Peter Johnson, Cyber Leader for Marsh UK
Peter Johnson is the Cyber leader for Marsh UK.
The challenges faced by organizations as a result of the European Union General Data Protection Regulation (GDPR) are substantial. While many of the headlines to date have focused on the potentially sizeable penalties and compliance issues, little attention has been given to the opportunities the GDPR presents for proactive organizations. Key among those are enhancing their data security capabilities, developing a deeper relationship with customers and growing their business.
The GDPR, which represents the most significant change to data protection law in Europe in 20 years, is scheduled to take effect on May 25, 2018. New data protection legislation is certainly overdue. European Directive 95/46/EC, from which the current Data Protection Act 1998 (DPA) derives and which the GDPR replaces, preceded both the internet boom and the birth of social media.
Nowadays, we hear near-daily announcements of new ways that technologies are changing lives and business strategies. Along with that come numerous cyber attacks aimed at disrupting business and stealing private information or holding it for ransom. It’s no surprise, then, that a recent survey from software firm SAS found that 62 percent of United Kingdom respondents welcomed the GDPR provision for the right to erase personal data from certain systems, or that about half of Americans feel their data is less secure than it was five years ago, according to the Pew Research Center.
Data privacy and the right of individuals to choose and control how their data is used and accessed have not kept pace with technological advancements and the digital economy. Along with a loss in consumer trust regarding organizations’ use of personal data, an impact can be seen on profitability as the number of consumers using ad-blocking software continues to increase.
Some organizations will consider compliance with the GDPR a costly and disruptive undertaking. On the other hand, forward-thinking organizations will see it in a different light. They will embrace the challenge to develop their technology and their information management and cybersecurity systems. For too long, many organizations have captured swathes of data without proper protocols surrounding its processing, storage and sharing. Many have lacked an understanding of data’s relevance and value to their business, or of consumer preferences on how it is used.
The GDPR and its requirements should help to reduce the staggering cost of cybercrime to the global economy, where estimates range from hundreds of billions to trillions of dollars. Organizations that embrace the GDPR are likely to take steps that enhance cybersecurity and therefore reduce the potential for data loss, operational disruption, physical damage and reputational and brand damage.
Organizations’ levels of understanding around cyber risk continue to increase, due in part to continued high-profile cyber incidents, including the recent WannaCry and Petya ransomware attacks. There is still a long way to go for many in order to map and quantify their cyber exposure and establish the cultural change required throughout their organizations.
Under the GDPR, some organizations will face an additional requirement to appoint a Data Protection Officer (DPO) whose role will be to independently supervise compliance with the GDPR and advise staff who deal with personal data. It is hoped that the requirement that DPOs report into the highest management level of their companies will help promote a cyber-risk culture and may even improve board-level ownership of cyber risk within these organizations.
The GDPR can repair the breakdown in trust between consumers and organizations in terms of personal data security.
The GDPR aims to provide EU citizens with greater control over the use of their personal data. Some organizations, no doubt, worry about how that will manifest and the potential for consumers to deny them access. As pointed out in a recent study by Lippincott, consumers are increasingly willing to give that consent to companies they trust and with which they want to develop a meaningful relationship.
The customer of the future “expects everything to be precisely tailored to her, especially with all of the data she gives up,” Lippincott notes, adding: “Be transparent. … [The consumer’s] trust goes to crowd-verified, fully transparent products and processes, so open up your customer experience for full accountability. Ground your trust in transparency, not authority.”
Central to this transparency is consent, and there are challenges: The threshold for consent under the GDPR is higher than under existing legislation. To meet the new requirements, consent needs to be freely given, specific, informed and unambiguous.
Businesses must be able to demonstrate these elements when relying on consent for processing. Special categories of personal data, such as health information, will require explicit consent. When an organization relies on consent to process an individual’s personal data, the individual will have the right to withdraw that consent at any time.
They will also have the right to obtain and port their personal data for their own purposes across different service providers (“data portability”), as well as an enhanced right of erasure (the “right to be forgotten”), should they wish to do so.
Consent must be a positive indication of agreement that personal data can be used in the specific manner and for the specific purposes set out by the controller. A pre-ticked box will not be valid consent. Consent requires engagement, and engagement enables businesses to better understand the needs and desires of their customers and develop a relationship based on trust and transparency.
Overall, the GDPR will provide an impetus to improve data security and controls around the use of personal information. In turn, it presents an opportunity for organizations to better understand their data and how it may be used to add value to their business. Most importantly, it is hoped that the actions required of organizations to comply with the GDPR will go a long way toward helping to repair the recent breakdown in trust between consumers and organizations in terms of how personal data is used.
This can only be done if companies move away from viewing the GDPR as a compliance-driven tick-box exercise and embrace it as an opportunity, a means to improve data management strategies in such a way that drives their business forward.