Concerted promotion by consumer groups of new rights under the General Data Protection Regulation (GDPR) could be more disruptive to businesses across sectors than the “TripAdvisor effect”, with yet more control over the future of brands and marketing strategies shifting away from companies and towards consumers and employees, according to a new risk analysis paper on GDPR from specialist technology law firm Boyes Turner.
The Information Commissioner's Office (ICO), in particular, is expected to launch a major PR offensive in early 2018 alerting consumers to their new rights as "data subjects", warns Boyes Turner. Combined with the ability for consumers to bring collective "class action" type claims where they feel their rights have been breached, there is a clear risk of litigation and of significant disruption to businesses and their working practices.
Unprepared companies will face increasingly heavy resource burdens as a growing number of consumers demand to see, correct or have erased the data held on them, or withdraw the consent on which its processing relies, projects the paper. The removal of "implied consent" and "opt out" models will place a further strain on data departments.
Top fines for breaches under the European regulation will be as high as €20 million or 4% of annual global turnover, whichever is the greater. The regulation applies from 25 May 2018 and will continue to apply post-Brexit, with proposals to enact it in UK law already unveiled by the UK Government in the Queen's Speech.
Sarah Williamson, Partner at Boyes Turner and a speaker and author on data protection and security issues, said:
“If consumers are encouraged to take up their new GDPR privacy rights en masse, the impact on a wide range of businesses could be more disruptive than the tech-driven consumer empowerment forced by the likes of TripAdvisor and other consumer review and price comparison technologies. Like these disruptors, companies that have used the GDPR as the catalyst for getting a handle on the value of holding, handling and utilising consumer data in compliant ways can be big winners. But for the underprepared, if it isn’t the GDPR fines that get you, the large-scale, ongoing disruption from consumers checking, demanding changes to or legally challenging data held on them could.
“Urgent action is required now to ensure businesses know what data they hold, are able to access it quickly and action change requests with minimal bureaucracy and disruption. There are real opportunities for firms to become more agile and effective in their use of consumer data. But there are also real risks that those that get it wrong will be so tied up in GDPR red tape they won’t be able to deliver their real business priorities.”
Bots and privacy risks
Processing of data by artificial intelligence is another area where, the report warns, regulatory uncertainty remains despite the May 2018 deadline, further complicating the challenge of becoming and remaining compliant. The ICO only recently closed a consultation on the processing of data by algorithms, so clear guidance on this fast-moving area is not yet available.
Williamson added: “Machines are making decisions about how data is processed and how that data is used. If these robotic decisions about data handling risk breaching GDPR obligations, organisations could be leaving themselves wide open to challenge. With official guidance not available, organisations need to internally test to destruction where algorithms could be leaving them exposed to huge fines and business disruption”.
The report warns that some companies are so far behind in preparations for GDPR that they can’t hope to be fully compliant by May 2018, meaning a rigorous gap analysis and risk management process will be needed to ensure effort is prioritised where gaps are largest and risk greatest.
“While some companies we spoke to are well ahead of the game, many have a long way to go,” concluded Williamson. “The best prepared are already demonstrating a ‘privacy by design and default’ approach. The benefits they derive in terms of consumer trust and confidence will mean they are able to continue to profit from well-handled and effectively used consumer data. However, full compliance by May 2018 will simply not be achievable for many.
“With eye-watering fines in the offing, and with guidance from regulators still unclear in places, firms need to be adopting a risk management and gap analysis approach, prioritising action on the areas where they have most to gain from action or most to lose from inaction. With so many different parts of the business impacted, it is possible some firms may be fully compliant and reaping the benefits in, say, HR or marketing, but wide open to fines or a loss in consumer trust from an exposed flank”.