Loss of business could be the most significant cost of GDPR for the private sector due to the expense and time needed to deal with investigations, face sanctions and reorganise. This is one of the conclusions of the research paper, "GDPR: Getting ready for data’s new dawn," by law firm Boyes Turner. It was published with the aim of informing organisations how to meet the May 2018 deadline and avoid being penalised.
Another conclusion from the research is that non-compliance could have a negative impact on deals, with data protection likely to become part of due diligence - non-compliance may adversely affect the value of a company and lead to collaborators delaying or deferring commercial agreements.
By way of context, the law firm laid out a timeline, outlining the three key stages an organisation should go through to meet the 25th May 2018 deadline, by which time GDPR sanctions will begin to be enforced. From now until September 2017 is the time for a data audit and gap analysis. From October to December 2017 should be allocated to drafting and implementing a compliance plan. And, finally, from January to April 2018 organisations should be dedicated to testing and rolling out new policies and procedures. Throughout this time, awareness raising and training should take place up until May 2018, with continual review from then on.
The firm divides its advice into five categories: getting ready, challenges and opportunities, gaps and guidance, robots and outsourcers, and conclusions and next steps. In the first instance, to get ready, the report stated that it is necessary to define one’s data strategy, raise awareness, and report and record data. Kevin Willis, data protection officer for insurance company Aviva, pointed out that his company views the data of its customers in a multi-faceted way. “Aviva has a true customer composite strategy which depends heavily on understanding customers well, seeing them as individuals and not just by reference to the products they hold with us,” he said.
Secondly, in regard to challenges and opportunities, the report offers statistics on perceptions of GDPR preparedness, broken down by different sectors. The law firm conducted a survey of 30 in-house lawyers and found that 10% believed they were not prepared at all, while the remaining 90% said they were in some state of readiness. A challenge reported by some is the seeming conflict between GDPR and other regulations. This is particularly the case for the financial sector, which is subject to anti-bribery and corruption laws and the Markets in Financial Instruments Directive.
In this section, it is claimed that companies are seeing the changes and overhauls taking place in preparation for the May 2018 deadline as beneficial to the way they operate. Helena Fearon, director of risk and compliance at vehicle marketplace Auto Trader, said: “You have an opportunity when you are doing an exercise like this to look at everything holistically and be really clear about why you are holding the data.” The paper stated that other companies are likening the effect of GDPR to the monumental effect Tripadvisor has had on the travel industry. “GDPR will force a shift in power from companies to consumers,” the report claimed.
The third section on gaps and guidance laid out a 12-point list of guidance points from the Information Commissioner’s Office to prepare for GDPR. These included having the right procedures in place to detect, report and investigate a personal data breach, and designating a person to formally take responsibility for data protection compliance. The report highlighted the ambiguity of the guidance on consent, especially when sharing data with third-party recipients, stating that the draft guidance issued by the ICO “gives rise to more questions than it answers.”
In relation to this, Sarah Williamson, partner at Boyes Turner, said: “This is a big issue for the advertising sector and also SMEs who rely on marketing lists to increase their audience. The guidance says that you would have to name the individual [third-party data] recipient whereas the GDPR refers to the possibility of naming categories of recipients. It’s not clear whether the ICO will back down on this.”
The fourth section on outsourcers and robots stated that artificial intelligence, whereby robots are performing tasks and processes, is a controversial area. It asserted that the ICO has recently closed a consultation on the processing of data by algorithms and so a key piece of guidance in a fast-changing, untested area is still not resolved. The report also set out a list of types of data used to build up a picture of an individual on which the ICO has yet to issue guidance. These include property ownership data, wearable tech, social network information and driving and location data.
The report ended with a focus on the change of mindset necessary for successful implementation of GDPR compliance procedures. Willis reiterated this by stating: “The whole point of GDPR is moving companies to acknowledge the concept of privacy by design and default.”