual way and these are fast becoming out of date and unusable.

“Another challenge for companies is how to manage numerous data interactions across their enterprise cycle. We are seeing data from a single consumer interaction move across many different organisations and getting a handle on those touch points and the different uses of data can be a complex task. We are also expecting the number of touch points to increase tenfold over the next four to five years. Digital advances have led to a significant transformation in how much data is used and how it gets passed down the value chain.

“In addition to this, companies also often find it challenging to understand what the consumer expects in terms of data protection and getting the balance right. Research shows that personalisation is a key factor in building customer trust - the more businesses can behave like the customers they serve, the more the trust grows. However, personalisation is generally only possible with a large amount of customer data, and the only way to obtain customer data is by building trust.

“A further key challenge is the ambiguity around how GDPR principles can be interpreted. The regulators have provided guidance, but organisations have had to consult lawyers and make a decision as to what they think the right position is. Some organisations are being very risk averse while others are interpreting the requirements a lot more broadly. We will have more clarity on the regulatory ‘grey areas’ when we start seeing case law and enforcement actions being issued in the next few months.

“All these challenges have been underpinned by a significant lack of technology to support GDPR – privacy tech is limited in the marketplace and most of the available technology is being delivered by start-ups. There hasn’t yet been a solution or a group of solutions that can be easily bolted onto a business’ current technology infrastructure, which remains a challenge for companies looking to implement long-term change.”

Have there been costs associated to implementing data privacy? Have businesses had to upskill staff/recruit to implement this?

“If you look at global businesses, some have spent over £100 million on implementing GDPR, while others spent less than £1 million. Looking at a company’s overall investment is interesting as it shows how seriously a business is taking the data as an asset vs data as a liability dynamic and whether it’s genuinely looking to transform for the future.

“Data mapping is one of the most significant costs reported by businesses – this includes understanding where the data is kept and how it’s being used. As this is still often being done in a manual fashion, it also requires a lot of resource.

“Human capital resources, including hiring lawyers and contractors, have also been a common expense for companies. The review of large volumes of contracts, to make sure they contain the right clauses and are fit for purpose from a regulatory perspective, has been an additional source of expense.

“There has also been a high cost associated with hiring resource internally. In many businesses, privacy was traditionally dealt with by one person or a very small team, and it now often involves a wider team with multi-disciplinary skills who operate in a small resource marketplace, which represents a big step change for companies in terms of cost.

“It’s also worth noting that we’ve seen companies lose money by shoehorning privacy into business processes and customer interaction points inefficiently. For example, a customer can access a website and have to click through numerous cookie settings to access the information they want. This is an example of how some businesses have applied privacy processes but have impacted the customer journey in the process. This is costing businesses from a revenue perspective, and from a customer experience and trust perspective.”
