Ensighten: Where are businesses one year after GDPR?
Last May, businesses across Europe were scrambling to join the seemingly elite club of GDPR-compliant organisations. They had their work cut out, rushing to organise data collection policies as well as categorising and digitally filing years’ worth of customer data into compliant and secure structures. Businesses’ operations hadn’t been so drastically shaken up since the Data Privacy Act 1998.
The big difference now is that businesses and consumers are much more aware of the value of data and how to extrapolate it for optimal gain. The transition caused by GDPR in 2018 has meant that businesses have to think about their data handling from the ground up. In the past year, we have seen this new motive take control.
There have been plenty of trials and tribulations since the European Union regulation came into effect. What have businesses learnt? How did they tick the compliance box for data collection and processing? How have data protection authorities such as the Information Commissioner's Office acted to punish and deter malpractice? Lastly, what can we expect in the year ahead?
Many businesses have taken action
In Q2 of 2018/19, the ICO reported that “disclosure of data” was the most reported data security incident for the majority of sectors, totalling 4,056 incidents. Big business fines hit the headlines soon after GDPR came into effect. For example, BUPA Insurance Services was fined £175,000 for “failing to have effective security measures in place to protect customers’ personal information”.
One of the biggest fines of the year went to Facebook at $1.6bn for breaching the data of nearly 50 million users. But it’s not just about the financial implications - consumer trust is suffering too. The Global Consumer Pulse report by Accenture Strategy discovered that a lack of consumer trust is costing global brands $2.5trn per year - suggesting this is the real catalyst for businesses taking action.
Brands and the wider advertising industry banded together to address GDPR. The World Federation of Advertisers drafted a manifesto, displaying a united front to make a difference to consumer data experiences. Apple, WhatsApp and Facebook made moves to clean up their act with more transparent and coherent privacy communications.
Accountability is key for businesses to progress
Organisations have made efforts to develop a more robust approach to data privacy and to put data privacy, and an understanding of it, at the heart of their employees’ work. Employees are led to understand how data is used within the company. Everyone is accountable for how the organisation collects, processes and distributes personal information. This means dispelling any taboos about how data is compiled and handled, its secrecy and, in some cases, malpractice.
Businesses are clearly taking action, becoming more accountable for their data practices and communicating more clearly. For example, Apple introduced a tracking prevention system for Safari called Intelligent Tracking Prevention 2 in September 2018. ITP 2.0 blocks all tracking cookies unless they use a subdomain of the site’s primary domain. Apple also implemented a new consent system for cookie tracking, establishing that control and transparency are key components in nurturing customer trust. This leadership, from a significant tech company, laid down a clear statement to other organisations.
Going forward, businesses must be more focused on being transparent as well as secure for their customers - starting with their websites. Otherwise, they risk losing customers’ trust and loyalty.
Data governance is a driving force
Implementing a more precise and transparent data governance approach has become critical in light of GDPR. Staying on the right side of the law and maintaining customer trust are both essential. While compliance and data privacy continue to be top priorities, data governance is the method that ensures and regulates their importance and impetus. This is especially so now that businesses have governance frameworks that go further than simple compliance. Websites that collect and process data must comply or risk losing the customer bases they’ve built.
Governance frameworks are helping businesses to implement new processes in a manner that ensures they can be upheld. They are enabling organisations to examine their security and privacy protocols more deeply - ultimately improving their practices and making sure all their stakeholders better understand them. As more and more companies implement improved frameworks, customers’ data should become even more secure and, at the very least, better understood by arguably their most important audience.
So, in many ways, one could argue GDPR has been effective, although troublesome for business. The rest of the world seems to think so and is watching closely after the Cambridge Analytica scandal. In the US, California, which has often led the way on innovative privacy regulation, passed the California Consumer Privacy Act (CCPA) in June 2018. It was conceived and born in record time - two days - and will come into effect on January 1st 2020.
Whilst many things have changed over the past year and the data privacy landscape has improved as a result of GDPR, businesses are still at risk of exposing customer data.
In order for businesses to take the next step, more focus must be placed on protecting customers to prevent negative long-term implications that stretch beyond ICO fines and GDPR. In its first year, has GDPR set good foundations for improved data protection and governance?
Hackers will always look to exploit customers’ data - we are in a constant battle to improve and protect against new hackers and evolving threats. We see this every day in our website security proposition.
Despite this ever-present threat, GDPR has signalled a new defence principle. Yet businesses need to stay alert, present and consistent in protecting their customers above and beyond basic regulation. Those businesses that do will win customer trust and respect outright.