GDPR: competitive advantage through compliance
9 May 2018
2018 has been the year of data scandals: following on from several years of personal data being exposed in high profile breaches, we have now entered an era of political scandals involving social media, governments, political parties and shady marketing outfits.
It is also going to be the year of privacy, because 25 May 2018 is D-Day for the EU’s general data protection regulation (GDPR).
As is well known by now, the penalties for not adhering to the GDPR depend on the nature of the breach, with the regulation allowing for fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher. If fines are levied at this level any digitally dependent business — or any business undergoing digital transformation — will no longer be in business at all if it fails to protect customer confidentiality.
Understandably, a scramble to get compliant is now underway, with consultants, some good and some rather dubious, popping up around the country to provide businesses with a path to data heaven. And yet, some figures estimate that as many as 60% of businesses will not be compliant come 25 May – and this despite the two-year lead-in.
Between the maximum possible fines and the demands for data accessibility, the GDPR is doubtlessly a challenge for any business. But is that all it is? Ireland’s data protection commissioner Helen Dixon thinks not.
Speaking at the 2017 Data Summit, Dixon made waves by pointing out that rather than being seen as an onerous compliance issue, the GDPR could be viewed as an opportunity: an opportunity to reassure customers about privacy, and, in the process, drive new business – and even new business models.
Speaking to TechPro, Dixon says that her comments are as true today as they were when she gave them.
“I think there were a number of reasons why I made that comment,” she said.
“The first is that, with the increase in storage capacity and processing power, organisations are bursting at the seams in terms of data that they’ve collected. It’s an opportunity to go back under the GDPR.”
Dixon points to Article 30 of the GDPR, which gives customers the right to become aware of what personal data the organisation holds, for what processing, what retention periods should be applied to it and how accessible it is, noting that this means anyone holding data needs to get their house in order. But that creates opportunities for growth, she says.
“The GDPR, aside from that becoming aware of documenting, requires organisations to perform a risk assessment, and that itself is an opportunity. Data subjects have very clear enumerated rights: rights to deletion, rights to transfer under certain circumstances, and rights to access data within 30 days.
“This will lead to greater trust in organisations and the absence of [the kind of] large scale data scandals that the media has been reporting in recent times,” she said.
There is also the chance to pull back from the idea that a scraping bonanza is the only way to make money online.
“I was also referencing that organisations who ‘monetise’ the data that they collect, it’s an opportunity for other organisations to differentiate themselves. People are becoming, particularly in recent weeks, very conscious and very nervous about the kind of data that organisations are collecting on them,” she said.
Big bad data
Indeed they are: the Cambridge Analytica scandal, exposed by French journalist Elise Bronsart on the Vox Pop investigative news programme last year, and compounded by further revelations in 2018 by The Observer’s Carole Cadwalladr, has made the general public more aware than ever that social media companies in particular are squeezing them for all they are worth.
Closer to home, there have been misgivings about the use of data in targeted online advertising in the run-up to the forthcoming referendum on the eighth amendment.
And yet, mass drop-offs from social media have not, as yet, occurred.
Brian Honan of BH Consulting says the depth of feeling is not yet known.
“The big question mark is: does the consumer really care?” he said.
“The Cambridge Analytica and Facebook issue hit the press and so there is a growing awareness amongst people about how information can be used and how people can be manipulated. They will be paying more attention to it.
“That said, I don’t see a road to Damascus change in consumers on May 25, [but] if it creates more awareness then it’s a good thing,” he said.
Honan said there are already signs the landscape is shifting.
“What we are seeing is that privacy is being commodified by big tech companies. The problem with this is that privacy is a basic human right: it’s covered by the UN convention, and it’s [also] a right within the EU. We can’t have rights being commodified, and that’s the play of these big tech companies.”
Honan notes that some, such as Apple, pride themselves on not having data-centric business models.
Indeed, Apple chief executive Tim Cook recently described Facebook’s business model as an “invasion of privacy”. Facebook boss Mark Zuckerberg, for his part, replied that Cook’s comments were “extremely glib”, but it is hard to imagine many people taking Zuckerberg’s side in the argument.
In the meantime, there has been renewed interest in privacy-centric services, even ones that have long been around. One search company, DuckDuckGo, has long presented itself as the anti-Google, and the Mozilla browser is now being pitched as more private than the alternatives.
On the business side, cloud providers are now marketing GDPR compliance, notably including not transferring data outside the EU.
Honan says that it would be a mistake to give too much credit to the likes of Apple, though.
“At the same time, Apple has given access to the Chinese government for the iCloud keys of every user in China,” he said.
GDPR and you
If this is the background to the GDPR – massive data intrusion by giant multinationals – then what does it mean for everyday Irish business?
Tom Hulton, corporate compliance manager at An Post, says that GDPR needs to be seen as “a major challenge.” Echoing Dixon, however, he says that the GDPR means there will be new opportunities.
“A lot of people view it as a hygiene issue, but if you do it right you get trust from the public [and] you can use GDPR to demonstrate that you’re compliant,” he said.
An Post has a cultural advantage, he says, because as a government-owned business it is used to the public – and press – spotlight.
“Many companies are [just] getting used to public scrutiny. [When] we do bill payments, we don’t keep people’s names; it’s privacy by design.”
Hulton says that An Post’s compliance issues are not really about the mail, per se, as they do not keep addresses, and that in the case of a letter the sender is the data controller.
“We’ve an insurance company as well, plus there’s state savings, social welfare and TV licensing, [these] are all things at retail where we’re data processing.”
Compliance is under way, he says, and is starting from a strong base, as An Post is already regulated.
“We’ve been working on GDPR for a good while [but] there’s always room for improvement and there’s an ongoing job of work. The biggest issue for us is the scale and breadth of the service we offer,” he said.
But what about companies that are not yet compliant? Or not even close to it?
Eye of the storm
“If you’re just starting the journey, well now is the eye of the storm,” said Pat Larkin, chief executive of Ward Solutions.
A completely new mindset is required, Larkin says, one that does not see the GDPR as a kind of business prevention regime, but that does take privacy seriously.
“You have to look on personal data as potentially toxic,” he said.
One way of making this into a positive, he says, is to carefully work through the data you have already collected: purging the useless and outdated.
“The quality of your marketing database is much more important than its size,” he said.
“It is [also] a very significant opportunity to demonstrate to customers that you take [privacy] seriously,” said Larkin.
Again, recent events echo down from the social media giants to the smallest of businesses.
“That can only be a good thing in light of everything going on around Facebook and with the number of breaches and government snooping,” he said.
Dominic Cullis, chief executive of the GDPR Academy, says that supply chain issues in particular add complexity and may result in a kind of ‘musical chairs’.
“Say I’m an organisation that is prepared and I used a supplier who hasn’t gone through due diligence: then I can’t continue to use that supplier. Had I been a supplier, then there’s an opportunity for me to win business,” he said.
“From the positive side, if you have gone through the process there is definitely an opportunity to use it in your market in gaining business. That’s one side; another is there are organisations with databases: one I know of had [a list of] prospects [composed] of 65,000 names and addresses. They now know that they had a problem.
“They’ve [now] condensed it to 5,000 prospects. They are now feeling positive about it because those 5,000 have given permission, the data is clean and up to date, and they’re not wasting time sending out information to people who weren’t interested. They will probably get more business from far less effort,” he said.
For Cullis, the lesson is clear: clean, compliant data is valuable data.
“Anybody who does go through it is going to have a leaner, better focussed business,” he said.
Paul C Dwyer, chief executive of Cyber Risk International and president of the International Cyber Threat Task Force, says that how businesses approach the GDPR will define how well they deal with it.
“GDPR is still really a baseline control. If you see it as an onerous task then that’s what it will be, but the clever people are investing in it,” he said.
Dwyer said he had in mind one company with a turnover of around €300 million: “They have a level of technical ability that is fine, but their risk management is like [that of] a start-up. They won’t recover from a breach,” he said.
“Those who do will survive and thrive.”
Dwyer makes the point that the GDPR is not only long overdue, but that it will, in all likelihood, become a moving target.
“Mark Zuckerberg was 12 or 13 years of age the last time [data protection law] was updated. It will be out of date within five years, with AI and so on, so it will keep happening,” he said.
As a result, privacy will itself become a business process, he says.
“On 25 May, 99.9% of companies will not be compliant,” he said.
For now, though, Dwyer is sanguine, and warns against falling for the bonanza being enjoyed by dubious GDPR compliance consultants – and the legal profession.
Fear and doubt
There is a lot of fear, uncertainty and doubt being circulated by vendors and suppliers in the cybersecurity and compliance space when discussing the perils of GDPR non-compliance, according to Shane Fuller, lead privacy advisor, MetaCompliance, and co-author of the official “GDPR for Dummies” guide. This is unfortunate, he says, as there are numerous business benefits and opportunities that can be leveraged by organisations by virtue of the requirement to be GDPR compliant.
“In working closely with organisations throughout their GDPR compliance journey, it has become evident very quickly that there are substantial operational efficiencies to be had. These efficiencies become quickly apparent once organisations start assessing their personal data processing activities and find that they have distributed business functions carrying out processes and procedures in vastly different ways for business processes which are essentially the same. Putting in place a common set of processes and procedures for these business processes results in not only reduced effort to remediate any GDPR related compliance gaps uncovered, but also significant ongoing operational cost savings,” said Fuller.
For those organisations willing to truly embrace the privacy entitlements of their customers and embed a supporting staff culture, there is a first mover advantage opportunity for them, Fuller argues.
“I believe there is little doubt that as more and more serious privacy breaches are exposed privacy will become a key decision criterion for customers. Companies who are at the forefront in terms of customer privacy as this societal change evolves stand to benefit greatly,” he said.
Dwyer is not prophesying doom: on 25 May Cyber Risk International is hosting a conference in Dublin with the provocative title ‘Cybergeddon’, looking at issues including the GDPR, but also Brexit, and other compliance factors.
“The NIS [network and information systems] directive is almost more important, and it comes into play on May 9,” he said.
It is not only individual businesses that can benefit from the GDPR, Dwyer says: given the combination of GDPR and Brexit, Ireland should have positioned itself as the natural home for data in the EU.
“It’s a huge opportunity for Ireland. We should be lining-up as a compliant nation. ‘Ireland Inc.’ is asleep at the wheel. I do think we’ve missed a massive opportunity,” he said.
Hitherto Ireland’s reputation has been as a country where people play fast and loose with data, certainly at least in comparison to Germany and Austria. Thus, as the GDPR’s harmonisation of EU data protection law changes everything, Ireland could reposition itself as a centre for data in the EU for other, more positive, reasons.
“There’s an opportunity for Ireland as a whole to step up, as it has done in so many other areas,” said Kevin O’Dowd, business development manager at audio-visual, print and imaging distribution firm Square One.
“We had a GDPR conference last week, and it was over-subscribed. There was huge interest in it. I also think, however, that there’s an awful lot of ambiguity out there.
“Resellers of ours brought their customers along, including smaller guys, and they were happy to get the information. There’s plenty out there if people are looking for it and are interested in it. The ‘ah, it’ll be grand’ days, thankfully, are over,” he said.
Echoing Larkin, Cullis and Dwyer, O’Dowd said that, at a minimum, the GDPR was driving a rethink of what data means to organisations.
“We presented it as an opportunity to sanitise their databases. A lot of our partners are owner-operated businesses that are sales and marketing focussed, so that’s very important. There was one company that has been in business for 30 years and we found that 60% of the information they had hadn’t been accessed in the last five years.
“A lot are looking upon it as an opportunity to do a database cleanse and use that to look at why customers who used to spend money are no longer doing so,” he said.
“They’re also looking at what people are doing with documents and putting in processes around workflow. Square One and our vendor Fujitsu have already been dealing with GDPR-like legislation through a software partner in Germany,” he said.
For data protection commissioner Helen Dixon, the key thing organisations need to know is that compliance is an ongoing process.
“We’ve seen attempts to characterise May 25, 2018 as Dec 31, 1999 all over again: [saying] ‘the GDPR is like the millennium bug, and [that] nothing much will happen.’ That’s completely wrong. We’re going to see individuals increasingly going to court. The other thing we’re going to see, over time, is peer pressure among industry sectors as they seek to negotiate and agree codes of conduct.
“I think there are going to be lots of drivers in delivering what GDPR is long overdue in demanding,” she said.