For anyone doing business with clients in the UK, the General Data Protection Regulation (GDPR) seems to be a looming minefield where companies have to jump through hoops just to be compliant.
And yet, it is a reality that the industry needs to come to terms with. No one can escape this juggernaut.
What will the implications of the GDPR be? I recently read an article on enterpriseinnovation.net which discussed it in all its complicated glory.
The day of doom?
The article points out that on 25 May 2018, the GDPR comes into effect in the EU and around the world, regulating how businesses should handle personal data. The regulation will affect businesses of all sizes including those in Asia, due to their extra-territorial reach.
Probably the world’s most expansive data privacy law, the article adds that the GDPR requires any business that processes the personal data of European residents to comply with the new law.
There are no exceptions for businesses worldwide who sell products or offer services to the European market. Non-compliance can result in fines up to €20 million or 4% of annual worldwide turnover, whichever is higher.
The article points out that despite the deadline drawing closer, global research from Veritas revealed that there is little trust consumers have in businesses to safeguard their personal data. With more and more companies suffering data breaches and hackers seemingly one step ahead, almost 38% of consumers believe most businesses do not know how to protect their consumer data.
Veritas’ research showed that consumers vow to take bold steps in penalizing companies that don’t safeguard their data, while rewarding those that do:
- 62% of consumers would stop buying from a business that fails to protect their data;
- 48% of respondents say they would abandon their loyalty to a particular brand and consider turning to a competitor;
- 81% would tell their friends and family to boycott the organization; and
- 74% claim they would even go so far as to report the business to regulators.
The article adds that in Veritas’ study, more than half of the organizations (56%) in Singapore are concerned that they will not be able to meet GDPR requirements. Given the long arm of GDPR with its extraterritorial scope, internationally based UK business partners may be more exposed than they think.
According to the third biennial EY Global Forensic Data Analytics Survey by Ernst & Young (EY), only 12% of firms in Asia Pacific – and 10% of Singapore companies – have a GDPR compliance plan in place, far below the global average of 33%.
Who’s in charge?
The article points out that the impending implementation deadline raises the question: who really controls your data?
“With data being used widely from personalized advertising to loyalty reward programs by retailers for consumers, businesses will need to rethink the way they manage and protect personal data in order to comply with the GDPR,” said Robin Schmitt, general manager for APAC at Neustar, who spoke to enterpriseinnovation.net.
The enterpriseinnovation.net article added that many consumers are closely scrutinizing businesses and holding them accountable for the protection of their personal data. If not, organizations could potentially lose 59% of consumers wanting to spend more with a company whom they trust to look after their data, said Veritas.
“According to the latest 2018 Veritas Data Privacy Consumer Study, consumers are demanding more transparency and accountability from businesses,” observed Sheena Chin, country director for Veritas Singapore who also spoke to enterpriseinnovation.net.
“The research reveals that consumers have little trust in organizations to safeguard their personal data, with almost two in five (38% of respondents globally) believing most businesses don’t know how to protect their personal data. This comes as no surprise as trust in businesses have been diminished by the recent data breaches where companies have shown a lack of understanding of how the personal data collected have been used or shared.”
While the reality is that most companies will not be fully compliant by 25 May, we should still start taking steps in the right direction today, business software company Sage advised.
Change old habits
The article points out that Sage warns that even things we do every day without a second thought will be affected by the GDPR. With the regulation’s complexity, organizations need to be more careful about handling data in various contexts.
According to Sage, some examples of activities we should reconsider, as these simple tasks may lead to difficult outcomes, include:
Sending office greeting cards
The article added that businesses that send greeting cards, such as Christmas cards, to customers in Europe should hold their horses.
If you do not have express consent to contact each customer, mailing to home addresses – considered personal data – may not be legitimate under the GDPR. E-cards will have to suffice.
Forwarding a candidate’s resume for a second opinion
The article points out that Candidates’ resumes are considered personal data, and thus protected under the GDPR.
The enterpriseinnovation.net article adds that instead of forwarding them as is, anonymise them by removing names, addresses, phone numbers and any other personally identifiable information. This is also becoming a growing trend among businesses as a part of an approach to remove gender and race bias in recruitment.
Asking users to tick the box to join a mailing list
The article asked whether companies registration forms on their website have pre-ticked boxes for customers to receive marketing information?
You might want to rethink that. Under the GDPR, silence and inactivity will no longer suffice as consent. Privacy policies should also be revised, because businesses’ requests for consent to use personal information must be intelligible and in clear, plain language.
Aside from day-to-day activities, the GDPR also makes it a business imperative for all organizations to demonstrate compliance with its data processing principles.
The article adds that, additionally, data breach management under the GDPR now makes disclosure the top priority. Personal data that is accidentally or unlawfully lost, destroyed, altered or damaged, must be reported to regulatory authorities within three days. All individuals impacted must also be informed if the breach is high risk and likely to lead to financial loss, identity theft or fraud.
Simple steps to take
“While this will be a limiting factor in the use of consumer data, having a bulletproof cybersecurity strategy creates a prime opportunity for businesses to build better customer relationships, streamline IT and improve data management,” Schmitt told enterprise innovation.net.
He added that, for a start, businesses need to ensure that all sensitive data is stored responsibly and securely in inventories that are regularly reviewed and updated.
A crucial yet often overlooked point, he believes, is having the visibility of where multiple backup copies reside, to avoid being rendered as non-compliant when customer data is required to be erased.
“A Data Protection Officer (DPO) should also be appointed to articulate the lawful basis for any personal data processing, identify and mitigate associated privacy risks to ensure alignment with GDPR requirements,” said Schmitt. “This can be outsourced depending on the business’s IT requirements. Lastly, existing privacy and security training needs to be enhanced to address GDPR-specific pain points. That along with robust technologies that safeguard critical information infrastructures, should be conducted in tandem to detect and alleviate the impact of breaches when they occur.”
Better late than never
“Bad news makes good headlines and it is better late than never to be concerned with GDPR,” Chin told enterpriseinnovation.net, “penalties aside, there are benefits in achieving GDPR compliance, as consumers also intend to reward companies that are properly protecting their data, with three in five respondents saying that they would spend more money with organizations they trust to look after their data.”
The article added that, to build a stronger trust with their consumers, businesses need to demonstrate that they are trusted custodians of data.
“This means that businesses should have the right data management capabilities in place – so that they know what data they hold, where data is being held, who has access to it, and how to take action to safeguard the data. At the organizational level, businesses can drive behavioral changes through rewards, penalties and contracts to help employees comply with data privacy regulations, be it GDPR or PDPA in Singapore. Improving data hygiene will help to drive trust and strengthen the businesses’ brand reputation or relationships with their consumers,” Chin told enterpriseinnovation.net.
The article adds that the GDPR has long arms and will surely affect businesses in Asia, one way or another. With its stiff penalties, it’s easy to feel paralyzed by the GDPR’s heavy impact.
But rather than fearing the regulation, businesses should take the GDPR as an opportunity to demonstrate a commitment to customers’ data privacy.
“This is not to say that GDPR compliance is a grim tale – but it does require a thoughtful review and refinement of data policies to ensure compliance of the stronger data protection framework in an increasingly global conversation,” Schmitt told enterpriseinnovation.net.
Lamenting over the immensity of the task that lies ahead will not make the task easier. It is time for use to hold our tongues and make sure that we are compliant.