Regulation is core to our lives: some rail against it, while others see it as enabling trade on mutually agreed terms. For some, it’s red tape that stifles innovation, while others see it as offering essential consumer and business protections, with standards forged for all.
Which side of the fence are you on?
Europe’s General Data Protection Regulation (GDPR) came into force last May, and has been absorbed into UK law under the Data Protection Act 2018 – 20 years on from the previous version of that Act.
In January, Jonathan Bamford, Director of Strategic Policy (Domestic) at the UK Information Commissioner’s Office (ICO), told a government GDPR conference in London that there had been a 93 percent year-on-year increase in enquiries to the ICO in the eight months since GDPR came into force. At the same time, there had been a 94 percent surge in the number of complaints about data protection breaches.
On average, one-third of these complaints will be upheld, he said. And with 43,000 complaints between May 2018 and January alone, that represents a lot of companies contemplating fines and warnings from the regulator.
So what do businesses think? A NetApp survey published this week found that IT decision makers across the UK increasingly believe that data regulation can positively impact their commercial operations.
This reinforces the point made by a number of reports last year, including from Capgemini and IBM, that companies should regard regulation as an opportunity to build customer trust, and not as a drag on their businesses.
Indeed, Capgemini’s May 2018 report went as far as saying that consumers will actively punish companies that fail to put data protection centre stage.
According to NetApp, more than half of organisations (53 percent) now say that data regulation has either had, or will have, a positive impact on their business, while just 18 percent have either seen or anticipate negative impacts. Those figures are encouraging, but they hardly represent unity.
That said, an April 2018 NetApp survey found that only 30 percent of UK IT decision makers said that GDPR would improve their competitive advantage, so at least industry sentiment appears to be moving in the right direction.
In the latest NetApp survey, a clear majority of UK companies (68 percent) said that their level of concern for data privacy has increased since GDPR implementation – which is hardly a surprise.
But there is another issue on the horizon: Brexit. While many are tired of hearing about it – and businesses are grappling with uncertainty more than known impacts – data sovereignty is part of the challenge of the UK withdrawing from the single market.
According to NetApp, many companies have turned their attention to this problem. In the UK, 66 percent give ‘major’ to ‘some’ consideration to data sovereignty when preparing for Brexit, according to the survey.
Nearly half of UK companies (47 percent) think that their Brexit-related data sovereignty concerns will eclipse their pre- and post-GDPR worries, and nearly one-quarter (24 percent) think they will be the same.
At the same time, UK businesses are divided about the impact of data sovereignty on targeting customers in EU jurisdictions. Fewer than half of UK companies (44 percent) say that data sovereignty has not affected EU customer targeting, while one-third of companies say that it has.
However, many UK companies are still unclear on how they should prepare for Brexit from a data management perspective: 19 percent say that they have either given little or no consideration to it, or don’t think that they need to look at data sovereignty at all.
Those companies are wrong.
At the GDPR conference in January – hosted by Westminster eForums – the ICO’s Bamford made a troubling revelation. According to him, the ICO has seen many organisations get to grips with the basics of data protection for the first time, thanks to GDPR. The implication is that many had been completely unaware of their obligations under previous UK laws, such as the Data Protection Act 1998.
This may seem like a step in the right direction, but Bamford warned that many decision-makers now believe that data protection is simply about GDPR compliance. As a result, much of the ICO’s current role is guiding companies through the rudiments of data protection that they should have grasped 20 years ago.
So what problems might Brexit cause in data protection terms? One challenge is organisations not knowing where their data is. Many cloud platforms host services in EU data centres, and organisations may simply be unaware that their data isn’t in the UK.
Crashing out of the EU without a deal could create serious problems for all such companies – especially as the chances of there being a data adequacy agreement in place by the end of March are slim to zero, suggested Bamford.
Zoe Rowland, Head of Data Governance at Cancer Research UK, made an equally worrying admission. Some of the charity’s data is held on the continent, she said. As things stand, the organisation will probably be able to send data to Europe after a no-deal Brexit, but won’t be able to get it back.
Just to emphasise: that’s the Head of Data Governance at the UK’s biggest charity, which prepared itself well in advance for GDPR and made it a central tenet of its operations. Rowland added that she hoped some of the bigger cloud platform providers, such as Microsoft, are considering what their clients can do in these situations.
When an industry expert in one of the UK’s most significant organisations is hoping that cloud providers will sort out the mess, you should take note.
Martin Warren, NetApp’s Cloud Solutions Marketing Manager, EMEA, had this to say of the situation this week: “The uncertainties around Brexit affect companies in numerous ways, including in their data management preparations. It is therefore encouraging to see many UK businesses already focusing on data regulation and privacy.
“While this is partly driven by legislation and specifically the GDPR, there is now also a better understanding of how data regulation positively contributes to the commercial success of an organisation.
“As more details around Brexit emerge over the coming months, the best course of action for companies is to continue to build solid data protection and data governance processes, to ensure compliance with current legislation, and preparedness for any future developments.”
Good advice – but easy to say. According to the ICO’s Bamford at January’s conference, many UK organisations have only the most rudimentary understanding of data protection – and that’s largely thanks to GDPR.
So hold onto your hats in March, everyone. And find out, today, where your data is.