Six months on from GDPR


Just last May, businesses in Europe were busy preparing for the General Data Protection Regulation (GDPR) deadline. Despite being aware of the upcoming deadline for two years, many businesses were still unprepared for the new regulation when it went into effect.

Now that six months have passed since GDPR came into effect, TechRadar Pro spoke with Talend’s Senior Director of Data Governance Solutions Jean-Michel Franco to learn more about how the regulation has affected businesses in the EU and what companies can do to ensure that they are GDPR compliant.

This month marks six months since GDPR came into force. How are businesses faring in their compliance so far?

According to our recent survey, some 70% of surveyed businesses worldwide failed to address requests made from individuals seeking to obtain a copy of their personal data as required by GDPR, within the one-month time limit set out in the regulations.  

While organisations understand the importance of GDPR, many are still not taking their data seriously in terms of the technologies and processes they have in place. As a result, many businesses are falling short of their GDPR obligations at this stage. A large proportion are lacking the proper methods of storage, organisation, or retrieval of data in line with the regulations’ requirements. In short, compliance is still at a worryingly low level.

What specifically did the research highlight in terms of issues with GDPR compliance?

The research was based on personal data requests made to a total of 103 companies operating in Europe across a number of industries including retail, media, technology, public sector, finance and travel. We assessed responses to GDPR Article 15 (“Right of access by the data subject”) and Article 20 (“Right to data portability”) requests, monitoring areas including GDPR references in privacy policies, and the speed and completeness of responses. 

Were there any striking revelations from the research that suggested certain regions are adhering to GDPR less than others?

Just 35% of Europe-based companies polled provided data. This includes companies headquartered in the UK, France, Germany, Spain, Sweden, and Italy. However, at 50%, the compliance rate was slightly higher for non-European companies, suggesting that businesses outside of Europe are taking a slightly more proactive approach to GDPR.

How has GDPR affected the relationship between companies and their customers? Are there any sector examples you can give?

GDPR presents an opportunity to engage with customers and build loyalty. It’s vital for businesses in the digital era to have a 360-degree view of customers. Businesses must ensure that data is consolidated and stored in a transparent and shareable way. What’s more, GDPR’s one-month time limit should be viewed as an absolute deadline rather than a target. Our research shows that it is possible for some brands to respond within a day, suggesting that these brands understand fast response times will help boost customer trust.

For businesses in the financial and banking industries, re-establishing consumer trust is imperative. Data protection regulations including Open Banking, PSD2 and GDPR must be viewed as opportunities for the sector to recover the reputations which were eroded by high-profile data breaches in 2017. These businesses can then build on the basics to ensure they are providing the highly personalised and predictive services that customers are craving.

What are the benefits to GDPR compliance that businesses should be championing?

On a more positive and proactive note, compliance with GDPR should mean that companies are now more empowered to use the data they collect to enhance the customer experience, rather than simply to react to requests regarding personal data. For example, smart energy company Nest uses customer data to offer a range of smart devices that keep the user informed about energy usage and carbon monoxide levels. Supermarket giant Tesco is currently using the Internet of Things (IoT) to improve its use of data, in order to keep track of customer buying patterns, adapt to seasonal challenges and remain competitive in an increasingly crowded marketplace.

Businesses will start noticing that utilising data to respond to customer needs creates a stronger relationship between the consumer and the brand. An example of this is personalised promotions: something that Paperchase along with Tesco is doing well. By providing value through their interactions with a customer, businesses may find they are more likely to opt in to sharing their data, believing it to improve their experience and, by extension, their perception of the brand.

Which industries are showing the biggest reluctance to becoming GDPR compliant?

A worrying 76% of retail companies polled failed to respond, while the best performing industry, Financial Services, still only managed a 50% success rate. When drilling down into the results, the research suggests that businesses that started out offline, and those that are hindered by legacy systems, may find GDPR compliance more challenging than more nimble ‘born in the cloud’ organisations.

The vast majority (65%) of GDPR-compliant companies took more than ten days to respond and the overall average response time was 21 days. For some, however, the response was much quicker. Of those who responded within the time limit (22% of companies) – primarily streaming services, mobile banking, and technology businesses – replied within just one day, suggesting that digital service companies are more agile when it comes to GDPR compliance.

What must businesses do from now on to ensure they are compliant?

Organisations must trawl through their entire data infrastructure to create and maintain a constant, accurate map of their data. They need to pay particular attention when it comes to their third-party systems such as CRM, HR, infrastructures or platforms as-a-service or analytics that are based in the cloud.  

This is especially important as they will then need to assess the GDPR readiness of their cloud provider as a data processor and make sure their contract includes a data processing agreement. Similarly, data controllers need to ensure that they can erase the data from their cloud providers when they stop using the cloud service.   

As consumers will be able to request information on, or the deletion of, all the personal data a company holds about them, the data controller must ensure that they can meet this kind of requirement through their cloud provider. Consumers now hold more power over their data than before and as we’ve seen with the recent complaints against Oracle, Criteo and others, they are exercising it.  

GDPR has enabled consumers to be more data conscious – in the same way they are more environmentally conscious or health-conscious with their buying habits – and the rise of this new type of behaviour drives better data strategy implementations within organisations. Thus, data governance is becoming the new standard for building or reinforcing customer relationships.

What effect could failure to comply have in real terms?

Reputational damage, not just regulatory penalties, is shaking firms. Take Facebook as an example. The company did not receive any penalties for non-GDPR compliance; however, the company has lost members in Europe for the first time in history, whilst an increasing number of users are selecting the opt-out feature for personalisation settings. There is no doubt that this is linked to a decline of consumers’ trust in the platform, following the reputational fallout of the Cambridge Analytica scandal.

Organisations can delay no longer; they must implement the correct technologies and processes to be fully GDPR compliant and ensure trust and transparency. They must take an integrated approach to data governance, from creating a single point of control through data cataloging capabilities to the management of data access and portability through data integration and APIs. The approach should also include data quality and data masking technologies to ensure accuracy, reconciliation and protection, as well as governed self-service features to foster accountability.

GDPR has established accountability and has introduced a significant change in how organisations must approach their personal data management strategy. While GDPR is a regulatory framework, it also promotes best practice and drives businesses to be better and ultimately, more successful. 

How do you think the general quality of data in UK businesses will change in the coming years - will it get better or worse?

Data is at the heart of digital transformation, yet the promise of data remains elusive for many companies. For businesses to survive and succeed in this ever-evolving, expanding and complex data landscape, there is a need to optimally automate every step of the data value chain and enable self-service for more data consumers. At Talend, we help enterprises to dramatically improve how they can organise, process, and share data, which in turn enables organisations to collaborate and innovate on insight-ready data at scale and improve the quality of data across the UK vastly.

Jean-Michel Franco, Senior Director, Data Governance Solutions at Talend 

Anthony Spadafora
