27 Jun 2018

Whole lot o’ data going on

GDPR went live just a couple of weeks ago. What were some of the last-minute compliance burdens associated with adhering to GDPR? And what concerns remain?

Dov Goldman: We have seen already that a big concern for organisations is that their marketing efforts are very vulnerable to the General Data Protection Regulation (GDPR). A lot of organisations are asking those on their contact list to opt in and continue to remain in contact. We’re doing this at Opus and I think that is an intelligent step because a big part of the regulation is very much aimed at direct marketing efforts.

Richard Saville: There is an industry concern amongst companies who are worried about fines if they don’t get it right, and they are worried they will annoy their clients if they keep sending out stacks of consent requests to those who may have even forgotten who they’re doing business with—that’s a massive challenge.

If you have customer information that you’ve gathered through legitimate business, and you have an established relationship with them, you do not have to request re-consent. But there still seems to be massive confusion.

Having said that, part of the process is the issue of consent on record. If a regulator came in and they wanted to see evidence of that consent, most firms would struggle to show that they’ve got that clearly on record. It’s about getting the house in order in terms of those data records. If an organisation is making a reasonable effort to clean that up, they will not be fined.

The regulator is clearly saying it’s time that people who have bought a thousand emails from a market database cannot use that information to market products. GDPR is all about enhancing people’s protection regarding their own personal data.

How will companies be forced to evaluate their use of customer data? Do you think there will be any teething problems in the first few weeks and months after the go-live?

Saville: The UK regulators have been magnificent in publishing guidance, but they’ve only been doing that for the last couple of months. So, a lot of businesses have been sitting there waiting for the regulator to tell them what they have to do. It’s only now that people are beginning to realise what the true implications are. I don’t think the regulator can come down too hard when they’ve taken two years to get their act together. I think most companies only just about understand what GDPR actually is and they don’t necessarily know where to go to get the right information.

I heard that recently, Google hits for GDPR exceeded the hits for Beyoncé. That’s the size of the interest and reflects the uncertainty and questions that people have. It’s out-Googled Beyoncé.

Do you see any indication that an equivalent of GDPR may be exercised in the US?

Goldman: The US culturally has a relaxed view on privacy, compared to people in the EU—and the UK. Data breaches are nothing new, but in recent months it has reached a different level of consciousness and punctured everybody’s fantasy that they have any level of privacy. I don’t see extra GDPR-like regulation for data in the current political climate we have here in the US. But I do see a cultural shift on the way. That recent awareness is the beginning.

What should companies be working on in the coming months with GDPR? And do you think regulators will be lenient in the first month?

Goldman: Inherently, technology can be changed very fast but human behaviour cannot be modified at the same speed. Companies need to train people on accountability and data subject rights. A problem with GDPR is some organisations don’t think they’re responsible to this regulation, though most are trying hard to see this as important in their business going forward.

When considering companies that have a lot of data, there’s a growing percentage of that data that’s being processed by third parties. So, this question of ‘where is my data?’ is now a concern of businesses worried about that entire ‘extended enterprise’.

Saville: The regulation is explicit. Companies need to understand what data is being held and what it’s being used for. A lot of companies are getting their head around their internal processes but they haven’t yet addressed the amount of data that is out there with third party processes.

Goldman: You cannot assess the GDPR compliance of a third party you don’t know about. Identifying all third parties is the first step in building a picture of the risk, though that can be extremely difficult when some businesses have more than 200,000 third parties. Opus has built a solution that our customers can use to ‘filter’ their third parties and to help them focus on the relationships that require real work in terms of GDPR.

What else are you doing at Opus in terms of best practices for ensuring GDPR compliance?

Saville: The Information Commissioner’s Office (ICO) has published a series of guidelines.

The ICO guidelines include security of processing, understanding the legal reason for processing, and the ability to provide individuals with information about their data.

Opus has taken that guidance and mapped it to the regulation. We have a questionnaire and when our clients’ third parties have completed that questionnaire our application will calculate their control effectiveness, and it will calculate the risk from a data privacy perspective.

Companies face big fines—a reported 4 percent of annual revenue if they are not compliant—what are the other consequences of non-compliance?

Saville: The big one is reputational risk. If you’re dealing with a company that has a very clear data policy notice, that is very open and transparent about what data it is collecting, or what it is going to use it for, you’re more likely to want to work with it. The whole premise of GDPR is to give a better consumer experience and to protect the individual.

The fact that the data protection officer now reports to the CEO of the company speaks volumes. The fact that you’ve got this massive potential fine is great ammunition for the data protection officer when talking and persuading their CEO when they’re designing new privacy systems within applications.

Data protection officers are now front and center in many organisations. That can only be a positive.

Goldman: Up until now, many companies had people deep in the bowels of their technology organisation—the ‘high priest’ of data who tended to manage millions of records about individuals. What GDPR and everything surrounding it has begun to do is to shine some light on those people and their efforts. Customers want to do business with companies that are going to care about their rights as a data subject. It will help companies create a responsible image, an added element to a company’s ratings.

What are the trends within regulation, data privacy and information security at the moment with the increasing introduction of technology and artificial intelligence (AI)? Is AI helping or hindering?

Goldman: It’s hard to consider that at the moment—it’s almost like the Wild West, we’re the pioneers. The role of AI in many processes is still very much up in the air. Machine learning, with all these new tools, is a vaguely defined area. The industry has so much data to process right now.

My intuition is that the regulators are not yet smart enough about this topic. AI is serving a role in a lot of processes. The one that is affecting our lives the most is fraud detection. It’s very visible, the industry has heavily applied AI to fraud detection.

Having said that, it’s a little early to know how AI is really going to affect things. People are really not yet that sure how these machine tools will affect compliance or non-compliance with the regulation.

Saville: Our data is being used without our knowledge. A recent article I read suggested that we are now waking up to how easily available our data is. The article was saying that we’re getting to a point in understanding how machines could potentially control our lives, and if we don’t wake up to that fact and regulate it to ensure safeguards, 50 years from now, we might not be having these conversations.

I’m excited that people are beginning to see this as an important topic—the new attitude is ‘all this information is dangerous, so let’s regulate it’. More regulation will mean more ethical uses of big data in the future.

What emerging trends and approaches are you currently seeing in the industry, especially looking forward to 2019?

Saville: What I am looking forward to is more standardisation. The ISO 27001 standard, for example, already covers some GDPR requirements. I would like to see a recognised certification for information security management that encompasses data privacy, and to see that certification used to show compliance with the regulation.

Having a common standard for data privacy would be fantastic. GDPR may be an initial instrument towards seeing that change.

Goldman: The goal of certification is to help to show that a corporation has achieved a cultural shift enabling them to think in the right ways. It is a necessary element to building compliance with any kind of regulation.

You need information security management programmes in place and certifications will show you have done the work.