While the UK frets about Brexit, the rest of the EU has turned its attention of GDPR – General Data Protection Regulation – and what it means for the digital business world that has build itself on, well, data. Paul Skeldon finds out what GDPR is and what it means for the industry
Data, it has long been said, is the new oil. In the digital age, most businesses, merchants and brands function because they have invested a vast amount of money in collecting user data. But, while that was a key strategy for building business, it could all come crashing down in the next 12 months.
Why? Because of the forthcoming General Data Protection Regulation (GDPR) – and the UK’s equivalent, post Brexit – could force many of them to delete vast swathes of it.
The basic premise of the GDPR is to make it more transparent for consumers to see what data a company has on them, as well as introducing a new fines regime for those that breach it. The idea is to protect consumers from brands that may misuse their data, but also to help them manage how the data that they may allow to be stored is actually put to use.
If you are wondering if you will be impacted by the new legislation which comes into force on 25 May 2018, ask yourself if you are already subject to the existing 1995 Data Protection Act. If you are, the GDPR will impact you.
The question, of course, is how?
Elizabeth Denham, the UK’s information commissioner, who is in charge of data protection enforcement, says she is frustrated by the amount of “scaremongering” around the potential impact for businesses. “The GDPR is a step change for data protection,” she says. “It’s still an evolution, not a revolution”. She adds that for businesses and organisations already complying with existing data protection laws the new regulation is only a “step change”.
GDPR will not only require companies to pull together data so consumers can easily see what data about them is stored and where, but it will also give consumers greater access to the data. At present a Subject Access Request (SAR) allows the brand or data ‘owner’ to charge consumers £10 to access the data. This is being scrapped.
Under GDPR, when someone asks a business for their data, they must stump up the information within one month. Everyone will have the right to get confirmation that an organisation has information about them, access to this information and any other supplementary information.
Brace for impact
And it will have an impact. A study by OnePoll in the UK found that almost half of UK consumers plan to exercise their new rights over their data when GDPR comes into force. It questioned 2,000 UK consumers between May 24 and 26 2017, and found that 48% planned to wield their new rights over personal data. A third (33%) said they would exercise the right to have their data removed by retailers, while 33% would ask retailers and brands to stop using their data for marketing purposes.
Almost one in five (17%) said they would challenge automated decisions made by retailers and 24% said they would access the data that retail companies hold about them.
And this is the challenge: “The problem is that GDPR demands in effect a single view of all customer information – and that means pulling together data from multiple diverse systems, a task deemed too expensive and too complicated to be justified only for a compliance exercise,” says Peter Ruffley, Chairman at Zizo.
But Ruffley sees it as a massive opportunity for businesses, rather than a disaster. “This single view is something that retailers have been demanding for years; a trusted, accurate information resource that could and should underpin digital transformation initiatives. So why shy away from this opportunity? GDPR is about data – and that data is owned by the business. With the right approach, GDPR can actually unlock the door to vital digital transformation projects and define corporate strategy.”
There is another upside too, stresses Purple Wifi’s Gavin Wheeldon. One of GDPR’s headline rulings, the introduction of ‘unambiguous consent’ before users’ personal or behavioural data can be used for marketing purposes, should be something that makes things clearer and better for consumers and gets rid of many of the scams that blight industries such as telemedia – and, he says, should be implemented across the industry now rather than waiting for 2018.
Demonstrating how important this is – and throwing a whole new light on Ts&Cs and the need to protect consumers, Purple conducted an experiment. It added in a clause to its wi-fi Ts&Cs that would require users to, at Purple’s discretion, clean portaloos at local events, paint snail shells, remove animal waste, and hug stray cats and dogs – and 20,000 people still signed up.
The company says the results highlight the importance of GDPR in bringing fairness and trust to the digital economy. Chief executive Gavin Wheeldon said: “WiFi users need to read terms when they sign up to access a network. What are they agreeing to, how much data are they sharing, and what license are they giving to providers? Our experiment shows it’s all too easy to tick a box and consent to something unfair.”
For further information
See the GDPR session in the Spotlight Sessions at World Telemedia Marbella 9-11 October