
Digital world ruled by analogue laws

In May the new EU General Data Protection Regulations, with businesses facing a fine of two per cent of turnover or €10 million, whichever is higher, for infringements of the code of practice

It may be 2017 and we may still be hurtling through the knowledge revolution, but when it comes to data, our digital lives are governed by analogue laws. That is until May 28th next year.

Few businesses exist without handling customer data in one shape or another. Oddly though, the relevant regulations predate the emergence of the cloud or even the smartphone. The poor old 1998 Data Protection Act was probably outdated before its ink even dried.

The new framework – the General Data Protection Regulations (GDPR) – is an EU initiative four years in the making. It’s been claimed that the new approach, which gives citizens more say over their personal data, will save EU businesses €2.3 billion a year. Businesses, however, have been more concerned about the new administrative burdens and the eye-watering penalties which may come crashing down on those who adopt a cavalier attitude towards customers’ personal data.

At present the Information Commissioner can impose a £500,000 fine on firms for a data breach. Under GDPR this will be up to two per cent of turnover or €10 million, whichever is higher, for infringements of the code of practice. If there’s an actual breach of personal data, the penalty is up to four per cent of turnover or €20 million, whichever is higher. That should be enough to focus any firm’s attention on compliance issues.

It’s hard not to look beyond the downside of new regulations – and I would urge anyone who hasn’t done so to check out the Information Commissioner’s 12-point plan on how to get GDPR-ready. Much more documentation is required, along with proactive consent from customers about how their data is used (no more pre-selected online tick boxes). You’ll need to explain the lawful basis on which you process data, be more transparent, and store information in a way which is easily portable to other organisations when the customer moves on.

Customers will also have the ‘right to be forgotten’, which means that firms will need processes in place to delete information on former customers. The definition of what constitutes personal data has also been expanded to include IP addresses and cookies.

On a personal level it’s hard to argue against the regulations – who wouldn’t want the right to know what information an organisation holds about them or to what purpose it is put? As a business owner, I’m less keen on the administrative burden or the enforcement process, but there are opportunities as well.

As the Information Commissioner, Elizabeth Denham, has said, this is a “carrot and stick” approach, but for businesses which embrace the new regime, she is surely right to also call GDPR a “real business benefit.”

Evidently, businesses which understand their customers and their market tend to be successful. Those that don’t will invariably fail and die – and corporate history is filled with examples.

For that reason firms should embrace GDPR. Not only will it help restore customer confidence in how companies use their information, it will also give business greater scope to tailor products for customers.

This is particularly relevant to insurance, which relies upon assessing risk; better data holds out the prospect of lower premiums for those who take steps to reduce their risk. Businesses (and customers) may be irked at the new administrative requirements, but GDPR is a long overdue overhaul of our data protection laws.

Michael Blaney is managing director of the Autoline Insurance Group (www.autoline.co.uk)