Part I: Speeding Cars: How to Stop Driving Above the GDPR Speed Limit

With the introduction of the GDPR, the rules of the data privacy road suddenly and significantly changed. Almost overnight, organisations had to consciously think about their proposed collection and use of data, how it could affect their customers, and whether it was lawful and ethical. They also had to consider whether this data collection and use should be done at all. The problem is that many companies got so used to processing data however they wanted that they are now having trouble slowing down. Most companies are driving just above the speed limit when it comes to data protection and privacy: they aren’t going twice as fast as they should be, but they’re not exactly following the rules properly either.

What’s more, when everyone else is driving fast, we tend to think that we can blend in, and that we can’t be or won’t get caught. The core psychological concept behind this is the theory of deindividuation: in groups we become less aware of our own behaviour, or less critical of ourselves (even if our behaviour is wrong), because we don’t think we can be personally identified. It’s hard to be self-aware and self-critical when you have a false sense of security. This feeling lasts until the speed camera goes off, and then you are subject to the full exposure and GDPR penalties that come with your mistakes, which can in many cases be significant, not just financially but also in terms of potential reputational damage.

The challenge that faces the organisation is: How do we unlock data potential to engage in digital transformation and innovation if we cannot collect, share and repurpose the data that will fuel it?


THE CURRENT STATE OF PLAY

Companies in AdTech, marketing, financial services and other sectors have mostly settled for what exists now in terms of data protection. Either they:

  • Anonymise data in the hope of taking it outside the scope of the GDPR, losing valuable data utility in the process.
  • Delete the data because it becomes too hard to use.
  • Continue to use the data, knowing or suspecting that their behaviour is not GDPR-compliant.

The third category is what we need to consider: how are organisations acting when they know that they cannot or do not want to comply with regulation? In addition, if they want to comply but they see it as too difficult, how can they get there? If there seems to be no real oversight, why should companies change?

While there are Data Protection Authorities (DPAs) tasked with enforcing compliance in each jurisdiction, it is hard to reconcile country-by-country approaches with the overall rules in the GDPR. The purpose of the in-country DPAs is to act as independent authorities that provide advice and guidance on compliance, promote public awareness, provide information to data subjects, and handle complaints. Their stated purpose under the GDPR is to “protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data.” The rate of fines imposed by these DPAs in each country rapidly ramped up throughout 2019, indicating that they will begin “cracking the whip” a bit more when it comes to GDPR enforcement.

However, some of the reasons why businesses and organisations struggle with compliance are:

  • Anonymisation is difficult to carry out, and even businesses that are trying to do the right thing are failing in some cases. This leaves them subject to GDPR rules, even though they think they have stepped outside the regulatory framework.
  • Many companies have collected huge amounts of data that would give them a competitive advantage, and they are hesitant to lose this.
  • Use of Big Data analytics, AI and ML is now widespread, and provides significant benefits for organisations.
  • Industry practices are slow to change, and companies do not want to be the only ones following the rules if it means that they lose revenue or competitive advantage because of it.
  • There is not enough coherent or clear guidance across the EU (and sometimes guidance varies country-by-country) on how companies can lawfully use data.
  • Even if a company wants to comply, in some cases it vastly underestimates how long it takes to establish robust and effective organisational policies and procedures.
  • The GDPR is just hard: many organisations don’t know that their compliance efforts are not good enough.


CATCHING SPEEDING CARS

Many organisations have continued with business-as-usual, but have not considered that at some point a greater GDPR crackdown will apply to them.

However, when “speed cameras” have been switched off for so long (inadequate oversight), and then suddenly they are turned on, the processes and systems that are built to handle this are inadequate, because everyone is speeding. Handling thousands of cases of non-compliance puts pressure on regulators, and companies are forced to very quickly rethink their approaches, and re-configure their ethical compasses.

A number of large companies have been caught out by regulators in the past year, which can serve as examples for smaller companies facing some of the same issues. Even corporate giants are struggling to comply with the GDPR: in 2018 Google was fined €50 million by the French Data Protection Authority, CNIL. The fine was imposed because Google had not been sufficiently transparent with customers, nor had it provided enough information about how personal data would be processed to personalise ads. In response, Google noted in a statement that it is “deeply committed to meeting ... expectations and the consent requirements of the GDPR.” However, it was also clear that the remedy was not immediately obvious, as Google responded that it was “studying the decision to determine ... next steps.”

Another large fine was levied against British Airways in 2019, after a data breach left customer data exposed. This fine was a record-breaking $230 million from the ICO in the UK, which stated that all companies must take “appropriate steps to protect fundamental privacy rights.” The breach primarily occurred because of poor security arrangements, which left identifying customer data vulnerable to exposure.

Finally, PricewaterhouseCoopers was also subject to a fine from the Greek HDPA (Hellenic Data Protection Authority) after it unlawfully processed the data of its employees. The processing was unlawful because the firm had informed the employees that it was processing under the ground of consent, when it was actually processing under other grounds (contract and legitimate interests). The Greek DPA also noted that the consent could not be “freely given” because of “the clear imbalance between the parties.”

When these large companies are being caught out, despite the huge resources (legal, technical, and financial) at their disposal, small and medium-sized businesses have a much lower chance of meeting the compliance requirements.

In addition, when smaller companies see that larger organisations continue to process in a “business as usual” manner, why should they take on the huge costs of compliance when large market competitors do not? The issue many are facing is that without secondary data processing or repurposing, companies simply cannot compete, and compliance problems loom large.

When those issues are combined with a general feeling of “everyone else is doing it,” the incentive to comply with the GDPR is low. However, in the past year a large number of actions have been taken by DPAs around the EU, indicating that the speed cameras have been turned on and a change is coming. The issue is that companies still want and need to make the most of data, so that they can develop better products, engage on a more personal level with customers, and stay competitive in their industries. Looking at solutions to unlock this data potential, within the new GDPR rules of the road, will become vital.

In Part II of this article we will cover the example of the AdTech industry, and the core solution that Anonos has proposed for shifting towards GDPR compliance in a way that allows businesses to still move fast, but without the potential risks that come with speeding.



Tiffani Brown

Project Architect for moonshot thinkers and doers

5 years

Thanks for this article. You've made a rather dry and unclear subject thoroughly engaging. I look forward to Part II as I've seen a desire to comply from companies, but genuine concern of being left behind. Everyone just wants to know what the real speed limit is!

Tim Turner

Practical + theatrical UK GDPR & FOI trainer & consultant. Not GDPR certified (no-one is). Available for hire online or in-person. Will supply own props.

5 years

Perhaps worth noting that British Airways haven't been fined; the penalty was proposed, but the ICO then delayed following through with it. Many people think that it's likely that the actual fine will be much lower than the figure originally suggested. In the UK, therefore, the traffic cop might threaten you with a big speeding ticket but then back down. I'm not sure what message this sends.

Victoria Oshodin

Award-winning Creative Director

5 years

Really good read, can't wait for part two.

Omo Osagiede

Security Architect | Security Assurance | AWS | Azure | Program Delivery | Data Protection | Risk Management

5 years

I like the speed camera analogy. You've made many valid points, especially regarding the cost of compliance for SMEs. I'm definitely interested in how AdTech/MarTech companies are dealing with GDPR compliance and keen to see how they innovate. Looking forward to reading Part II.
