GDPR is – or should be – a big issue for most organizations in the UK. More stringent privacy requirements combined with greatly increased fines (up to €20 million, or 4% of worldwide annual turnover if that is higher) mean that it should be carefully considered at Board level. But it frequently isn’t.
Research from Symantec late last year indicated that only 22% of European businesses regard compliance with GDPR as a priority, while over 90% have misgivings about their ability to comply.
Consumers need to know
That’s business. What about consumers? New research from Netskope, a cloud security company, has found that, with less than 18 months until the GDPR comes into effect, almost two thirds of British adults (63%) have never heard of it. But does that matter to the average man or woman on the street?
It should do. The GDPR substantially increases our privacy rights as consumers. We can expect to be told more clearly how our data will be used, and to be given more, and clearer, opportunities to withhold our consent.
In addition, it should be easier for us to obtain our data in a “portable” form so that we can (if we want to) pass it on to other organisations; easier to check what is being held about us and whether it is accurate, and to demand corrections or even deletion (the so-called “right to be forgotten”); and easier to object to direct marketing.
We also have a new right to claim compensation for “non-material” damage in the case of a breach. In other words, if personal data rather than credit card data is stolen, businesses can’t worm out of their responsibilities by saying that “no direct financial damage occurred as a result of the breach”. Given the use that criminals can make of personal data (identity fraud and targeted phishing, for a start), this is a major rebalancing of justice towards the consumer.
Very useful rights. And so it is important that people know about them.
Employees also need to know
But does this ignorance of GDPR and its implications matter for business? It most certainly does. Businesses are made up of the people who work for them. And many of those people will have responsibilities that put them in regular contact with the personal data of consumers.
Obviously anyone working in IT or finance in an organisation that sells to consumers is likely to come into contact with consumer data on a regular basis. So will people who work in marketing, sales and logistics. That is quite a few employees. And if they have never heard of GDPR, or if they think the fines for non-compliance are negligible, they are unlikely to take compliance seriously. (Some 20% of Netskope’s survey respondents thought the maximum fine would be under €1,000 – underestimating the sum by a factor of 20,000 – which doesn’t augur well for their chances of staying on the right side of this regulation.)
Unfortunately, just three in ten British workers have been informed about the regulation by their employers, leaving plenty of workers open to making what could be very expensive mistakes.
The problem with clouds
Using cloud computing service providers to store data can cause particular problems for personal data storage. Where is it stored? (GDPR has rules about this, including restrictions on transferring personal data outside the EU.) Where are the back-ups stored? (Ditto.) And who can get access to it – including the provider’s own staff and any sub-contractors it uses?
The problem is that the majority of cloud services are still not GDPR ready: 66 per cent of all cloud services have been judged to fall short of the standards required under the GDPR, meaning that they lack the data residency and security controls needed for compliance. This is a major and enduring risk for any organisation that uses the cloud.
And most do, whether through formally procured services (contracted by procurement professionals who may well be in total ignorance of GDPR requirements) or through cloud services such as Gmail and Dropbox that are accessed informally by individuals and teams of employees who are equally ignorant of the privacy requirements.
If these cloud services prove insecure (and according to Netskope, around 40% do not allow users to administer their own passwords), then it is only a matter of time before a breach happens, and those most unpleasant GDPR fines are imposed.
GDPR is significant for business and helpful for consumers. But far more education, by Government and by employers, is needed to ensure that people understand the privacy rights that they have, as well as the responsibilities they have to protect the privacy of others.