The European General Data Protection Regulation (GDPR), which comes into force on 25 May, is being billed as the most comprehensive data protection law ever released. It is essentially a code of good practice designed to ensure customer privacy, while also enabling discovery, mapping and tracking of real-time personal data flow. But despite these potential advantages, many companies, small firms in particular, are largely unaware of the extent to which the GDPR will affect them and have committed neither the time nor the resources needed to comply with GDPR by 25 May.
The UK's Federation of Small Businesses (FSB) recently began a last-minute GDPR awareness campaign after revealing that only eight per cent of the UK's small firms are prepared for GDPR. The FSB also says that 18 per cent of British SMEs claim not to have heard of GDPR, and that more than a third of sole traders (37 per cent) and micro-businesses (35 per cent) have not yet begun to plan for the new legislation.
But it is still not too late for companies to take full advantage of GDPR. In the first instance, organisations need to discover which repositories, assets and applications are holding data. The second step is to classify and understand all data in the context of all related business processes. If this process is not at least partially automated, it will be a long and potentially costly exercise for companies with limited resources. It will also likely be incomplete, as interviews and questionnaires cannot hope to locate every instance of personal data. It will also be important that this information be constantly updated in real time to maintain the approved baselines for lawful processing.
Automated data discovery and modelling will also facilitate GDPR compliance in a number of key areas. These include: knowing with which third parties and/or third countries the company is sharing its data; ensuring that appropriate data is immediately recoverable when required to fulfil subject access requests; being certain that erroneous data is corrected, and verifying that data is only accessed by those with clearance to do so.
As 25 May approaches, it is becoming more evident that the EU expects firms to have their data houses firmly in order even before GDPR comes into force. An EU official recently confirmed that companies which are revealed to have been concealing serious data breaches, which occurred before the regulation comes into force, could face penalties of up to €10 million or two per cent of turnover, whichever is greater.
The underlying problem is that most firms do not see data handling as a central part of their business. Companies such as travel agents and estate agents, for example, are huge repositories of highly sensitive personal data. A travel agent might hold a picture of a customer's passport, complete with birthdate, place of birth and photograph, together with credit card details, home address and dates when the customer is out of the country. In many cases, this will be stored in the cloud with the bare minimum of security controls in place; frequently, all the customer's personal information will be stored in a single folder.
Were the travel agent to be breached and unable to demonstrate “appropriate technical and organisational measures”, the legal consequences could be enough to put the agency out of business altogether, as people will have the right under the GDPR to sue for “non-material” as well as “material” (i.e. financial) loss.
In the case of an estate agent who has been subject to a breach, the compensation claims could be even greater. A fraudster who gets hold of an estate agent's customer records could perpetrate a number of other scams such as posing as the agent in a spoof email in order to convince the firm's customers into transferring large sums of cash into a bogus account. There has already been a recent spate of frauds where home owners and purchasers have been sent fake emails asking them to transfer deposits into fake accounts, the money then being moved speedily offshore.
While 25 May should not be seen as a 'deadline', the longer organisations show little evidence of progress towards compliance, the less the Information Commissioner's Office (ICO) will be inclined toward leniency. For most, performing this in-house would involve both a significant adjustment to resources and recruitment of relevant expertise, neither of which is likely to be appropriate.
The upside is that companies which do bring in the necessary expertise to automate their data management will build an ongoing relationship of trust with their customers. This is not merely a question of avoiding fines by being forced to comply with onerous bureaucracy. It is a genuine opportunity to safeguard the interests of all those the company does business with while also respecting their human right to privacy.
Contributed by Zak Rubinstein, founder and CEO of 1touch.io.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.