The businesses most likely to be affected by GDPR, and how to minimise risk
23rd March 2018
General Data Protection Regulations, or GDPR: it’s a big deal. In short, they are legal guidelines replacing the data protection act, introducing new requirements for businesses holding data.
Some industries will be more affected than others, so knowing how to adequately protect, process and store data is essential.
The implications of a data breach are severe and are likely to be punished by hefty fines. These can be crippling – sometimes as much as £20m or 4% of global turnover. There are also mandatory breach notifications, where companies are required to inform the Information Commissioner’s Office within 72 hours in the event of a data breach.
Any information which can lead to the identification of an individual is data, which means that anything from an email address on a mailing list to surveillance footage from security cameras falling under the remit of GDPR.
As such, a lot of businesses are rethinking their approach to data handling – how they collect it (i.e. with full consent), how they store it and when they should dispose of it. What all businesses are learning is that data is as useful as it is dangerous, so if you want to keep benefitting from holding customer data, following the new guidelines are paramount.
Read on to find out which industries will be most affected by GDPR, and how to minimise your risk.
Finance, healthcare and insurance
Businesses across the financial, healthcare and insurance sectors hold vast amounts of data on individual customers, and GDPR represents an interesting challenge in many respects.
While there is substantial risk associated with holding these amounts of data, there is also great opportunity for businesses to build trust and transparency with customers, particularly in what has traditionally been an opaque financial sector.
According to PwC, the shift to GDPR gives businesses the opportunity to realise this potential. It’s important to work from solid foundations, however. PwC has outlined some of the most important steps that businesses have taken to prepare:
“Data protection is starting to become a market differentiator. Customers expect to be able to trust the organisations they share their personal data with to manage it appropriately. Transparency between (businesses) and customers is key.” – PwC
For businesses where the data held is so inherently personal, the topical opportunity to communicate with customers and tell them exactly how you are using what you are collecting, and more importantly, how you are safeguarding it, is a solid way to build positive repute in your industry.
Knowing where your data is, and minimising data – collecting, storing and using only what you need – are crucial steps in reducing risk and building customer trust.
The way that technology is integrated into business means that significant overhaul may be required, in terms of IT infrastructure and data management, particularly for those working in software and development.
Tech start-ups and other businesses in the sector will need to consider more robust methods of data storage and protection, particularly given that the industry publication, Computer Weekly, reported that 71% of tech start-ups did not correctly encrypt collected data.
The same report cites that 53% of tech businesses contact customers or store their data without consent or correct permissions.
Building your systems so they are totally transparent about collecting consent is an important step in getting ready for the introduction of the new regulation. Correctly storing customer data by encryption or in password-protected folders is, needless to add, vital for peace of mind when storing high quantifies of data, particularly if it is likely to be a target for online attacks.
The retail industry faces some challenges, particularly around the use of CCTV cameras. Footage in which individuals are identifiable is considered data under GDPR, and so the use of CCTV must be considered and reviewed where appropriate (see here for the ICO’s guidance on CCTV).
The amount of data retailers hold is extensive; customer contact details, purchase history, loyalty card use, and so on – could all conceivably be used to identify individuals.
The challenge here is two-fold: firstly, ensuring that consent is given in each instance of data capture, and secondly, the anonymization of that data if it used for things such as customer profiling.
If you are emailing marketing information to customers, you may need to check if they consented to receive this. If they never actively opted in to receiving marketing materials, you will have to request that consent before continuing. Meanwhile, adopting processes such as ‘pseudonymisation’ may help you to continue using data for customer profiling purposes without breaching guidelines.
This data is vast, but similarly to the financial sector, GDPR has been hailed as an opportunity for retailers. Data minimisation and streamlining present the opportunity to improve efficiency in several areas across the business. The work may be arduous to start with, but the returns will be long-term.
In this sector, data analysis has given manufacturers new insights and enabled them to improve supply chains. Access to so much data also means improved procedures to ensure GDPR compliance – particularly if your manufacturing company operates internationally.
The regulation is so extensive that companies which operate outside of the EU also need to meet its requirements. This extends to the exchange of goods between companies outside of the EU with customers in the EU.
While GDPR is a European directive, it is causing waves even in America, where 92% of US companies have committed to spending $1m or more to ensure compliance, according to PwC.
As such, the industry will face compliance challenges regardless of where they are based. Preparation is key to avoiding fines – it applies just as much to contractors and suppliers as it does to individual consumers, so be vigilant.
A report in the industry publication Hotel Owner found that even in early 2018, a third of small businesses were not ready for the introduction of GDPR. In the hospitality sector, this number dropped to just 9% of businesses feeling prepared for the new regulation.
While most businesses are unprepared, some have gone to extraordinary lengths to minimise the risk associated with holding data. Pub company J.D Wetherspoon deleted all customer email addresses which were used for marketing and communication purposes due to not having 100% confidence in the consent gained while gathering addresses.
From a risk management perspective, it’s an extreme (and extremely effective) measure which demonstrates that it isn’t always necessary to hold data, but it’s not one that all businesses should imitate.
Instead, a comprehensive strategy should be the focus. Identify how much data you hold, outline why you want to collect data and make it clear to customers what their rights are when it comes to requesting the removal or erasure of their data.
Measures you can take to improve data handling
Ultimately, GDPR will affect all business which hold data, regardless of industry. You should ensure that the protections you have in place are adequate. Keeping your data protected and in good health is important.
Ensure your procedures and practices are appropriate and adequate. Making sure that you’re on top of compliance across all departments is important, as is staying vigilant.
Audit frequently, cleanse where appropriate, and gain the relevant permissions when it comes to contacting people to ensure proper data integrity. Try to see the upcoming changes as an opportunity to improve rather than an obstacle to the way you currently operate.
For more information and resources on the upcoming changes to data protection law, please see the website of the Information Commissioner’s Office.