The EU’s General Data Protection Regulation (GDPR) is just under one year away and expands the rights of EU citizens around privacy and the protection of personal data.
Among other things, it requires that companies maintain adequate data records, disclose data breaches and increase opt-out options. Heavy fines are on the table for companies that do not comply.
We asked MEF members and experts from the wider mobile, legal and data industries to give us their thoughts on GDPR readiness: are companies ready, which platforms can help, and is there an opportunity for businesses to get closer to consumers?
Here’s what they said…
Rob Malcolm, VP of Market, CLX Communications
In mobile communications, personal data inhabits a complex value chain that includes network operators, aggregators of services and their customers. Mobile marketers, banks, brands, even governments, all have a relationship with personal data.
Our larger customers have already started to include terms and conditions in their contracts to cover GDPR requirements. One of the requirements is that the controller (our customer) will require a binding obligation from the processor (us and our sub-suppliers) to fulfil certain issues.
As a consequence, Tier 1 providers (like CLX) who primarily use MNOs as sub-suppliers will find it easier to comply with GDPR. Moreover, global mobile service providers like CLX have previously embraced privacy and regulation, albeit fragmented at the country level. It has long since been a business fundamental.
The key question is whether GDPR compliance will:
- drive all SMS companies to seek Tier 1 connections.
- drive all enterprises to only work with Tier 1 providers.
Given the substantial fines of 20M Euro or 4 per cent of global turnover, our customers’ appetite for risk is likely to be low. The other question is whether MNOs are ready for GDPR.
Tristan Nitot, Chief Product Officer, Cozy Cloud
With its data portability clause, GDPR is a game changer, as companies will have to allow customers to take their data with them as they move to the competition. Let’s see how this challenge can become a business opportunity by leveraging the personal cloud approach.
Step one is to provide to all customers a personal cloud (like Cozy’s) where individuals will be able to store their personal data.
Step two is to build an application that will run on individuals’ personal clouds. This way, it’s still possible to leverage their personal data, while combining it with data coming from other sources, enabling companies to build more personalized services based on more data than was available before. As apps can access data but cannot send it back to companies, consumers also benefit from this approach by enjoying more privacy.
With this approach, instead of becoming casualties of the data portability, companies can be more innovative, while user privacy is protected.
A few years from now, GDPR’s data portability will be considered a boon by companies that have been smart enough to embrace the personal cloud approach.
Thomas Wind, Product Innovation, Vice President Business Development, Deutsche Telekom AG
Since privacy is turning more and more into a competitive advantage, we are witnessing, with the concept of a user-centric personal data economy, the emergence of a new market with different types of business models, in which no dominant player has emerged thus far.
Research clearly shows that internet users are highly interested in protecting their privacy. They are willing to share their data if they have transparency and control in a trusted environment, if the service is convenient and if the benefits are appropriate. Enterprises, of course, understand that personal data is most valuable when it is accurate, in context and has the owner’s consent and intentions.
Rather than looking at GDPR as an obstacle, in my perception many businesses across almost all industries have started to seize the opportunity offered by the new regulation.
There is a direct correlation between awareness of GDPR and the willingness to take the chance to innovate beyond compliance – exciting times with amazing opportunities!
Timo Laaksonen, Head of Operator Sales, North America President, F-Secure Inc.
Is Your Business Personal Data Centric? This is the question companies should be asking themselves right now. Here are a few points companies need to focus on when preparing for GDPR:
Enterprise Architects play a key role – Preparing for GDPR will mean changing the way personal data is handled. Involving Enterprise Architects as drivers of a GDPR-compliance project will ensure the new processes and structures are reliable, sustainable and cost effective, as well as compliant with GDPR.
Security postures need to address privacy needs of individuals – A key goal of GDPR is to protect personal data. The idea of protecting personal data can drive both architectural and security work. Accomplishing both of these will allow companies to manage the various risks that come with mismanaging personal data as well as data breaches.
Incident detection and response capabilities – Detection and response capabilities along with basic network hardening play an important role in security postures. Being able to detect breaches in your perimeter, and managing the damage attackers can cause, are necessary to comply with GDPR. More importantly, detection and response capabilities are key for managing security incidents like data breaches. Prioritizing security measures that prevent breaches from occurring makes sense.
Be ready for when things go wrong – Here are a few suggestions for ongoing processes you can implement to make sure you’re ready for when things go wrong:
- Periodic Red Teaming
- A regular review of your incident response plan. Companies will only have 72 hours to report a breach once it’s discovered.
- Crisis management exercises should be a regular occurrence.
Compliance is an ongoing process – GDPR compliance is often referred to as something you do once and then it’s over. That’s a mentality that treats GDPR as an expense rather than an opportunity. That mindset will undermine the benefits that GDPR offers.
Katryna Dow, Founder & CEO, Meeco
Pending European regulations, such as GDPR, ePrivacy and PSD2 could enable significant opportunities for business transformation and better customer outcomes. However new opportunities also mean new challenges.
Existing value chains are rapidly evolving to include organisations, people and things. As a result, more and more personal data is generated, presenting privacy and regulatory challenges.
Now more than ever, organisations require portfolio thinking and multi-disciplinary teams to design lasting value. A compliance approach will deliver a solution to only half of the problem.
So, what’s required to create new economic and societal value? At Meeco, we have observed three distinct eco-systems emerging that both enable and depend on the participants served:
- Enterprise networks, linking customers across products and services together with orchestrating adjacent services that result in better customer experience
- Walled-gardens like Apple, Google, Amazon & Tesla that create great value within their respective service offerings but lock value to the silo
- Open networks that link horizontally enabling customers to participate across enterprise networks and walled gardens, providing the crucial link via permissioned data.
The key to enabling these networks will be the ways in which personal data can be accessed and used. The networks that provide transparency and enable explicit contextual consent, and design for privacy will ultimately create the most value.
Danny Preiskel, Senior Partner, Preiskel & Co LLP
GDPR will drastically change the ways in which businesses control and process data capable of identifying European based individuals. This will impact directly on anyone doing business in Europe (including a post-Brexit UK!) wherever in the world the business is based.
It comes into force on 25 May 2018 and, with just under one year to go, what should businesses be thinking about? In fact there is much to consider; this blog focuses just on the tip of the GDPR iceberg that now needs to be on all of our radar screens.
Businesses should be engaged with heads of information security and legal to prepare a GDPR strategy. I would recommend right away carrying out an assessment of how PII (personally identifiable information) is being processed and updating legal agreements to be GDPR ready.
The assessment should consider whether a formal Privacy Impact Assessment (PIA) is required, the extent of any encryption and anonymization requirements and whether a Data Protection Officer need be appointed.
You should note that individuals are significantly empowered under the GDPR, presenting a number of new challenges to business, including a requirement to demonstrate users’ explicit consent. Individuals also have a right to data portability (which sounds easier than it is in practice), whilst “privacy by design” and “privacy by default” must be built into information systems and applications. Regular assessment of a company’s data protection regime will also be essential to ensure continuing compliance.
On a compliance note, with fines for non-compliance of up to 4% of turnover (albeit limited to a mere €20m), a “business as usual” approach would be foolhardy.
Stuart Lacey, Founder & CEO, Trunomi
GDPR and the potential fines of 4% of global turnover begin in less than a year. However, research indicates that many organizations are behind schedule for compliance. According to a DMA survey, B2B marketers are the least prepared, and the biggest change they’re worried about is consent. Under GDPR individual data rights are strengthened, with consent and transparency as the cornerstone of the customer relationship.
By enabling consumers to withhold and withdraw their consent, GDPR puts a high price on consumer trust. Organizations must review how they seek, obtain and record consent and ensure customers know exactly what they are consenting to and give an affirmative action – silence, inactivity or pre-ticked boxes will not constitute consent.
Marketers are particularly concerned about what these new requirements will mean for their organizations – specifically losing access to customer data. My advice? Don’t fear engaging the customer and use GDPR as an opportunity to engage in a trusted, transparent relationship built on two-way flows of permissioned data.
In this digital age, data is the fuel that powers businesses, and technology companies should be involved in every stage of the process. Active consented data is more powerful than inactive, stale-dated data, and businesses that embrace technology to solve GDPR, above and beyond ticking boxes, will win over those who don’t.
Jim Conning, MD, Royal Mail Data Services
Right now, the biggest challenge for GDPR compliance is time. According to our study of organisations’ data strategy, 58 per cent have concerns about whether their customer data will comply with the new regulation, and nearly half either have no plans to or do not know whether they will seek fresh permission from their customers. So our message to any business in doubt is to act now.
While GDPR changes the rules around consent, there is still time to put the proper permissioning strategies in place before the deadline. Customer data captured without a GDPR-compliant privacy statement doesn’t necessarily have to be discarded. Businesses can set up systems to automatically contact those individuals again to request appropriate consent, thereby repermissioning customer data for future use.
Ultimately, permissioned data is going to drive effective customer engagement. As the number of channels expands, making sure every communication is welcomed by the customer is the only way to build trust and loyalty.
Dr Elizabeth Maxwell, PDP, Technical Director, EMEA, Compuware
With just 12 months to go, organisations across Europe are making steady progress towards GDPR compliance, but it just isn’t happening fast enough; especially here in the UK. Research recently found that less than one in five UK organisations have a detailed plan in place for how they will comply with GDPR – putting it in last place, and a long way behind the global average of 38 per cent.
To prepare effectively, organisations must improve their data governance capabilities across all platforms—especially on the mainframe, since that is where the majority of customer data resides. That might seem like a burden, but as well as supporting compliance with GDPR, modernised approaches can help to reduce the man-hours needed to handle data collection and management, leaving IT teams free to concentrate on analytics and innovation; creating a win-win scenario for both organisations and their customers.
Adrian Davis, Managing Director EMEA, (ISC)2
Continuing failure to understand and handle consumer data in a transparent and trustworthy fashion could lead to consumers withholding or falsifying personal information online, undermining the validity of the data fuelling the digital economy.
As GDPR compels companies to disclose customer data breaches, we will also see consumers increasingly falsifying the personal details they share online. This will consequently undermine the integrity of a data-driven economy.
Companies will have to assess how valuable each type of information is to their business and whether it justifies the extra time and money needed to manage it responsibly as defined by GDPR. Crucially, data privacy will have to be embedded into the DNA of every department and division handling personal information which, in a digital economy, will mean almost every area of the business.
This will require organisations to invest in ‘data protection by design’ where data privacy becomes central to everything from procurement and product design to mergers and acquisitions.
Adrian Barrett, CEO and founder of Exonar
The first thing to say is that the telecoms sector is well versed in dealing with legislation, but what they won’t be used to is the extraordinary data mining that GDPR demands. It moves them into strategic AI technology sooner than they had expected, at least at such scale and accuracy.
The GDPR can be neatly summarised as a change of data ownership. Today, if a business collects data on us, they own it to use however they wish. After May 2018, personal data will remain under the ownership of the individual.
The real crux is that businesses have to know where the data is. That’s the onerous part – building a picture of data that’s live, archived and forgotten. The AI technology exists, but it’s knowing how to apply it to your organisation, at scale, and combine it with policy and process review.
Christian Mancier, partner in corporate law and data protection specialist, Gorvins Solicitors
Whilst cyber-attacks resulting in data breaches dominate headlines, the majority of data breaches occur due to human error, commonly as a result of employees simply doing something they should not be doing.
Therefore, staff training and the recording and monitoring of staff training will be a vital aspect of evidencing that your organisation is complying with GDPR.
Employees have to understand the risks to the organisation (both financial and reputation) as well as the risk to themselves (potential disciplinary issues or dismissal) if a data breach were to ruin an organisation’s business.
All training needs to be specific to the organisation concerned, so employees can relate the policies and procedures an organisation has in place around GDPR compliance to their day to day roles.
The more advanced an organisation is along the road to GDPR compliance the lower the risk of breaches occurring once the GDPR rules come into play.
Cigdem Sengul, senior researcher at Nominet UK
With GDPR coming into effect in less than a year, we’ve now reached a critical point for businesses to make the necessary changes. This deadline is particularly important for SMEs and startups that aim to collect large amounts of personal data for disruptive applications. While the regulations provide some leeway to SMEs for assigning a data protection officer, or in their record keeping activities, this is only true if the processing is not likely to risk the rights and freedoms of the data subjects, or the processing is not the core activity of the business.
Given IoT has been a major driver for innovation within the tech sector recently, we expect that GDPR will be a serious stumbling block for IoT SMEs and startups. Most IoT applications use personal data to learn our preferences and make our lives easier. Things get even more complicated when some of this personal data is collected as collateral, such as a security camera filming in a public place. Incorporating user consent into such systems will be a complex and lengthy process.
These challenges will only grow with the evolution and added complexities of IoT. IoT businesses urgently need solutions that rely on strong security practices and build on privacy-by-design to meet the GDPR requirements, but most importantly, to gain the trust of their consumers.
The latest Consumer Trust eBulletin takes an in-depth look at the business models, regulatory landscape and market drivers that are shaping mobile business through the lens of Consumer Trust.
The eBulletin includes discussion on maintaining a healthy Internet from Chris Riley, head of public policy at Mozilla, a look at the influence of the forthcoming GDPR from senior security & risk analyst Chris Sherman at Forrester as well as a guide to global regulation, market forecasts and much more.