One year on, what has been the impact of GDPR?
We ask the experts
The story so far
Julia Seary, partner at Roythornes Solicitors, looks at what we’ve learnt in the first 12 months of GDPR
This time last year, GDPR was the hot topic of conversation as its introduction promised to impact nearly every organisation across Europe.
The regulation was introduced to strengthen personal data privacy laws in light of technological advancements and to put all European organisations on an equal footing in terms of compliance requirements. In a heavily data-driven world, GDPR was an attempt to update the law in response to the volume, variety and speed of personal data production and its global circulation.
Now that the dust has settled, we can begin to look at how the regulation is working in practice.
Overall, it appears that significant enforcement activity is minimal, but that’s not to say investigations aren’t taking place behind the scenes. There have been more than 50,000 data breach notifications across Europe since GDPR came into force and, here in the UK, the Information Commissioner’s Office (ICO) has received more than 8,000 notifications of data breaches since the end of May 2018.
The largest GDPR fine issued to date has been the €50 million against Google by the French data privacy regulator for lack of transparency, inadequate information and lack of valid consent in relation to its use of personal data for the purposes of personalising advertisements.
Remember that a maximum fine of up to €20 million or 4% of annual worldwide turnover – whichever is greater – can be imposed on businesses that do not conform with the updated regulation.
The use of data subject rights is becoming another business issue; GDPR grants individuals more extensive rights regarding their personal data which has generated a culture of individuals making repeated and extensive subject access requests (e.g. requesting emails going back many years), often simply to cause annoyance, waste time and incur costs for the data controller.
Immediately after 25 May 2018, there was a surge in erasure requests as individuals sought to clean up their online privacy and security. This seems to have slowed down in recent months, perhaps due to the realisation that the right to request erasure is subject to business requirements, rather than an absolute right to have all information deleted.
Finally, the last emerging data protection trend and a potentially concerning development is the increase in class action-style litigation and so-called ‘data protection ambulance chasers’. Some claimant law firms are attempting to generate business off the back of data breaches – even if the breach gives rise to little risk of damage.
In order to avoid business impact and interruption, our advice continues to be for organisations to review and update data privacy documents; implement GDPR training; and assess all data flow and transfers. We also recommend reviewing contracts with third parties and putting a process in place to deal with DSARs, other requests and potential breach scenarios.
Mark Thompson, Global Privacy Lead at KPMG, looks at how enterprises’ approach to GDPR is likely to evolve over the next 12 months
Over the next year, we anticipate that organisations are going to go into ‘phase two’, where they’ll look to make privacy processes more efficient and operationally effective and leverage technology to put the customer at the heart of how they approach privacy. If done right, this will enable organisations to leverage personal information to deliver great products and services, create value and gain a competitive edge.
In the meantime, there are still many challenges. Companies often find it hard to understand what the consumer expects in terms of data protection and to get the balance right. A further challenge is the ambiguity around how GDPR principles are interpreted. Some organisations are very risk averse, while others interpret the requirements a lot more broadly. We will have more clarity on the regulatory ‘grey areas’ when we start seeing case law and enforcement actions being issued in the next few months.
In addition, there is a significant lack of technology to support GDPR – privacy tech is limited in the marketplace and most of the available technology is being delivered by startups. There hasn’t yet been a solution, or a group of solutions, that can be easily bolted onto an existing technology infrastructure. This remains a challenge for companies looking to implement long-term change.
GDPR and software governance
Ilkka Turunen, Global Director Solutions Architecture at software governance and automation experts Sonatype, considers the impact of GDPR on software design
There has been a marked increase in dedicated software security programmes to comply with GDPR’s ‘security by design’ clause. This may have been driven by fear of early sanctioning, but any programme that makes software engineering more secure can only be a good thing.
Alongside this, we are now seeing software security being discussed at board-level, whereas before it was treated as an exercise in compliance. Security is no longer seen as a ‘nice to have’, but a business-critical asset.
GDPR has spurred legislators into action elsewhere. Across the US, France and the UK, we’ve seen 19 government bodies calling for better software governance. Recent knock-on effects include IoT software supply chain legislation in France and proposals to regulate IoT device security. This demonstrates a remarkable shift in outlook towards device and software security.
GDPR and CRM
Piergiorgio Vittori, Global Development Director at Spitch, a leader in AI-fuelled spoken language technology, points out the need to secure voice-driven communications
Since GDPR came into effect, businesses have had to change processes to ensure their compliance with new regulations. Yet, voice-driven customer services remain an ‘elephant in the room’ for many businesses, exposing them to business risks.
Whenever a customer calls a business, large quantities of personal data are collected. We willingly share credit card details in order to secure a restaurant booking. We discuss our health to reschedule a doctor’s appointment. We still provide responses to Know Your Customer (KYC) questions to prove our identity before accessing telephone banking. However, we don’t know how this information is being stored and used. Under GDPR, consumers have the right to know and businesses are responsible for ensuring that all personal customer information is protected.
This is where voice intelligence technology comes in. Powered by AI, it allows sensitive information, such as credit card details, to be collected securely and instantly verified outside of the main agent-customer conversation. Voice-to-text solutions, for example, can immediately take a phone call and convert it into an easily searchable digital form, with personal customer information blacked out via a process of data redaction, giving businesses an extra layer of protection in case of any hacks or data leaks. Perhaps, most importantly, speech analytics can be used to demonstrate compliance with GDPR, a crucial aspect of the regulation.
Demand for voice-led customer service is only going to grow. If UK businesses want to remain GDPR compliant, while enabling growth and improving customer experience, they must focus on securing their voice-driven communications.
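The redaction step described above (blacking out personal data such as card numbers in a call transcript before it is stored or indexed) can be illustrated with a small added example. This is not Spitch’s code or any product’s implementation; it assumes a plain-text transcript produced by a voice-to-text step and uses a constructed sample call. The Luhn check is included so that arbitrary digit runs (booking references, ticket numbers) are not wrongly redacted, which keeps the searchable transcript useful while removing the data that would matter in a leak.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
# This is deliberately broad; the Luhn check below filters out non-card digit runs.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Payment card numbers are Luhn-valid, so this cuts false positives on
    other long numbers (order ids, case references) that would otherwise
    be masked and make the transcript less useful."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_card_numbers(text: str):
    """Mask Luhn-valid card numbers, keeping only the last four digits.

    Returns (redacted_text, number_of_redactions) so a caller can log how
    much personal data was removed without logging the data itself."""
    count = 0

    def _mask(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # not a card number; leave it in place
        count += 1
        return f"[CARD-REDACTED ****{digits[-4:]}]"

    return CARD_CANDIDATE.sub(_mask, text), count


# Constructed sample transcript (hypothetical call, not real data).
# 4111 1111 1111 1111 is a well-known Luhn-valid test card number;
# 1234567890123 is a 13-digit reference that does NOT pass Luhn.
SAMPLE_TRANSCRIPT = """Agent: Thanks for calling. Can I take the card number for the booking?
Customer: Sure, it's 4111 1111 1111 1111, expiry 09/26.
Agent: Got it. Your booking reference is 1234567890123.
"""

if __name__ == "__main__":
    redacted, n = redact_card_numbers(SAMPLE_TRANSCRIPT)
    print(redacted)
    print(f"{n} card number(s) redacted")
```

Run on the sample, the card number is replaced with `[CARD-REDACTED ****1111]` while the booking reference is left intact. In a real pipeline the redaction would run before the transcript reaches any search index or long-term store, and only the redaction count (never the matched value) would be written to logs.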
GDPR and data hygiene
Rainer Rehm, Data Privacy Officer EMEA at security as a service company Zscaler, looks at the impact of GDPR on data hygiene
In GDPR’s first year, the regulation has introduced greater data hygiene into enterprises. Organisations have been forced to take a more proactive approach to protecting and managing the data of European citizens. In order to do this, they have had to ensure they have insight into the various data pools, often kept in different departments, and identify whether permission to use personally identifiable information (PII) has been obtained.
In many cases companies have overreacted and deleted entire data pools that did not meet the requirement of double opt-in consent, often due to a lack of understanding of how to treat the data pools correctly. Huge waves of last-minute consent collection initiatives were started to gain contacts’ permissions. In many cases, these did not have the desired effect and led to databases being reduced considerably.
Companies have had to put in place technology that helps them control and protect digital assets and reconcile the disjointed conversations between departments to produce the shared insight necessary to update an organisation’s security posture. Processes are now in place to manage the data more effectively, as companies have gained a better understanding of where they store PII and who has access to this – necessary to be able to comply with reporting requirements in case of data loss. Staff have gained a better level of understanding about the protection goals and measurements and we can expect future data collection to be based on the privacy by design concept. Implemented processes build the foundation to be able to report data losses.
While GDPR has introduced greater data hygiene, it has also increased bureaucracy. A host of templates and forms have emerged to keep track of processes and prove compliance for the whole data management/processing supply chain. So far, there is no standardisation in place to simplify these processes with unified templates, but pending certification processes based on article 42 of GDPR will introduce a voluntary process to assist in demonstrating compliance.