By Jon Szehofner, Founding Partner of GD Financial Markets
As we steam ahead into 2018, the deadline for the General Data Protection Regulation (‘GDPR’) looms fast. Firms are in the final sprint to be compliant by the 25th May or face fierce penalties. Whilst the GDPR appears burdensome, the level of security which it will bring to individuals across all areas of electronic communications, including journalism, has never been seen before and is something which we should all be glad to see implemented.
The value of data has never been more prominent, with cyber security now an integral part of companies’ operations. The increase in the number of security breaches over the last year alone is evidence of the change in direction of crime. High-profile examples include the 9,000 Tesco Bank customer accounts breached in 2016, the Equifax breach of 145.5 million people’s data in 2017 and the theft of $81 million from accounts belonging to the Bangladesh Central Bank using SWIFT’s network.
There is significant value in the GDPR, and not just financially or as another stick for the regulator to beat firms with: in an increasingly online world where data is a commodity, protecting our personal and business data is crucial. Large, household-name organisations such as banks and FTSE 250 companies are likely to be made an example of should they fail to comply with the regulations. Transparency and compliance will be crucial for those who do not wish to be publicly pilloried by the regulator, face a fine of up to 4% of global revenue or risk irreparably damaging their reputation if breached.
As a piece of European Union legislation, the GDPR will provide a standard across all industries and much of the Continent. This is a first for regulation of this sort and will hold companies with offices in numerous locations to the same standards, something which has not always been the case. It will strengthen and unify data protection for individuals, both within the EU and with respect to the export of their data outside the European Economic Area (EEA). However, for businesses this also means that the cost of non-compliance is higher than ever before, with significant fines based on worldwide turnover.
The growing social and political value of data means that the stakes are high for companies, individuals and governments across the world, and consequently the regulator will take a particularly aggressive approach to punishment. The directive states that breaches range from the misuse of data, such as when an individual’s data is used in marketing material where permission has not been given, through to cases where there is insufficient data security, leaving companies and individuals open to hacking.
How are firms preparing? Most firms have recognised the need to develop substantial technological and organisational systems to deal with the volume of data and the categorisation required by the GDPR. Not only will there need to be good technology, but employees also need to be trained in the requirements for compliance and in communicating them to clients. Some firms have taken the decision to hire a dedicated Data Protection Officer, whilst others have appointed someone on a voluntary basis or appointed an external agency. The extent to which firms are ready for the incoming regulations depends on the company and its Board accepting the significance of the GDPR, and on whether this is embedded in practices and filters throughout the company.
It will require teams to check everything from technology contracts to cloud-based software services. Indeed, the latest survey by Deloitte highlights that only one in ten global companies actually monitors and identifies data activity by their sub-contractors; the rest instead rely on third parties to check on fourth- and fifth-party activity. Organisations will be held responsible for their sub-contractors’ use of data on the organisation’s behalf, and consequently it is imperative that they are prepared and understand what data is being used and how.
The significance of the GDPR can be seen in the fact that responsibility for compliance should lie with a Board-level member of the company, and in the need for evidence to show that a company has taken clear steps to attempt to be compliant. Firms that struggle to understand where their data currently comes from will struggle most to develop clear systems for the GDPR. It is not necessarily the size of the firm that counts but how many different systems are used and how easily data that may relate to a particular individual can be traced.
Firms will need to conduct internal audits of the data they hold to understand where it comes from, whether the information can be corrected or changed, and so that progress can be recorded for future reference as systems develop within the firm. It is also important that firms continue their efforts and do not stop after the May deadline has passed.
In 2016 the UK Financial Conduct Authority revealed that the number of reported incidents of cybercrime within its jurisdiction had jumped to 75 for the year to date, from 5 in 2014. If the regulator’s fine alone is not enough to spur companies into action, the irreparable reputational damage done to companies in the wake of data breaches can cause a loss of trust and customer support which takes a much longer time to recover from.
Firms have less than a month to be ready for the regulations, and it is important that those at the top of organisations grasp the significance of the GDPR. The road to compliance may be monotonous, but once the initial systems are in place, the GDPR will pave the way for a future which is more in line with the direction in which technology is taking us.