Are UK businesses sleepwalking into data disaster?
Let’s face it, data protection isn’t the sexiest subject in the world and companies have a lot of other issues to think about. When did your senior Board last discuss the subject and what would it take to get it onto their agenda?
Sitting down with my partner Jenny Moseley to discuss our session at the forthcoming DMA Data Protection 2014 summit on the subject of “How to make data protection a priority in your company”, we came to the conclusion that many organisations are behind the curve.
Last year a survey commissioned by the Information Commissioner’s Office (ICO) found that 87% of UK firms cannot estimate the likely costs of the draft EU Data Protection Regulation to their business. A year on there is possibly more awareness (thank you Mr Snowden!) but few businesses have undertaken impact analyses to understand what it would mean to the bottom line.
David Smith, Deputy Commissioner and Director of Data Protection at the ICO (also on the programme on March 7th), has already gone into print about the importance of the Regulation. “What is crucial… is that whenever these reforms happen, we get the detail right: the law we are working on today needs to be fit for tomorrow and beyond,” he wrote in the ICO blog. For certain, the grindingly slow progress of the reform has not helped keep it top of mind with businesses, few of whom have the time (or inclination) to keep up with the “battle of the texts” which has been going on in Brussels.
However, it is not just the draft Regulation that will have an impact. The downward pressure on revenue from reducing permission levels – as consumers hold back on providing personal data – has been a trend for some time (our session will feature brand new consumer research by Fast.MAP conducted specifically for this event which will underline the problem). But the business leaders we talk to are often unaware of increasing opt-out rates; perhaps marketing departments are wary of sharing the bad news and, because customer data is rarely a balance sheet asset, nobody else is paying attention.
When it comes to investment in data protection, businesses all too often throw money at information security and believe they have done their bit. However, research repeatedly shows that it is the human factor which, more often than not, contributes to data breaches. Lack of training and awareness amongst staff about the need to protect personal data can be toxic, leading to painful lessons and brand damage when a breach becomes public.
So, what’s to be done to persuade businesses to give data protection more priority? Well, perhaps it is time for some home truths.
- Our competitors are doing it better
- Our opt-out rate is going ballistic and our data complaints are escalating
- If our response rate was as high as our unsubscribe rate we’d be rich
- We’ve got data in 25 different databases and most of them haven’t got permission fields
- We could be leaking data like a sieve and nobody would even know
If any of these statements rings true, it’s time to act; after all, the bar is only going to get higher.
Published November 2014
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.