Firms warned building trust vital under new EU data protection rules
MUCH of the focus on the urgent need for Irish businesses to meet the requirements of the upcoming GDPR (General Data Protection Regulation) has centred around the sizeable fines which can be imposed in the case of wrongdoing or negligence. However, a bigger consideration for companies and organisations should be gaining the trust of consumers through complying with the new measures.
Over the past seven years there has been an increasing awareness by consumers of the importance of their data and a suspicion, in some cases correctly so, that their data was not safe when it was handed over to businesses — and not just online retailers. A Eurostat survey in 2015 found that more than half of the respondents (56pc) did not trust shops, while more than six out of every 10 (62pc) did not trust phone companies or internet service providers.
The same could be said for a number of businesses and organisations that routinely collect and store consumer data – consumers are increasingly wary of the amount of data held on them. Implementing practices to prove to consumers that organisations deserve to be trusted with their personal data should lead to greater consumer confidence and, therefore, more business.
While Daragh O’Brien, MD of information governance company Castlebridge, agrees that improving consumer trust and confidence can reap rewards, there is another reason why improving consumer trust is so important under the GDPR. The new regulation requires organisations not just to have processes in place that safeguard and protect consumers’ data, but to be able to demonstrate to individual consumers that it is the case when required.
“It boils down to a need for the people whose data you are processing to trust you with that data, and that will come down to simple things like having intelligible fair processing notices, and being able to provide copies of the data you hold about people to them within 30 days. It’s not good enough to say that you have sufficient controls in place — the new regulation also requires that you be able to demonstrate that you have those controls in place and they are operating effectively and that is where a lot of organisations are going to be in trouble,” O’Brien said.
For many companies which are already struggling to come to terms with what the GDPR means for their business, the idea of being legally required to demonstrate to consumers what processes are in place for securing their personal data and handling it in an ethical fashion will seem a daunting one. Some companies may not understand why they need to do so, but it comes down to a very important concept that many businesses have yet to get their heads around — who owns that data.
While many companies may consider that something as simple as a mailing list, either electronic or physical, and the contents thereof belong to them once it is compiled, the contents of the mailing list are deemed personal data; each individual whose email or personal address you have is the owner of that data. It doesn’t matter that the company has paid for and owns the system that stores the data.
The relationship between companies which hold consumer data and the owners of that data is similar in nature to deposits at a bank – although the consumers lodge their money and it remains in the custody of the bank, it still remains the property of the consumer and can be demanded at any time. While this has been the case in Ireland for some time when it comes to data, O’Brien says that some organisations are still a little vague on the concept.
“Some organisations struggle with it, and I am surprised and perplexed when that is the case, because that is not a new concept, it is 30 years old — all that the GDPR is doing is clarifying it. If you give your information to an organisation, then it is still your information and you have rights to it, and the organisation has responsibilities and obligations in how it handles that data. What GDPR does is clarify those rights for consumers and responsibilities of organisations and it lays out some very clear penalties for breaching those rights,” O’Brien said.
The offences are indeed clear (there are approximately 40 detailed in the legislation) and the fines are very significant — up to 4pc of turnover or €20m, but addressing the issues and giving customers trust in how their data is stored is likely to improve how companies are perceived. The question for many companies is where to start addressing the challenge posed by GDPR. According to O’Brien, the first principle of action when facing a challenge remains:
“The first thing I would say is not to panic. The second thing I would say is that you should accept that you will almost certainly not be fully compliant in time. This is not a case of changing some software, it is a cultural change within your organisation — it is people, it is work practices and it is documenting those work practices, and identifying and managing risks. What you should begin by doing is auditing your current work practices and start by addressing the most immediate risks. By May 2018 you need to be able to show that you are aware of the new laws, that you have a plan in place to become compliant and that you have started addressing the risks to data privacy in your organisation,” O’Brien said.
While many Irish organisations have a lot of catching up to do in order to meet the minimum requirements of GDPR in time, O’Brien says that he has a good rule of thumb for them to use when considering how to handle consumer data.
“What this all boils down to is ethical handling of people’s information, and that should be the starting point for any thoughts on compliance. If it feels wrong and like you shouldn’t be doing something a certain way, the chances are that you are probably doing the wrong thing.”
Daragh O’Brien, MD of Castlebridge, will be a speaker at DataSec 2017, Ireland’s Data Protection Conference focusing on the new GDPR regime. Find out all you need to know about GDPR compliance at DataSec 2017 on May 3 in the RDS. For tickets see: https://eventgen.ie/dublin-data-sec-2017