One year-on: Surprising benefits from GDPR
Sarah Armstrong Smith, Head of Continuity & Resilience at Fujitsu, examines the benefits businesses have seen from GDPR this year.
Earlier this month, GDPR helped Prince Harry win a legal battle with the paparazzi for infringing on his privacy. The EU data protection law might still be in its infancy, but it has already left a mark on how organisations across the public and private sector conduct business, as proved by this legal case.
Since last May, many organisations have undergone a “spring clean” to remove data for which they don’t have a legitimate and lawful reason for holding, and are rethinking their approach to how and why they collect and process personal data. These measures are aimed at improving the protection of individual rights and clarifying what companies must do to safeguard these rights. But 12 months on, I have noticed a couple of surprising benefits from GDPR – benefits that are now making an impact on the business/consumer relationship.
Good isn’t good enough anymore
The first thing I have noticed is an increase in improved data governance. Historically, some businesses may have taken a ‘tick-box’ approach to governance and compliance; however, organisations are now regarding this as a key business enabler.
Just having good data governance isn’t good enough anymore; organisations are starting to really think about how and why they collect data. Hoarding data for no legitimate reason raises a big question mark. This is a shift in perception, and we’re seeing more organisations taking decisive action.
Compared to five or six years ago, I’ve seen a real change in how companies use data: before, businesses were gathering all the data available with a view to how they could improve their business model by tracking and profiling customers to leverage this information, in the form of data analytics. Whilst they weren’t necessarily intending to mislead consumers, they were often using data for the wrong reasons and for financial gain. One year after GDPR came into force, businesses are considering the legitimacy of data holdings and taking steps to process this in a lawful way. It’s by no means perfect, but it’s positive to see that organisations are making a concerted effort to improve their data governance.
Fail to prepare, prepare to fail
Another aspect I have witnessed is an accentuated emphasis on the protection of data where only authorised and authenticated people have access to the data. This plays a pivotal role in preparing for and limiting the probability of cyber-attacks and data breaches.
By implementing additional layers of protection, companies are taking a step forward to achieving cyber resilience. Whilst the risk of human error is always going to be prevalent, restricting access to data to only those people within a company who need it will greatly reduce the risk of accidentally exposing personal data.
Many companies still have challenges with regard to the volume of unstructured and obsolete data – data that is potentially held in spreadsheets, laptops and various document repositories. By effectively locating, optimising and managing data, companies can also reduce storage and infrastructure costs. Data can be further protected by locking down systems, implementing access controls and monitoring whether a user is trying to circumvent a policy, either accidentally or deliberately, thereby taking real strides in enabling data loss prevention.
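To make the access-control and monitoring point concrete, here is a small added example (not Fujitsu’s or the author’s code) of a least-privilege check over categories of personal data, with an audit trail that flags a user whose denied attempts reach a threshold. The roles, users, data categories, the `EXPORT_ROLES` rule, the threshold of three denials and the sample events are all constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed role-to-data-category policy (least privilege: no role sees
# every category, and the right to export records is granted separately).
POLICY = {
    "hr_officer": {"employee_records"},
    "marketing": {"customer_contacts"},
    "support": {"customer_contacts", "support_tickets"},
}
EXPORT_ROLES = {"hr_officer"}   # assumed: only HR may bulk-export personal data
USERS = {"alice": "hr_officer", "bob": "marketing", "carol": "support"}
DENIAL_THRESHOLD = 3            # assumed: flag a user for review at 3 denials


@dataclass(frozen=True)
class AccessEvent:
    user: str
    category: str
    action: str  # "read" or "export"


def is_authorised(user: str, category: str, action: str) -> bool:
    """Allow only if the user's role covers the category; exports only for export roles."""
    role = USERS.get(user)
    if role is None or category not in POLICY.get(role, set()):
        return False
    if action == "export" and role not in EXPORT_ROLES:
        return False
    return True


def evaluate(events):
    """Apply the policy to each event, keep an audit trail, and flag repeat offenders."""
    allowed, denied, audit = [], [], []
    denials = Counter()
    for ev in events:
        ok = is_authorised(ev.user, ev.category, ev.action)
        verdict = "ALLOW" if ok else "DENY"
        audit.append(f"{verdict} user={ev.user} action={ev.action} category={ev.category}")
        (allowed if ok else denied).append(ev)
        if not ok:
            denials[ev.user] += 1
    # A user repeatedly hitting denials is either confused or probing the policy;
    # either way the events deserve a human look rather than silent logging.
    flagged = sorted(u for u, n in denials.items() if n >= DENIAL_THRESHOLD)
    return {"allowed": allowed, "denied": denied, "flagged": flagged, "audit": audit}


# Constructed sample events: one unknown account, one user who keeps reaching
# for records outside their role, and one attempted export without the right.
SAMPLE_EVENTS = [
    AccessEvent("alice", "employee_records", "read"),
    AccessEvent("bob", "customer_contacts", "read"),
    AccessEvent("bob", "employee_records", "read"),
    AccessEvent("bob", "customer_contacts", "export"),
    AccessEvent("bob", "employee_records", "read"),
    AccessEvent("carol", "support_tickets", "export"),
    AccessEvent("dave", "customer_contacts", "read"),
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_EVENTS)
    print("\n".join(result["audit"]))
    print("flag for review:", result["flagged"])
```

Running the block denies five of the seven constructed events and flags `bob`, who was refused three times. The design point is that the same check produces both the enforcement decision and the monitoring signal, so the audit trail is a by-product of least privilege rather than a separate system.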
Better safe than sorry
The question many of you might ask is: If more companies are now better prepared for cyber attacks, why have we seen an increase in breach notifications being reported to regulators in the last year?
With data breaches being in the media almost daily and cyber threats becoming a top risk for business leaders and C-suite executives, there has been an increase in reported breaches this year. Just this week the European Data Protection Board reported that over 144,000 queries and complaints and over 89,000 data breaches have been logged by the EEA Supervisory Authorities, 37% of which are ongoing.
In the first 3 months after the GDPR came into force, the UK Information Commissioner’s Office (ICO) revealed that it received 500 reports per week.
But these numbers may look worse than they are, because data controllers have 72 hours after becoming aware of a breach to report it. The impact of a breach may also be reduced because, in most cases, organisations are reacting to and containing breaches much quicker. Equally, many companies are becoming more savvy about cyber security, which reduces the cost of remediation.
In GDPR we trust
To this day, the most positive outcome from the implementation of GDPR is increased protection of individual rights and enabling trust. Just as mistrust and the misuse of data brought GDPR to the forefront, its implementation, and the process that every organisation went through leading up to May 2018, helped to create a relationship of trust between consumers, businesses and regulators.
Having this transparency and understanding how data is being used, and even how algorithms are applied, has not only improved security but also brought to the forefront questions around morality and ethics.
From a business perspective, firms need to provide proof they are doing the right thing – not just say they are. Trust is something very hard to gain and very easy to lose. This is prompting organisations to start from a place of trust and stay there, and that’s why the GDPR has had such a positive impact and delivered surprising benefits.