Monday, 6 August 2018

GDPR: the aftermath

The GDPR aftermath has been marked with a deafening silence about data integrity, security and privacy. So what have we learnt since then?

It’s now a little over two months since GDPR came into force. A little longer since those panicked conversations with your boss about what you actually need to do and that inbox full of marketing emails begging you to resubscribe.

What have we learnt since then?

The aftermath of GDPR has been marked with a deafening silence about data integrity, security and privacy. There have been media stories about data breaches or malicious software hitting household names such as Ticketmaster or Dixons Carphone, but broader coverage of information governance and GDPR has been notable by its absence – suggesting that what we haven’t learnt about GDPR is significantly more substantial than what we have learnt.

What have we learnt about GDPR?

I think the most startling revelation we learnt in the wake of GDPR was how reactive British business is… and how much we all like to leave things to the last possible minute.

The flurry of marketing resubscribe emails to which most of the country found themselves subjected was testament to this; without reliable advice, businesses panicked and abandoned large sections of email lists built up over years.

Never mind that GDPR makes provision for businesses to hold data where there are legitimate reasons for doing so.

Second, the noise around GDPR emphasised how many more aspects there are to data privacy than many people realised. As people looked into the subject of GDPR, even the smallest organisations began to feel like they needed a data officer. (Or a Grant McGregor consultant to help and advise them!)

The plus side of this, of course, is we’re all a bit more conscious of the data we are capturing, processing and storing. Hopefully, as the dust settles, this knowledge will inspire organisations to think of new ways they can use that data to reach and delight their audiences.

Third, GDPR served to emphasise what a globally connected world we are living in.

Tracking how we share data, who shares data with us, where we store data, and investigating the policies of third parties has underlined how intricately the web of data, information and services is woven.

This came as news to many US corporations who had operated under the notion that what Europe decides to do doesn’t affect them. This misapprehension has now been swept away – it will be interesting to see whether this corporate understanding filters through to political debate both here and abroad.

Still, many US service providers were even more woefully unprepared than UK business; some choosing to simply deny access to their service in Europe rather than expose themselves to risk.

This last-minute service withdrawal seems like an over-reaction on this side of the Atlantic, but only time will tell.

As someone who spent several of the first days of the millennium fielding calls from finance managers wondering why they were struggling to process payments, the lack of GDPR preparedness on both sides of the Atlantic probably shouldn’t have surprised me.

The country was, however, more prepared for the fact that the sky didn’t cave in: the fourth thing we learnt after May 25th.

Was media hype unjustified? It seems so in the immediate aftermath, but the real answer is – perhaps – another one of the things we don’t yet know about GDPR.

What are we yet to learn about GDPR?

The key GDPR facts we are all eagerly waiting to discover are: who will fall victim to the first GDPR fine? How strict or lenient will regulators be in this test case? And how eye-watering will the fine be?

The prurient satisfaction that it wasn’t us will also need to be carefully guarded against.

The sheer scope and breadth of data privacy that GDPR has revealed to us makes it imperative we adopt an approach of constant vigilance and continuous improvement. There but for the grace of God…

If they haven’t already, IT security, data encryption and defensible deletion need to move up every organisation’s agenda.

The other key tranche of “stuff we haven’t yet learnt about GDPR” relates to consumers. In particular, their eagerness to exercise their new rights and their fastidiousness in reporting breaches to the companies involved, the media and the regulatory authorities remain to be seen.

Similarly, we’re yet to witness the media’s appetite for such reputation-busting stories – or the markets’ willingness to overlook them.

Perhaps the most important aspect organisations are waiting to discover about GDPR is how well their internal actions have protected them from any potential negative consequences flowing from the regulation.

In this, it is vital that all organisations understand that GDPR is not a one-off event, nor even a process, but a new way of looking at the world.

GDPR: the aftermath – what’s next?

In many ways, GDPR feels rather like we were all late to a party which failed to materialise and now all we want to do is forget about it.

But it is important to take the opportunity to reflect. Data is the “new currency”, “new gold”, “new oil” of the digital age. What we do with it will have a material impact on our organisational success and reputation in this new age.

If you’d like to know more about GDPR, good information management practice or information security, speak with a Grant McGregor consultant today.