
Five Reasons To Be Cheerful About GDPR

By ISBuzz Team | April 24, 2018 | Updated: July 4, 2024 | 6 Mins Read

Last year, the average UK small business spent 600 hours preparing for the upcoming GDPR. There are concerns that the new data protection regulation will impact productivity, prevent marketing activity, and send businesses grinding to a halt. But it doesn’t have to be this way.

The European Commission claims the tougher data protection regulation will be good for business, providing plenty of opportunities. So, as a break from all the fearmongering, here are five good reasons to be cheerful about GDPR. 

The chances of immediate fines are slim

Although the potential fines are daunting, reaching €20 million or 4% of your global annual turnover, sanctions are unlikely to be applied in full force from day one.

For the past 20 years, the Information Commissioner’s Office (ICO) in the UK has had the power to fine companies up to £500,000 under the Data Protection Act (DPA). However, the ICO has never used the full extent of this penalty. So far, the highest fines under the DPA have reached £400,000, issued to Keurboom, TalkTalk, and Carphone Warehouse.

In each of these cases, 80% of the maximum fine was applied. This was for persistent and repeated offences, where data was significantly and continually abused in the aftermath of the breach. It’s unlikely that under the GDPR, regulators like the ICO will apply maximum fines for a single incident. For a small company suffering a breach, this should put the fearmongering around potential fines into perspective.

Besides, the intention of the GDPR isn’t to earn money by penalising companies. Rather, it’s to make sure businesses think of risk in a different way. Instead of asking “what’s the risk to us?”, businesses must think “what’s the risk to our customers and employees?”. And the good news is, if you take GDPR seriously enough, and put processes in place to comply, the chances are you won’t be fined.

GDPR will help you nurture trust

Last year, the ICO published research stating that only 20% of the UK public trust organisations with their personal information. And it’s not getting better. New and emerging technologies are enabling organisations to use personal data in ways they never expected, and the public are becoming more and more distrustful.

The GDPR presents an opportunity for businesses to not only comply from a legal and regulatory standpoint, but also to regain both customer and employee trust in the way the organisation handles data.

Businesses should seize the opportunity to let their customers know why their data is collected, what it will be used for and that they can choose whether to share their information. Some organisations have already started emailing customer-friendly privacy notices to users, putting them ahead of the curve.

It’s the perfect time to de-risk

If 2017 taught us anything about data security, it’s that data breaches happen all the time. In the first month of 2018, we have already seen a number of high-profile incidents, and according to the Ponemon Institute, the average breach now costs $3.5 million. This figure is only set to rise as the scale of breaches increases.

Ultimately, the more data you store, the greater the risk that you will become a target for cyber-criminals. The GDPR presents an opportunity to reduce this eventual impact by cleansing your data. You may have seven million people signed up to your service, but if only a fraction of these are active users, the rest are a liability to you. If your data is not earning you revenue, why take the risk? Now is the time to purge the redundant data and reduce your organisation’s overall exposure.

To clear out inactive email addresses, companies such as Channel 4 have emailed their customers advising that their accounts will be closed if they don’t opt back in. This allows Channel 4 to clear their database of inactive accounts and ensure that they’re only keeping the email addresses they need, to reduce their risk factor. This practice will also help ensure that the remaining active users are engaged, and therefore more likely to respond to sales and marketing activity.

You can grab a greater market share

The GDPR has the potential to be a key market differentiator. Organisations around the world are talking about how it will affect businesses within Europe and beyond. Many organisations, particularly in the USA, are waking up to the fact that they will need to comply with the GDPR if they want to do business in Europe. Their main concern is that if they don’t follow it, they can’t play; those who do are likely to be more successful in the EU market.

Additionally, the GDPR is set to bring a moment of market upheaval in the supply chain where contracts will be renewed or renegotiated. At this point, showing that you follow the GDPR will help you stand out from your competitors.

GDPR will bridge silos

Traditionally, IT and compliance have not been well interconnected, with IT seen as a service to the rest of the business. Pre-GDPR, C-Level executives were not especially concerned about how the IT department did its job, or where the data sat, as long as they could retrieve the data when needed. Equally, while the IT department managed the systems, networks and vulnerabilities that could lead to a cybersecurity incident, it didn’t necessarily focus on the data sitting on those systems.

However, the GDPR forces you to bring the goals of the IT team and the business together. The executive board will have to care about the data and the systems, and IT will have to care about where the data sits on the system. It all ties back to vulnerabilities. The GDPR will encourage better communication between the two sides and enable you to report on what the most vulnerable system is, not just from a technical point of view, but also from a data privacy view. This means that those extra resources for IT security can be explained by the Processes, Activities and Assets that will be impacted, which are terms the business can appreciate. This is a perfect opportunity to address the silos that currently exist, and it may well have wide-ranging benefits beyond data security.

It’s not a glass half empty

As the GDPR comes into force, the way organisations manage everything that touches their data will need to change. It’s a continuous journey, and the GDPR will fundamentally change the way that businesses work. However, while a lot of confusion and panic exists around exactly what it will entail, the GDPR also presents an opportunity for businesses to improve how they work and build trust with their customers. Despite the potential penalties, the GDPR glass doesn’t have to be half empty.

About Oliver Vistisen


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
