Dixons Carphone has just admitted a huge data breach involving 1.2 million personal data records. Yahoo UK was fined £250,000 by the ICO for a 2014 breach. In recent years we’ve seen other major data hacks – and in some cases, major fines from the regulators – involving household names such as TalkTalk, Equifax and Uber.
All this, remember, was before GDPR came into force. The fines for a data breach now could easily reach into the millions of pounds. And perhaps more importantly, each new news story about these breaches thrusts the issue further into the spotlight, and means more people become aware of the potential for disaster.
As a result, there is no doubt that in a post-GDPR world the general public are going to be more privacy-savvy than ever before. Under the regulations, consumers have the right to access the personal data that companies hold on them and can make those subject access requests either verbally or in writing. And, of course, they also have the right to have that data amended if it is incorrect, or even erased entirely.
Currently, as with a lot of GDPR rules, public awareness and understanding of the rights individuals are entitled to is fairly low. But, thanks to the increasing noise around data security, that will not always be the case.
Businesses are going to have to brace themselves for a rapidly growing volume of access requests. In the event of a data breach, they have 72 hours to report it to the ICO and it will become known to the general populace shortly afterwards. Once people are more aware of their rights, just imagine the tsunami of requests for access – and requests for erasure – that a major telecoms or banking company would receive in the hours and days following a breach.
What is likely to happen is that the market will start driving standards of data security and privacy. Businesses will need rigorous processes in place not just to handle the occasional access request, but the flood of enquiries they’ll receive after a data breach.
If they don’t, they will simply compound the appalling publicity of the breach with equally awful publicity about how they handled their customers afterwards. Trust is going to be one of the foremost currencies of businesses in the 21st Century, and those that fail this test will not be long for the world.
The company-customer relationship is going to transform in the wake of these new regulations. How organisations manage access and other rights is an opportunity to strengthen employee and customer lifecycle management, rather than just a compliance obligation.
In fact, privacy should be viewed as an opportunity to build trust and successfully compete for personal data, rather than simply as a way of avoiding a fine. The regulation in this area represents nothing more than the minimum standard to operate.
What’s increasingly evident is that GDPR is more than compliance – it is a real opportunity to drive ROI, but only when managed correctly. To find out more, please contact us at +44 (0)20 3582 5055.