One Year After GDPR: Three Common Mistakes Businesses Still Make
May 25, 2019 marked the one-year anniversary of the European Union’s (EU) General Data Protection Regulation (GDPR) coming into full effect.
This milestone serves as a timely reminder for any business in the EU or doing business with EU residents on both the implications of failing to protect data and the procedures needed to prevent this from happening.
Here are the three common misconceptions that businesses – big and small – still have about the GDPR:
1) Data Subject Access Rights are many companies’ Achilles’ heel
With GDPR violations now attracting large fines, you might think businesses would be bending over backwards to ensure compliance, but this isn’t always the case.
Most businesses have improved accountability by appointing a Data Protection Officer. They have devised (or refreshed) a legal framework for data privacy, improved their lines of defense against data breaches and even managed identity and access more rigorously. And yet, our recent research reveals that mistakes are still being made under the GDPR: 74% of UK organizations are failing to respond to consumers’ personal data requests within the required one-month time period.
Despite it now being very easy for consumers to request their data, most businesses still struggle to provide it within the time demanded of them. One thing is certain: if regulators focus their enforcement on this area, then many more companies could be held accountable over the next twelve months for failing to honour Data Subject Access Rights.
2) Data privacy or protection is not the same as cybersecurity
When most UK businesses hear the phrase ‘data privacy’ or ‘data protection’ they immediately think ‘cybersecurity threat’. This is a widespread misconception. Rather than putting the correct processes and IT systems in place to respond to data privacy obligations such as data access requests, they concentrate on building stricter security systems.
Google has had to pay a fine of 50 million euros (about $57 million) for GDPR violations, and class action lawsuits have been filed against streaming services. These events mean organizations must begin to realize that cybersecurity is only one aspect of GDPR compliance. In fact, the biggest fine to date has been imposed for a violation of the consent rules, while the largest collective complaints currently before regulators focus on data subject access requests. The GDPR has presented organizations with an opportunity to re-think the relationship between business processes, data transparency, and customer privacy needs.
3) The GDPR is more than a legal requirement between customer and business
Over the past twelve months, businesses have been busy asking themselves whether they comply with the GDPR. However, when faced with this question, most have taken a defensive approach, considering only the legal and security implications for the business. Herein lies another misconception: the view that the GDPR is nothing more than a matter of legality.
The GDPR is, in effect, a contract between the organization and its customers, setting out how the business plans to store, process and protect customers’ personal data. Every contract has a legal dimension, but the GDPR’s scope is much broader than that. It is also about building better customer relationships and experiences through trust. This is a vital distinction, because trust is a pivotal commodity for businesses today. If you do not have a contract that your customers like or trust, customers will begin to withhold their data or abandon companies altogether.
GDPR breaches and the publicity they have attracted have done a lot to damage consumer trust in recent months. The organizations which succeed will be those which are willing to put consumer privacy concerns at the heart of the business and to prioritize the customer experience – for example, establishing privacy portals where their customers can access their data and give their consent for the personalized services they find valuable.
Regulation is always a minimum standard, so companies must aim to comply with the GDPR and then go beyond it. With all data, organizations should act as stewards, making sure data is used, stored and shared in a way that does not allow its misuse by unauthorized third parties. In doing so they will earn more confidence in their own data handling, and more trust from their customers.