During last year’s EU referendum campaign, Michael Gove famously said that “people have had enough of experts”. Looking at how UK plc is preparing itself for enforcement of the General Data Protection Regulation, it seems like businesses have had enough of them, too.
Last Thursday, 25th May, was exactly one year until the demands of GDPR will need to be followed through with actions, otherwise the Information Commissioner’s Office will want to know why. To mark the date, a blizzard of press releases emerged which ranged from the constructive to the alarmist, via the credibly informed to those clearly over-reaching their competence.
The DMA found that the number of businesses who believe they are on course to comply with GDPR had fallen to 54% this year from 68% in 2016. A survey by Blancco Technology Group found 43% of UK businesses are waiting until the second half of 2017 to begin their data protection gap analysis. Meanwhile, in a survey by WinMagic, only 21% of UK IT professionals said their organisation would currently be able to comply with a request for deletion by removing all data from live systems and servers.
GDPR had such a long gestation - a first draft was leaked in November 2010 - that you might think companies would have been ready for action. After all, it is well over a year since it passed onto the statute books in the UK. So why is it that so many are turning a deaf ear to what the experts are saying they need to do to stay on the right side of the ICO halfway through 2018?
1 - Because self-interest beats transparency
What GDPR is trying to do is rebalance the data-value exchange to a more equitable position. Most business models are based on one-time data collection and persistent permission. This is even more extreme in the new world of digital platforms and services, which make agreeing to one-sided terms and conditions the basis on which to participate. When Facebook acquired WhatsApp it was clearly with the assumption that it could merge the instant messenger’s customer data with its own, finding a potentially new user base while also taking out a commercial threat. Only the strictest enforcement efforts of German data protection regulators have made it plain that this was not transparent to consumers when they first signed up and was therefore not acceptable. The ICO has been taking a similar view towards charity profiling and commercial organisations’ repermissioning efforts. Despite this, organisations built on data self-interest will resist transforming their model for as long as possible.
2 - Because companies don’t believe consumers want it
A paradox of all legislation is that it is usually trying to address risks of which most people are unaware. With data protection, the problems envisaged by the legislators seem remote or theoretical to most consumers. As a result, there has not been a mass movement demanding more privacy online and better controls over data. So companies take this to mean GDPR will fail because customers will not exercise their new rights. But that is to underestimate the way small groups of vocal objectors and commercial rights lawyers will use GDPR as a lever for change. Even if only one of your customers wants to take advantage of what the Regulation proposes, your business will need to be able to comply.
3 - Because businesses believe they can get away with it
The risk of fines has historically been written into many companies’ risk assessments, not just around data protection, but any new endeavour. It is not until the financial threshold of those fines gets close to the line of profitability that the risk is considered no longer worth taking. Until GDPR, data protection breaches were, frankly, affordable. And that is exactly why the Regulation has enabled super-max financial penalties to be imposed. Like banks learning from their mis-selling of pensions and credit card companies having to pay out on PPI claims, companies will learn in the long term that abusing data will no longer pay.