With GDPR so close to its D Day of May 25 there are companies all over Europe stressing about the potential fines for non-compliance and being taken in by the scare stories of what will happen if they suffer a data breach in future. But there is growing evidence in the UK that businesses may be focusing on entirely the wrong issue.
The new fines which will apply once GDPR is adopted have been well publicised – and that’s not surprising given that they could be as much as 4 per cent of global turnover or 20m Euros, whichever is the greater.
The sheer size of those figures has been manna from heaven for press and media, leading to some frightening headlines – and to senior management at businesses across all sectors feeling understandably nervous.
Rather than dwelling on the financial impact, however, businesses should be thinking about something far more valuable: their reputation.
We are entering a new data era in which the public will have far greater expectations over the way their personal data is handled – and enjoy far more rights to ask for it to be edited, deleted or ported.
With those rights comes a greater awareness and greater interest, too, in what happens to personal data when it is given to a business, how it is looked after and how it is protected.
It means that in future customers will only give their data to businesses which they trust to look after it, companies whose reputations are intact and who are not beset by problems with data breaches.
When you start to think of it that way then the fines are the least of a company’s problems – their entire reputation, and therefore their entire business, may depend on the quality of their information management and data protection.
Crown Records Management has just commissioned a survey of the UK public’s views on GDPR and some of the most insightful results came when we asked about how data subjects viewed a company's reputation after a data breach.
Many believed that a company’s reputation could be damaged for up to two years by a breach and huge numbers said that not only would they stop providing data to those companies but they would also withdraw their custom.
This comes at a time, of course, when data breaches are big news. There were some high-profile cases last year – at huge companies such as Wonga, Three and Uber – and it looks like the damage those kinds of breaches do in future could be magnified by GDPR.
Certainly the survey, of more than 2,000 UK citizens, revealed that attitudes towards data breaches are hardening – with customers refusing to put up with them.
The top results included:
78 per cent said they would either definitely or probably withdraw their custom from a company which suffered a data breach.
Those aged 25-34 were most certain – 35 per cent said they would definitely withdraw their custom and 45 per cent said ‘probably’.
48 per cent of directors said they would definitely withdraw their custom.
When it comes to reputation, the scenario is just as concerning for UK business, if not more so.
When given a range from ‘less than a day’ to ‘more than two years’ to choose from, the public was clear that a company’s reputation could be damaged long term.
The results included:
A third, 33 per cent, said a company’s reputation could be damaged for up to two years.
Older people were even more certain – 39 per cent of over 55s believed a company’s reputation could be damaged for up to two years.
Those working in manufacturing and utilities were certain too – 44 per cent said up to two years – the highest across any profession.
Only 13 per cent said a company’s reputation would not be damaged by a breach.
So, while all the talk in the build up to GDPR has focused on the huge fines, and of course they are significant, these results suggest avoiding data breaches is just as much about protecting reputation and maintaining public confidence.
So, what is the next step?
Well, rather than seeing the negatives from these results – and panicking about financial punishment – businesses should be thinking that there are big opportunities out there for companies which look after data in the right way and have the right information management and data protection processes in place.
Those who prepare well for GDPR and embrace its principles could be at an advantage in a market which is changing rapidly.
Increasingly we are in a world where the public will choose who to give their data to, and who to give their custom to, based on how much they trust the business to look after that data. These survey results just show how important it is to get it right.