It’s been a year since the new GDPR (general data protection regulation) laws were implemented in the EU in a bid to improve data protection and security. So, have things improved? And do businesses finally understand what is required of them a year on?
A new study investigating UK business owners’ understanding of GDPR by business insurer Hiscox has unearthed that 9 in 10 SME owners don’t know the main new rights GDPR gives consumers – a worrying statistic considering what a pivotal move this was intended to be in terms of how businesses handle their consumer data.
So, what is GDPR?
Coming into effect on 25 May 2018, GDPR was formulated to better regulate data privacy and security by enforcing rules on how data can be collected, how it is used and the way it is stored. The primary goals were to give the general public more control over their data and to encourage businesses to be more transparent about what they are collecting data for.
Under GDPR, personal data means any information relating to an identifiable person, such as a name, photo, email address, bank details, social media information, location details, medical records, or even a computer IP address.
The six lawful bases for processing data under GDPR are:
- Consent – you must gain consent from the consumer to use or collect their data.
- Contract – processing the data is necessary to perform a contract you have with the individual.
- Legal obligation – you need to process data to comply with the law.
- Vital interests – data processing needs to be done to protect someone’s life.
- Public task – data processing needs to be done for you to complete a task in the public interest.
- Legitimate interests – data processing is necessary for legitimate interests, such as fraud protection.
If companies are found to be non-compliant with GDPR, or if they experience a data breach and don’t report it within 72 hours, they could, in the worst case, face fines of up to €20 million or 4% of the company’s annual turnover (whichever is higher).
Are businesses up to speed?
There’s no denying that there was a lot of publicity surrounding the introduction of the new data regulation laws.
That being said, it became something of an information overload, and this may have had the opposite effect to the one intended. The months leading up to GDPR taking hold were filled with confusion about what GDPR actually means for businesses and how it affects them in the long term. And this confusion doesn’t appear to have been entirely dispelled a year on, according to the Hiscox findings.
Of the SME owners surveyed, 39% didn’t know who GDPR affects – the answer is everyone! It affects business owners as consumers themselves, and it affects them as a business dealing with consumers (customers, clients, suppliers, etc). Further to this, 96% didn’t know what the maximum fine is for breaching GDPR.
There is still time – and a continued necessity – for business owners to get up to speed with the new laws. Business owners should look at compliance as an ongoing project that requires continued attention.
What action is being taken?
Many businesses have responded by hiring dedicated GDPR officers to take responsibility for overseeing the company’s data protection strategy and to handle the new set of challenges, such as educating the employees on compliance requirements, conducting audits to ensure compliance, maintaining records of data processing activities and more.
From a consumer standpoint, the obvious response to GDPR is the introduction of opt-in cookie consent pop-ups on virtually every website they visit. Though consumers may find them irritating, these are an essential step that businesses must now take before they can collect data from visitors to their site. Prior to GDPR, you could have gotten away with a banner stating that visitors implicitly accept cookies through the mere act of using the website. However, the new laws require visitors to actively opt in to giving permission for their data to be used.
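The difference between the old implicit banner and the opt-in model described above can be made concrete in code. The following is an added illustration, not code from the article or from Hiscox: a small JavaScript consent gate in which nothing beyond strictly necessary cookies runs until the visitor has actively ticked a category, and withdrawing consent switches it off again. The category names, the record shape and the tracker stubs are assumptions made for this example.

```javascript
// Added illustration of consent-gated tracking; not code from the article
// or from Hiscox. Category names, record shape and trackers are assumptions.

// Strictly necessary cookies (session, CSRF token) never need consent.
const STRICTLY_NECESSARY = 'necessary';
// Everything else is optional and may only run after an active opt-in.
const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];

// Pre-GDPR banner logic, kept only for contrast: merely loading the page
// was treated as acceptance of every cookie.
function implicitConsentAllows(category, pageLoaded) {
  return pageLoaded;
}

// Opt-in model: the record holds only the categories the visitor ticked,
// plus when the choice was made (needed to demonstrate consent later).
function createConsentRecord(optedInCategories, recordedAt = Date.now()) {
  const granted = optedInCategories.filter((c) => OPTIONAL_CATEGORIES.includes(c));
  return { granted, recordedAt };
}

// Unticked and undecided both mean "no": silence is not consent.
function isAllowed(category, record) {
  if (category === STRICTLY_NECESSARY) return true;
  if (!record) return false;
  return record.granted.includes(category);
}

// Withdrawal must be as easy as opting in; returns a new record, the
// original is left untouched so the earlier decision can still be evidenced.
function withdrawConsent(record, category) {
  return { ...record, granted: record.granted.filter((c) => c !== category) };
}

// Wrap a tracker so it cannot execute unless the gate allows it.
function runIfAllowed(category, record, tracker) {
  if (!isAllowed(category, record)) {
    return { ran: false, reason: `no consent for ${category}` };
  }
  return { ran: true, result: tracker() };
}

// Walk through a typical visit and report which trackers fired.
function demo() {
  const analytics = () => 'analytics cookie set';
  let record = null;                           // visitor has not chosen yet
  const beforeChoice = runIfAllowed('analytics', record, analytics);
  record = createConsentRecord(['analytics']); // visitor ticks analytics only
  const afterOptIn = runIfAllowed('analytics', record, analytics);
  const marketing = runIfAllowed('marketing', record, () => 'ad pixel fired');
  record = withdrawConsent(record, 'analytics');
  const afterWithdrawal = runIfAllowed('analytics', record, analytics);
  return { beforeChoice, afterOptIn, marketing, afterWithdrawal };
}
```

The design choice worth noting is that the default state (no record at all) denies every optional category, which is the opposite of the pre-GDPR banner where page load alone counted as acceptance. A real site would persist the record (for example in a first-party cookie that is itself strictly necessary) and re-check it on every page before loading third-party scripts.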
As a consumer yourself, there’s a good chance that you’ve received an influx of emails from every business you’ve ever had anything to do with, asking for your consent for them to retain and use your data.
High-profile GDPR breaches
As of February 2019, 91 fines have been issued under GDPR. Some of these have gone to high-profile businesses, such as Google, which was fined €50 million (£44m) for failing to acquire users’ consent for advertising.
In September 2018, British Airways suffered from a ‘malicious criminal attack’ that led to thousands of customers’ data being compromised. The company now faces a possible fine of around £500 million over the breach.
While GDPR may seem like something that would affect only larger organisations, it can very much impact businesses of all sizes. For this reason, it is essential that you’re up to speed with the requirements and rights that GDPR enforces – as a business owner, employee or consumer. Businesses need to do more to ensure they understand GDPR and, above all, are complying with it, or they may face damaging consequences down the line.