One year on: Three common misconceptions UK businesses still have about the GDPR
Jean-Michel Franco, Senior Director of Data Governance Products at Talend, examines the top misconceptions UK businesses still have about GDPR.
25th of May marked the one-year anniversary of the European Union’s (EU) General Data Protection Regulation (GDPR) coming into full effect.
This milestone serves as a timely reminder for UK businesses on the implications of failing to protect data and the procedures needed to prevent this from happening.
Here are the three common misconceptions that UK businesses – big and small – still have about the GDPR:
1) Data Subject Access Rights is many companies’ Achilles’ heel
With GDPR violations now attracting large fines, you might think UK businesses would be bending over backwards to ensure compliance, but this isn’t always the case.
Most businesses have improved accountability by appointing a Data Protection Officer. They have devised (or refreshed) a legal framework for data privacy, improved their lines of defence against data breaches and even managed identity and access more rigorously. And yet, our recent research reveals that mistakes are still being made under the GDPR: 74% of UK organisations are failing to respond to consumers’ personal data requests within the required one-month time period.
The fact is, despite what the media headlines might suggest, Data Subject Access Rights is not just the Achilles’ heel of tech companies like Google. Our research also revealed that, of those asked, a mere 17% of UK organisations were compliant with Data Subject Access Rights, with the final 9% of UK organisations split between delayed or incomplete responses.
Despite it being very easy for consumers to request their data now, most businesses still struggle to provide it within the time demanded of them. One thing is certain: if regulators put a focus on enforcing breaches in this area, then many more companies could be held accountable over the next twelve months for failing on Data Subject Access Rights.
2) Data privacy or protection is not the same as cybersecurity
When most UK businesses hear the phrase ‘data privacy’ or ‘data protection’ they immediately think ‘cybersecurity threat’. This is a broad misconception. Rather than putting the correct processes and IT systems in place to respond to data privacy issues like data access requests, they look at building stricter security systems.
Evidenced by the Google fine together with the class action on streaming services, organisations must begin to realise that cybersecurity is only one aspect of GDPR compliance. In fact, the biggest fine to date has been imposed for a violation of data consent, while the largest class actions currently being heard by regulators are focusing on data subject access requests. Instead, the GDPR has presented organisations with an opportunity to re-think the current relationship between business processes, data transparency and customer privacy needs.
3) The GDPR is more than a legal requirement between customer and business
Over the past twelve months, UK businesses have been busy asking themselves if they comply with the GDPR. However, when faced with this question, most have taken a defensive approach, considering only legal and security implications on the business. Herein lies another misconception – the view that the GDPR is nothing more than an issue of legality.
The GDPR is a contract between the organisation and its customers, detailing how the business plans to store, process and protect customers’ personal data. For every contract, there is a legal dimension, but the scope is much broader than that of the GDPR. It is also about building better customer relationships and experiences through trust. This is a vital distinction because trust is a pivotal commodity for businesses today. If you do not have a contract that your customers like or trust, customers will begin to withhold their data or abandon companies altogether.
GDPR breaches and the publicity they have attracted have done a lot to damage consumer trust in recent months. The organisations which succeed will be those which are willing to put consumer privacy concerns at the heart of the business and to prioritise the customer experience – for example, establishing privacy portals where their customers can access their data and give their consent for the personalised services they find valuable.
Going beyond 2019, with the European future of the UK still uncertain, and as we experience an explosion in data volumes, ensuring businesses take control of data is fundamental to their success. As autonomous decisions enter the mainstream powered by AI and machine learning, there will be an ever-increasing focus on enterprise accountability.
Regulation is always a minimum standard, so companies must aim to comply and then go beyond the GDPR. With all data, organisations should act as stewards to make sure data is used, stored and shared in a way that does not lead to the misuse of data by unauthorised third parties, and in doing so they will win more trust in their own data – and from their customers.