June 4, 2021

GDPR is 3 – What have we learned?

Last week, the General Data Protection Regulation turned three years old. Think back to the weeks and days leading up to 25th May 2018: our inboxes were filled with emails asking us to read updated privacy policies, Sales and Marketing teams were in meltdown at the prospect of losing every contact in their databases, and the threat of fines of up to 4% of annual turnover dominated the headlines.

The 25th May came and went … and the world continued to turn. So, what’s happened since 2018?

To quote the Information Commissioner, ‘Privacy is a journey and not a destination’. Yes, there have been some headline-grabbing fines (Marriott, British Airways and Google, to name a few), but here at Risk Evolves we believe it is the activity behind the headlines that we as business owners should consider.

The world of data privacy is maturing, and it is now a Board agenda item that every organisation, regardless of size or sector, should prioritise. When working with clients, we have seen a change in behaviour at every level. For example, procurement questionnaires no longer ask only about information security; they now also assess the organisation’s ability and credentials to process personal information. We have seen a significant increase in Data Subjects (members of the public, job applicants, former and existing employees and so on) exercising their rights to access their data or to ask for it to be deleted. And we have seen organisations needing to certify to schemes such as Cyber Essentials or to international standards such as ISO 27001 and, more recently, ISO 27701.

We have seen a sharp increase in data breaches, whether accidental (e.g. someone sending an email to the wrong person) or deliberate. A very small number of breaches have been caused by employees taking data with them to new employers; many more are the consequence of a cyber-attack.

In April 2020, IBM reported a 14,000% increase in the number of phishing attacks against the organisation. The threat is constant and cannot be ignored.


Smaller organisations are being deliberately targeted by ever more resourceful criminals, with business email compromise, invoice fraud and ransomware the favourite tools of the trade. As a consequence, and with an increase in compensation claims from individuals who have been victims of data breaches, the cost of insurance has risen to reflect a hardening market, with Hiscox withdrawing completely from the cyber insurance market for the Education and Charity sectors.

Looking beyond the business environment, pressure groups such as NOYB have increased their focus on, and challenge to, the enforcement of the legislation, including, just this week, the first of 10,000 complaint letters being sent to organisations about the misuse of cookies on their websites.

Many of the changes and challenges we have supported customers with have been reactive to events: a procurement requirement, a cyber-attack, the receipt of a subject access request. But what about the proactive?

In a smaller percentage of organisations, we have seen recognition that data adds value to the business and therefore needs to be treated as a critical asset. They have recognised the importance of data hygiene: understanding what data they hold, how it is used and protected, and who it is shared with. They have the vision to realise that, when on the mergers and acquisitions trail, and wishing to learn the lessons of the Marriott breach, due diligence is required to ensure that the data they are acquiring is an asset and not a liability.

Data as an asset? According to a recent Forbes article, American Airlines and United Airlines both discovered that the value of their customer data exceeded the market value of the company itself. United’s customer data was valued at approximately $20bn, while the market value of the business was around $9bn. American had a similar experience, with data valued in excess of $20bn against a market value of around $8bn.


Despite the UK’s departure from the EU, the UK GDPR and the UK Data Protection Act remain in force, and with further changes expected later this year, we know that privacy rules will continue to evolve in the UK. Across the globe, we have seen changes in data protection legislation: Switzerland, India and Dubai all have new legislation, with more countries implementing changes in the coming few years. As new technologies such as IoT devices and Artificial Intelligence become ‘mainstream’, expect more focus on how data is captured and shared.

According to IBM, 90% of the world’s data has been created in the last two years. Data privacy is here to stay. For those companies who want to differentiate themselves in the market, now is the time to be leaders rather than followers in how their organisation collects, manages, stores, processes and shares data.

Need more help?

Whether you are a Data Controller, a Data Processor or both, the companion blog Who Does What in GDPR? will help you check that you are doing all you can to improve compliance and put your customers’ minds at rest.
