3rd October 2017
With the General Data Protection Regulation (GDPR) coming into effect on 25th May 2018, by the time Smarter Business Tech LIVE 2017 (15th & 16th November 2017) closes there will be only half a year left for businesses to get ready – less, once the Christmas and New Year holidays are taken into account. Given the importance of the topic, we decided it would be a good idea to meet Andrew Stellakis, Managing Director at Q2Q, to garner a few of his well-informed thoughts on GDPR ahead of his speaking appearance at the show.
Smarter Business Tech LIVE: Why does the EU consider GDPR a necessary change for data regulation?
Andrew Stellakis: In 1995, the EU devised a directive around securing private data but allowed countries to interpret it themselves, so that it was implemented differently in each country and, of course, it has to be seen in the context of the technologies at the time. It didn’t cater for VoIP (Voice over Internet Protocol) and other more recent developments, it focused on data security and it was inconsistently implemented across the EU. GDPR (General Data Protection Regulation) provides a consistent framework with a set of six clear principles [see below] with which every member state has to demonstrate compliance.
Smarter Business Tech LIVE: What will be the most significant impact of GDPR?
AS: It won’t be the fines. There has been a lot of noise around the financial impact of GDPR but the fines will largely affect large firms. The biggest impact will be about the rights of the individual with things such as: no charge to find out what information is held about you; the right to be forgotten; and the right to compensation. Firms who don’t comply with the directive are less likely to be fined but will be listed on the website of the Information Commissioner’s Office (ICO) as having failed to meet the required standard – publicly named and shamed – and that will certainly act as a deterrent. Looking at the broader picture, GDPR applies to any organisation selling or providing services to EU citizens so, in that sense, Brexit will change nothing for businesses offering services to EU citizens.
Smarter Business Tech LIVE: How will GDPR affect consents from consumers?
AS: One of the ways consent is obtained these days is by inverse logic, i.e. not saying you don’t give consent. The new requirement is that consent has to be clearly and unambiguously given through a clear affirmative action by the individual. One of the first principles of GDPR is for fair and lawful processing which provides for specific consent.
Smarter Business Tech LIVE: What is the ‘right to be forgotten’?
AS: It is the right to have data erased from the system where it is legal to do so, i.e. you couldn’t have records held to detect money laundering activity erased. This will be a minefield, with companies having to understand where they have data stored, why they hold it and where it has gone in order to be able to delete it. The use of Excel is a real issue in this respect because files that are exported from systems end up becoming other files and then other files and so on. Given the way the world-wide web works, this will be nearly impossible, but a business will need to demonstrate that it has identified potential risks and has a fundamental understanding of where the data that it holds resides, particularly when using things such as Cloud Services, and for ISPs (Internet Service Providers) who have a requirement to store browsing histories. Specific exceptions, such as monitoring activity related to anti-terrorism purposes, will be protected by the legislation. Some people are concerned that authorities might try to widen the scope of exceptions.
Smarter Business Tech LIVE: What will be the challenge for marketers of meeting GDPR requirements?
AS: Marketers fear that GDPR will spell the death of marketing lists, but the truth is that the business to consumer market will change for the better if, as a result of GDPR, accidental spam is reduced. The quality of marketing will improve as lists are refined and become more targeted, i.e. of better quality. List contacts who have unambiguously agreed to be on the list will be more engaged and the ‘opening’ rate will increase while the ‘bounce’ rate will decrease.
With business to business marketing, as long as you’re emailing a role, and not a person, with something they could logically want, that’s allowed but otherwise, business to consumer rules will apply.
Smarter Business Tech LIVE: What will be the gains from getting GDPR right, i.e. in the quality and discipline of data management?
AS: That’s exactly what it will be with a greater ‘true’ quality in mailing lists with a higher likelihood of retaining and closing. Also, it will reduce the data held in a business which will save on a number of costs such as storage, disaster recovery and, of course, it will improve the ROI (return on investment) for each mail out which can be better targeted.
Smarter Business Tech LIVE: Will it be advisable for all companies to have a Data Protection Officer (DPO)?
AS: Every public sector organisation will have to have a DPO. The test will be how much data governance and data awareness can an individual realistically be expected to undertake in their role? For instance, with some jobs such as a personal wealth adviser with, say, 10 to 20 high-value individuals in their portfolio, it will be reasonable to expect them to be mindful of the security surrounding their clients’ personal data and data protection. However, if that service was then moved to someone working in a call centre dealing with hundreds of calls per day, do you believe they can genuinely be mindful of security around data? The role of a DPO is about considering data protection so, even if that is not a full-time role, it does have to be independent, so it cannot be a role for the Marketing, Sales or IT director.
Smarter Business Tech LIVE: What is the link between GDPR and cyber security?
AS: GDPR, in its essence, is about securing personal data and can be summed up as six principles…
- How did you get the data?
- What was the legal basis – consent?
- What are you going to do with that data?
- Is it the extent of the data pertinent to what you’re going to do with it?
- How long are you going to keep it?
- Is it being processed in a manner to maintain security?
The sixth principle, which can be seen as the wrapper for the other five, deals with security which, in part, is around who can access an individual’s details and security of promise, i.e. will the data holder also destroy that data safely when they have to? Losing data will be considered a data breach under GDPR which will force companies and organisations of all sizes to take securing data seriously.
Smarter Business Tech LIVE: Will GDPR slow or even reverse moves to Cloud based applications and solutions?
AS: One requirement of GDPR is that data is held securely; safe against viruses, etc. and in a safe place. So where data centres are will be a security issue. The Cloud offers the benefit of unlimited storage and sharing the cost of access to the latest software. The danger is that if a business or organisation is not mindful of where the data it holds is stored, it could be in breach of GDPR. This might well mean that a lot of Cloud providers will give the option to move data to European or even UK data centres.
Smarter Business Tech LIVE: By establishing a legal architecture for data collection and management, will GDPR enforce better housekeeping standards, such as with the destruction of data, and how would businesses and organisations be best advised to organise to achieve that?
AS: Yes, definitely better housekeeping. We often see a moment of panic when we ask a business for the true breadth of where personal data is stored, i.e. is it in the payroll, in the ERP system where it might be relatively secure? Or is it on Excel spreadsheets kept in various parts of the organisation and less secure? Identifying where data is kept is really the biggest difficulty and is step 1 in becoming GDPR compliant followed by, has the individual given explicit consent for their data to be held and so on? But the bottom line is, if you don’t know where the data is in the first place, you don’t know what you’ve got to secure.
Smarter Business Tech LIVE: What will be the penalties for non-compliance with GDPR and how will compliance be enforced?
AS: Penalties will fall into two categories: for a Category 1 breach, the fine will be up to €10m or 2% of global turnover and for a Category 2 breach, the fine will be up to €20m or 4% of global turnover (in each case, whichever is greater). These will be enforced by proxy of there no longer being a charge for a request for information plus the ability of individuals to get compensation will mean a lot more activity by ‘ambulance chasing’ ‘claims’ firms; so this has the potential to be the new PPI. Companies will also wish to avoid ‘appearing’ on the ICO website [see above] for the reputational damage that will cause plus any compensation claims it will encourage. Fines will actually be a last resort but they will happen.
Smarter Business Tech LIVE: What will be the costs of GDPR for marketers?
AS: There might always be a perception of the cost of the loss of a database but as to the true cost of GDPR? I don’t see any cost unless a business engages a consultant to help with the change; but that will speed things along and ensure compliance. Overall, any costs will net out to nothing or be a saving. Better quality lists will lead to better conversion rates, better engagement and better brand loyalty.
As always, we were pleased to have had the opportunity to share some time with Andrew and to have learned just a bit of the knowledge he will be sharing when he speaks at Smarter Business Tech LIVE.