Spencer Montagu

It’s been eight months since the EU’s General Data Protection Regulation came into enforcement. This data privacy monster shook not only organisations in EU member states but also those in countries around the world who collect and process EU citizens’ personal data.

Businesses of all shapes and sizes scrambled to gain some semblance of compliance before May 26th 2018 turned over, to prove that boxes had been ticked and have something to show customers and auditors in order to defend against the potentially massive fines which featured so much in the GDPR discussion regarding data breaches.

Was this your company’s response?

If so, 2019 needs to be the year that you go deeper with data protection design. Likewise, if you’ve yet to even get started with GDPR compliance, it’s time to get moving.

Obvious compliance

A lot of companies went for the minimum, visible compliance. GDPR disclaimers in emails, website cookie notifications, data privacy preference centre pop-ups, and the like, shouted a business’s consideration of people’s consent. Some went further with database clean-ups for good measure to get rid any information that could be considered a violation.

Then with these things out of the way, it was largely back to business as usual. It seemed like that was enough. However, while doing the bare minimum to begin with was perhaps a viable strategy in terms of cost and efficiency, it is fast become an unsustainable, and risky, approach to managing personal data in a business.

Things are changing.

Slow beginnings

Where were all the massive fines we were expecting to hit headlines? Why haven’t we seen companies get hit by the full €20 million or 4% of global revenue demand yet?

2018 was all about implementation. Harmonisation with national laws as well as agreement on what constitutes acceptable industry standards for compliance are still making progress. Many questions still remain unanswered with regards to legal interpretations.

Simply, with the scope of GDPR being so pervasive, the number of individuals it protects being so vast, and given how many companies there are in the world dealing with EU citizens’ data, enforcement has been slow to start because of scale, lack of clarification and anticipation of precedent. As a result, there have been few cases making it to court based solely on GDPR violation.

Businesses could be forgiven for being complacent so far. On the surface, things appear relatively calm compared to the kind of threat that was promised by content everywhere on the run up to the May 2018 deadline.

Yet beneath the surface, things are beginning to bubble.

Rising complaints, ongoing investigations and growing awareness

The truth is, complaints about data privacy breaches have increased since GDPR came into force. In the UK alone, the rate more than doubled. People are becoming far more aware of their personal data rights, the practices of brands and organisations, and the seriousness of cyber attacks.

Big publicity scandals such as the Facebook/Cambridge Analytica story did impact upon people, even if the punishment for their transgressions have so far been paltry. Facebook’s reputation took a serious hit and continues to be hit by revelations, spurring a great deal of digital enlightenment in the general public and harder questioning of who has their data and what it’s being used for.

Likewise, large scale hacks draw headlines and panic as T-Mobile, Superdrug, Ticketmaster and British Airways found out last year. People want assurances that those who have their data are taking the utmost care of it.

Serious enforcement of GDPR will be the next shockwave for businesses and their level of compliance measures. With this in mind, it’s worth remembering that there are several big investigations still underway, including the Information Commissioner’s Office enquiry into Marriott. With over $915m on the line, the results of this multi-national investigation could be the precedent that wakes up businesses if a fine is fully enforced.

Widen interpretation and plug your leaks

2019 looks set to be different with regards to data protection. The grace period is coming to an end and resources for data protection governance are mushrooming. This means things are getting serious and not just for the giants.

If you’ve followed the crowd with a thin level of compliance with GDPR, or you think your business could do with a more thorough review of data management after getting by on anonymity, we recommend broadening your level of privacy design and get a review underway.

At Bluprint, our work with global brands on their data management technology and practices has taught us where to look for potential data breaches that often slip by unnoticed and how best to tackle them.

Here are two classic examples of data leaks to watch out for:

  • Vicarious Personal Data collection - When it comes to Personal Data, collection and processing can only take place when you’ve been given explicit consent. Issues arise when the data in your collection fields actually fits the criteria for what are now referred to as ‘special categories’. In these categories, it’s important to think about what the data can reflect in terms of things like health or sex life, political opinions, genetic data, or religious and philosophical beliefs, and more. Personal Data can slip through consent procedures without you realising. For example, collecting data about dietary requirements could not only fall under data concerning health, but could also contribute towards information about racial and religious categories in some cases.
  • Overlooked data processors - Another important leak you need to actively look for is any instance where Personal Data is being processed by another party. Suppliers, agencies, software vendors and even seemingly small apps all need to be tracked down and mapped out if they are processing your EU citizen data. It’s especially vital if any of these processors fall outside the EU and therefore may not be as stringent with their compliance. In the end, it is your responsibility to control who is doing what with the data individuals have consented to give you. You may be surprised when you find out just how many parties are coming into contact with it and how they’re using what you give them.

Check your data management health

Concerned about the state of your GDPR compliance levels? It’s time to get serious. Speak to us about a full review and together we’ll plug the leaks that could risk sinking your business.

Contact us at: