GDPR: Why we need it and how it affects your SME

Dr Guy Bunker explores the reasons behind why the GDPR is coming into effect and how it’s going to protect your data on the digital streets.

Come May 2018, the way businesses and consumers handle the data they hold will alter profoundly. The one-year countdown to the GDPR is now well underway and with the implementation of the European Union’s most significant cross-border regulation, the chaotic and rapidly evolving data landscape will be brought into line.

Being informed about why it’s coming into play and what the regulation is solving will help both organisations and citizens understand how they should approach data protection, whether this is becoming GDPR compliant or understanding their new data privacy rights.

Organisations doing business in the EU currently work under inconsistent data protection regulations, varying from country to country. A UK-based accountancy firm that sends its sales data to marketing firms in Germany or France would have to understand the different data laws of each individual nation and adapt its processes accordingly, in many cases hiring consultants to ensure it complied with the appropriate regulations.

Outsourcing certain business operations, such as IT systems support, is another common cross-border action. An IT company based in Switzerland that provides systems support across the EU would have to allocate additional time and resources in order to understand the patchwork of individual national laws covering processes from handling employee data and customer details to processing payment transactions.

A single, all-inclusive regulation for organisations to comply with will make it easier for them to conduct business within the EU, as well as saving them time and resources. According to EU figures, having a blanket law on data protection will save the market an estimated €2.3 billion (£2.1 billion) annually.

A consistent all-encompassing regulation that reduces demand on a company’s time and resources is not the only factor behind the introduction of the GDPR. PwC’s economic crime survey 2016 revealed that as many as one in five businesses in the UK had not carried out a single fraud assessment in the previous two years.

Despite the fact that fraud and other economic crimes are on the rise, the findings are perhaps unsurprising. The constant flow of data transcending national borders makes adapting to individual laws both difficult and time-consuming. As a result, self-regulation has become almost non-existent, with many businesses paying lip service to the ‘guidelines’ provided by different nations.

However, with the implementation of the GDPR, organisations will have to demonstrate the systems and processes they have in place to protect customers from fraud. With the threat of a substantial fine looming over their heads if they fail to comply, more organisations will take steps to ensure they have appropriate measures in place to protect their customers from fraud and any other exploitation that could occur.

Financial scamming has become an epidemic and according to Financial Fraud Action over a million cases of card, cheque, phone or online fraud were recorded in the six months from January to June 2016 – a 53 per cent rise from the same period in 2015.

Email deception, as well as phone and text-based scams, are the go-to methods of attack for scam artists. The ammunition for these attacks is provided by the almost endless stream of data-leak jackpots surfacing on the dark web that include customer and employee information.

The knock-on effect on consumer confidence has been damaging. Repeated high-profile data breaches have led more and more consumers to provide incorrect information online. Figures from market research agency Verve revealed that 60 per cent of consumers intentionally input false information when submitting personal data such as home addresses, phone numbers, email addresses and company names.

Consumers now see falsifying personal information as their right to protect their privacy. However, it has also led to businesses using invalid data for everything from marketing and sales campaigns to hiring potential employees.

The GDPR will force companies to act on data security, putting in place processes and technology that prevent data breaches and data-theft-oriented cyber attacks, and this in turn, albeit slowly, will see consumer confidence in businesses’ online security increase.

As both consumers and organisations will naturally prefer to purchase from, and do business with, a compliant organisation, GDPR adherence will soon be seen as a competitive advantage to wield against rivals.

If self-regulation and pragmatism had worked, there would be far fewer data breach headlines strewn across the front pages of the news and the EU might not have required the GDPR. However, in order to protect its citizens, it needed it.

Even though the GDPR will in many cases require organisations to make significant changes to how they operate, the regulation will ultimately ensure greater protection of individual rights, provide organisations with more relevant and valuable data and bring security and stability to the increasingly complex world of data security.


Dr Guy Bunker is senior vice president of products at Clearswift.
