Like a monster storm pounding islands and coastal areas in hurricane season, a storm of another kind has been sweeping across the EU and beyond. It has spread chaos in its wake, as companies have raced against time to prepare for the General Data Protection Regulation (GDPR), attempting to ensure GDPR compliance before the deadline.
The GDPR legislation was developed over years of proposals, provisions, and approvals, with final adoption by the EU in 2016. Now, in 2018, GDPR has come into force with a bang. As with any calamity of this magnitude, there are those who saw it coming and were ignored and ridiculed. There were those who were presented with the facts of the GDPR regulation but chose to put their heads in the sand, and there were those who recognised the danger and took steps to prepare for the worst. There were also many more who simply took notice too late, not fully appreciating the full impact of ‘Storm GDPR’. Now, these businesses may be faced with large GDPR fines as a result.
What is Storm GDPR?
GDPR legislation fundamentally changes the rules of how a business engages with, interacts with, processes, transfers and stores personally identifiable information or data. The GDPR data protection regulation changes the balance of power, taking it from commercially-driven ‘big business’ and giving it back to the individual. Businesses can no longer target customers with online attention, marketing materials or sales calls unless those customers have freely and unambiguously given them permission to do so. Businesses are now required to have the right legal basis; be transparent about what personal data they process, transfer or hold; be able to provide personal data upon request; and report any data breaches within a 72-hour period to the local regulator.
What do 2018 GDPR changes mean for middle market businesses?
The force of Storm GDPR may feel like a burden; however, it is an opportunity to reimagine business models for a data-driven age. The GDPR’s principle of ‘data privacy by design’ is a challenge to businesses to leave behind models that rely on the blanket collection of data in search of new, more targeted approaches. With the correct GDPR training, many businesses can see GDPR legislation as a positive.
The rewards of getting compliance right are significant and lucrative, including reduced reputational risk, lower operational costs and greater protection from cybercrime. It is also an opportunity for middle market businesses to strengthen the way they and their customers interact with one another. After all, no one likes to feel that their privacy is at risk or that their details are being exploited for unwanted marketing emails. In this way, GDPR could have a positive and cleansing effect on businesses and consumers alike if responded to as an opportunity, making future engagements more meaningful.
Tracking Storm GDPR
Over the last year, RSM surveyed over 750 middle market businesses, both inside and outside of the EU, to assess the key issues facing the middle market and to look at how companies planned to navigate their way through the eye of the storm. We surveyed five different geographical regions, including North America, Europe, Africa and Middle East, Asia Pacific and Latin America, and asked them three fundamental questions:
- Where are you on the road to GDPR compliance?
- What would you expect to be your biggest hurdle for GDPR compliance?
- Where has your organisation performed a risk assessment?
The survey results
What was clear from our series of surveys was that businesses all over the world were exhibiting apathy, confusion and often panic, with many wary of GDPR fines. As Storm GDPR approached, some of the key findings were:
- 71% of US businesses were not sure if the GDPR applied to them
- Nearly half (48%) of all European businesses had not done any form of privacy risk assessment
- Only 25% of African/Middle Eastern companies had recognised the need to prepare for the GDPR
- Only 11% of Asia Pacific businesses had begun initiatives towards GDPR compliance
- Only 18% of Latin American businesses had initiated projects towards becoming compliant with GDPR.
As we assessed the survey responses, we asked some of our international experts about the journey they have taken clients over the last year, and discussed the key issues that businesses are facing now that Storm GDPR has hit their regions.
The impact of GDPR legislation
Storm GDPR has impacted businesses across all regions of the world, and by no means does the middle market have everything in place to respond to this new privacy challenge. The long-term effects of Storm GDPR are yet to become clear. What we do not know is how this legislation will be enforced legally and what the consequences of any breach will be. We’re also unaware of the scale of any potential GDPR fines for these breaches. GDPR may be a universal law for the European Union, but that doesn’t mean it will be applied equally, and approaches to enforcement may vary significantly across 28 different European countries. Precedents are yet to be set.
It will also be interesting to see if the legislation genuinely yields the positive benefits to consumers in terms of data protection that were intended or if, in practice, the legislation merely creates a heavier compliance and governance burden on business. Only time will tell if it will have real impact on the ground and exactly what that impact will be.
For more information on the GDPR legislation, and advice on any relevant GDPR training, please contact us.