Following the introduction of the General Data Protection Regulation in 2016, a two-year transition period was granted before enforcement begins on 25th May 2018. During that time, any organisation involved in the processing of personal data needs to review its strategy, policies and procedures for compliance. At the same time, consumers will become aware of a new set of rights which they have been granted by GDPR.
DataIQ undertook a twin-track research project to examine both sides of the data-value exchange in the light of these new obligations and rights. Research has been carried out in two waves in 2016 and 2017 allowing for year-on-year comparisons. The project had three key objectives:
The research was built around four key areas of data protection and privacy management: permission (the consent requested and granted for data use), personal (the use of trackers and identifiers to personalise content and services), preparation (the standard to which data needs to be held in order to be effective and how this is recognised by consumers) and protection (the effort made by companies to keep sensitive data secure and the expectation of individuals that this will happen). Results from the research are presented in a series of four white papers, each of which looks at one of these areas. This white paper specifically focuses on the research segment conducted by DataIQ, in association with DQM GRC. It looks into the issue of how consumers expect their personal information to be protected and their experience of data losses, as well as what businesses do to ensure they have data protection at the heart of their data strategies.
Christine Andrews, Managing Director, DQM GRC
The General Data Protection Regulation (GDPR) will replace the existing Data Protection Directive on 25th May 2018. This law has been designed to protect the Personally Identifiable Information (PII) of European Union residents as a “human right”. The punitive measures for non-compliance have been well documented and have sadly generated most of the headlines when, in fact, much of what is proposed under GDPR is already in the current Data Protection Act (DPA) - just updated for the digital era.
Securing personal data has always been a principle in the DPA, but GDPR does go further in suggesting the types of controls organisations should consider and, in particular, there is a “call out” for ensuring companies have a process for regularly testing, assessing and evaluating the effectiveness of the measures in place to secure personal data. There is likely to be little sympathy for companies who do not encrypt data, especially on laptops and in data transfers.
PII protected by adequate encryption when lost or breached may be considered “safe”: where the data has been rendered unintelligible to anyone not authorised to access it, GDPR does not require the affected individuals to be told (Article 34). The breach must still be recorded and, unless it is unlikely to result in a risk to individuals, notified to the regulator (Article 33), and the exemption only holds if the keys were not lost with the data. Furthermore, the regulation proposes the pseudonymisation of PII as a means of replacing personal identifiers where possible. Pseudonymised data remains personal data under GDPR, because the organisation holds the additional information (a key or lookup table, kept separately) that would allow re-identification; the benefit is that a copy of the dataset on its own is far less useful to an attacker.
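As an added illustration that is not part of the DataIQ/DQM GRC report, the Python below contrasts the two ways organisations commonly implement pseudonymisation. Hashing an identifier with an unkeyed function such as SHA-256 looks like pseudonymisation but is reversible by anyone who can guess plausible inputs (email addresses are easy to enumerate). Keying the hash with HMAC and a secret held separately from the dataset makes that guessing attack fail without the key, and deriving a separate key per purpose keeps pseudonyms from different datasets unlinkable. The identifiers, records and the `reidentify_by_guessing` attacker function are all constructed for the example.

```python
import hashlib
import hmac
import secrets


def _normalise(identifier: str) -> bytes:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' map to one pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: looks anonymous but is reversible by guessing (see attack below)."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, master_key: bytes, purpose: str = "default") -> str:
    """HMAC-SHA256 pseudonym. master_key is the 'additional information' GDPR expects
    to be held separately from the pseudonymised data. Deriving a per-purpose key from
    the master key means analytics and support datasets cannot be joined on the pseudonym."""
    purpose_key = hmac.new(master_key, b"pseudonym-key/" + purpose.encode("utf-8"),
                           hashlib.sha256).digest()
    return hmac.new(purpose_key, _normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records: list, master_key: bytes, purpose: str = "default") -> list:
    """Return copies of the records with the email replaced by a keyed pseudonym."""
    out = []
    for rec in records:
        new_rec = {k: v for k, v in rec.items() if k != "email"}
        new_rec["subject_id"] = keyed_pseudonym(rec["email"], master_key, purpose)
        out.append(new_rec)
    return out


# Constructed attacker model: someone who obtained only the pseudonymised dataset and
# a list of plausible identifiers (a leaked mailing list, a scraped directory, ...).
CANDIDATE_IDENTIFIERS = [
    "carol@example.net", "alice@example.com", "dave@example.org", "bob@example.org",
]


def reidentify_by_guessing(pseudonym: str, candidates=CANDIDATE_IDENTIFIERS):
    """Try every candidate through the unkeyed function; the attacker has no key to try."""
    for candidate in candidates:
        if hmac.compare_digest(naive_pseudonym(candidate), pseudonym):
            return candidate
    return None


# Constructed sample data, not taken from the report.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "premium"},
    {"email": "Bob@Example.org", "plan": "free"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: generated and stored in a KMS/HSM, never beside the data
    naive = naive_pseudonym("alice@example.com")
    keyed = keyed_pseudonym("alice@example.com", key)
    print("unkeyed hash reversed to:", reidentify_by_guessing(naive))
    print("keyed pseudonym reversed to:", reidentify_by_guessing(keyed))
    print("same subject, different purposes linkable:",
          keyed_pseudonym("alice@example.com", key, "analytics")
          == keyed_pseudonym("alice@example.com", key, "support"))
    print(pseudonymise(SAMPLE_RECORDS, key))
```

The keyed pseudonym is deterministic, so the organisation can still join records from the same source on `subject_id`; it cannot be reversed from the pseudonym alone, so where a controller genuinely needs to get back to the individual (for a deletion request, say) it has to keep a key-protected lookup table or recompute the pseudonym from the original identifier, and that table is what must be stored and access-controlled separately.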
While security certifications are not a direct requirement of GDPR, the overlap in terms of the controls within ISO 27001 and the Articles in GDPR is considerable and it is possible that, ahead of whatever approved certification eventually emerges, security certifications may well be a prerequisite. So, getting ahead of the game may well prove a useful step. In any event, the structures and disciplines ISO 27001 mandates are very relevant and provide an essential backbone for overall PII data security.
This report highlights that, while levels of awareness among consumers about data privacy legislation may be fairly low currently, this will change as the volume of individuals who have already experienced some form of negative data experience rises. Consumer trust in a company’s brand is closely linked to how well they protect and secure customers’ data. Companies who don’t take heed of this risk losing a great deal.
Consumer attitudes towards sharing their personal information have become significantly more positive - for every one person who says they prefer not to share (the Cautious, 36%), there are two who are either happy to if the need is explained (the Rational, 42%) or are happy to share if they trust the company (the Trusting, 21%). Last year, half said they would prefer not to share.
Only one in ten consumers (10%) say they are fully aware of a new law that will protect their data and grant them new rights over it. By contrast, six out of ten are only vaguely aware (24%) or not aware at all (38%). Education about GDPR will take some time to shift this position.
There has been a big year-on-year rise in the number of consumers making use of ad blocking software (up eight points to 41%) or using the browser option to stop seeing ads (up ten points to 41%), while 28% are using private browser settings (up five points). This reflects a desire for more control over online data sharing which GDPR is intended to support.
How consumers expect their data to be protected currently is ahead of existing best practice, but in line with GDPR - 74.3% want their data encrypted where possible. They also expect technical protection such as up-to-date firewalls and security software (63.9%), limits on access (59.4%) and access monitoring (57.8%).
Building consumer confidence that their personal data is safe requires a blend of transparency, data security tools and brand status. Half of consumers (51%) are reassured when the company provides clear information on why they need the data - something GDPR also mandates.
If GDPR is intended to reassure individuals that their data is being kept safe, it may take some time for that message to convince - four out of ten (39.7%) worry that their data may not be safe, while three out of ten (32.8%) believe some of their data is safe, but not all. The positive indicator is that those consumers who are fully aware of GDPR have higher levels of confidence in data protection.
Six out of ten consumers have now experienced some kind of problem with their personal information, with a four-point rise both in web sites they use being hacked (up to 25% in 2017) and in their account being hijacked (up to 18%). Despite the rise in these criminal activities, 8% still claim they might not notice if something happened.
Awareness of GDPR continues to rise among businesses with half (50%) now very conscious of the new Regulation and 36.3% somewhat aware of it - a combined rise of 7.3 points. The proportion who are very prepared has doubled to 14.6%, while the number who are not at all prepared fell sharply from 8% in 2016 to just 1.9% in 2017.
One in six companies (16.5%) now rate themselves as Advanced in their adoption of data and analytics. This is a significant rise since last year, although overall, there has been a slight softening in self-confidence. Perhaps as the full implications of GDPR compliance are realised, so, too, are the gaps in processes and preparedness.
Funding for data governance, likely to cover GDPR programmes, is now being led by the Board in 36.3% of companies. Up from 23% in 2016, this shows just how seriously the issue is being taken by more organisations.
While three in ten organisations (29.6%) report on data breaches and losses at a company-wide level, there are still three in twenty (14.1%) who do not track these at all and this number has doubled since last year. Reviewing processes ahead of GDPR may have revealed this as a gap, but it is one which needs to be closed rapidly.
A wide range of processes is being reviewed for their compliance with GDPR, led by in-house privacy notices (43.6%) and in-house permission statements (38.7%). While retention policies are ranked third overall (36.7%), they are the first area of focus for companies who are very prepared for GDPR, reflecting the challenge of the new right to be forgotten.
On average, it takes organisations just under six months to change a data process. With the number of processes that might need to be adapted for GDPR and the countdown to enforcement in May 2018, pressure will steadily increase on those yet to start or who need longer.
Suffering a data breach or loss would be expected to have a very significant business impact by 26.8% of companies and some impact by 38%. Yet despite consumer fears about the safety of their personal data, 26% of companies do not think there would be much or any impact if it happened to them.
With enforcement of GDPR, new rights for consumers will move centre stage. Transparency, consent and control will combine to make the balance of power in the data-value exchange more equal. The good news for organisations that rely on personal information is that, even in the last 12 months, attitudes towards sharing data have become significantly more positive. For every one consumer who prefers not to share personal information, there are now two who are happy to do so in the right circumstances.
Under GDPR, organisations that cannot rely on legitimate interest (or another of the lawful bases for processing in Article 6) have to gain informed consent - difficult when half of the population in 2016 (49%) were starting from a position of caution. But by 2017, the number who hold this attitude has fallen by 13 points, leaving just over one-third (36%) in the Cautious segment.
Two-thirds of those who have changed their minds are now Rational about sharing personal information - 42% will do so if the need is explained, up from 33% last year. One-third have migrated into the Trusting group, creating a 21% segment who are happy to share if they trust the company, up from 16% in 2016.
For GDPR to have the effect intended by its architects, consumers will need to take advantage of the rights it grants them. That will require awareness and education - but the existing base is currently low, with only one in ten consumers (10%) claiming to be fully aware of a law that protects their data and privacy. Even prompted, only an additional 28% claim a degree of awareness, even if not in detail.
That leaves more than six out of ten consumers with, at best, a vague sense that there is a law protecting them or, at worst, a complete lack of knowledge. The group who haven’t heard anything about it is the largest segment at 38% - the same size as all of those with a level of awareness and half as big again as the group with just some knowledge that there is a kind of law (24%).
Digital channels are the primary interface between organisations and consumers. They are also where personally identifiable information is generated and captured, making them the frontier between trust, consent and legal obligations. The extent to which consumers notice and act on data sharing tools is critical to the free running of the information economy.
Since they were introduced under the revised ePrivacy Directive in 2012, cookie notices have become the most visible dimension of data protection, seen by 17 out of 20 consumers (85%), while the privacy policies which underpin them get noticed by three quarters (77%). Unsubscribe links, a legal requirement of the Privacy and Electronic Communications Regulations (PECR), are seen by a similar number (76%).
While these are tools which organisations are obliged to put in place, it is the growth in tools being adopted by consumers to stop data sharing which catches the eye. Since last year, between a quarter and a third more are using ad blocking software (41% v 33%) or using the option to stop seeing ads (41% v 31%), while there has also been a hike in the number setting their browsers to private (28% v 23%).
In the short term, it is clear that a large minority of consumers are taking nearly as much notice of anti-data sharing tools as they are of registration forms (down nine points year-on-year to 44%) and requests for personal information (down six points year-on-year to 43%). Although this trend might concern digital marketers, it does at least show an appetite for positive controls over data sharing - something which GDPR aims to enable.
Consumer expectations around how their personal data will be protected are running ahead of current legal obligations. While GDPR will push more organisations towards encryption, data security, access controls and monitoring (Article 32 names encryption and pseudonymisation as examples of appropriate measures rather than mandating any single control), the majority of consumers anticipate these already being used. This is true regardless of the underlying attitude towards data sharing.
Encryption is the most widely desired form of data protection, wanted by 74.3% of consumers, even though this is not standard practice. More common in organisations is well-maintained technical security such as up-to-date firewalls and security software, which 63.9% of consumers want. Failure to act on this has been the cause of the type of high-profile data breaches which GDPR is intended to end. Access limits and monitoring (expected by 59.4% and 57.8% of consumers respectively) are an extension of these technical defences.
In the wake of Brexit, the continued desire for personal data to be stored only in the UK, expressed by 45.8%, is an important consideration for any organisations operating trans-nationally. This view could soon be held by the majority, having grown by a further 3% of consumers since last year.
While over six out of ten consumers notice the tools which are used to capture their personal data, only half or fewer find those indicators that give them confidence their data will be safe. The largest number (51%) are reassured when they are given clear information about why their data is needed. That fits squarely with the requirement under GDPR for transparency. Backing that up, a further 36% say easy-to-find privacy policies give them a sense of safety. That visibility will increase significantly under the new rules.
Four out of ten look either for technical factors - a secure (HTTPS) URL reassures 43% of consumers - or bring an existing trust in the brand with them when they share data online (39%). The first of these can be clearly provided by an organisation, although the padlock only shows that the connection is encrypted in transit and says nothing about how the data is stored or who can access it once received; the second is harder to develop.
Data minimisation - another key dimension of GDPR - matters to just over one third (37%), while the new control tool of a preference centre persuades one quarter (27%) that their data is being protected. However, one in five consumers (19%) are unconvinced by any of these efforts and don’t believe their data is really safe. The one reassurance for organisations is that none of these indicators has grown significantly in importance since 2016.
Levels of confidence that personal data is safe once it has been shared clearly lag behind what organisations and regulators would desire, with as many consumers saying they are not at all confident (5.4%) as say they are very confident (5.3%) that their data is safe. Levels of awareness of GDPR play little role in influencing these views.
However, those consumers who lack any awareness of a law protecting their data are more likely to be negative than positive - 23.4% are worried or think organisations do not do enough compared to 12.1% who believe some of their data is safe or are very confident. By contrast, where consumers claim to be fully aware, 6.4% have a level of confidence compared to 3.3% who do not.
There may be trouble ahead. Just as GDPR heightens the obligations on organisations around how they protect personal data, fewer consumers say they have not experienced any problems. Whereas last year a bare majority of consumers had not had any issues, only just over four out of ten (42%) now say this is the case. By contrast, six out of ten have been through some kind of negative experience.
Significant increases have been seen in the hacking of websites (up four points to 25% of consumers) and in the more serious issue of accounts being hijacked (also up four points to 18%). If anything is going to create obstacles to informed consent to data sharing, it will be the direct experience of what can happen when personal data is not properly protected.
Fraud continues to affect around one in eight consumers (13%) following the theft of their personal information and there has been a small increase in the number of consumers experiencing the worst outcome, having their identity compromised (up two points to 9%).
Data losses have also risen slightly to 9%. Despite all of this happening around them, 8% of consumers continue to say they might not notice if something happened - as awareness and education around GDPR grows, this position seems unlikely to remain tenable.
In the year since DataIQ last surveyed companies about their awareness of GDPR, there has been a modest increase in the numbers saying they are very aware (50%) or somewhat aware (36.3%) of the new law. While encouraging, if this rate of change remains constant, there will still be around 6% of companies who have no idea that the way they handle personal information is about to change by the time enforcement starts.
More encouraging is the pace at which preparations for the Regulation are being undertaken. The number of companies who are very prepared has doubled to 14.6%, while 53.3% are now somewhat prepared. Perhaps most significant is the steep fall in those who are not at all prepared, which now stands at just 1.9%, down from 8% in 2016. It is to be hoped that this pace of change will accelerate over the coming 12 months until there are no UK businesses who have not got themselves ready for the new legal framework.
The ability of organisations to adapt to GDPR is in part a reflection of their level of maturity in the adoption of data and analytics. Four out of ten place themselves either in the advanced segment (16.5%) or reaching maturity (24.5%). Although this number has not significantly changed overall since 2016, it is notable that more programmes have now reached full maturity, placing one in six organisations into the leading group.
By contrast, almost as many as are in the leading group find themselves still on the launch pad, with 3.8% planning - nearly double the number found last year - and 14.1% in the early stages - up slightly on 2016. For these organisations, the time remaining until GDPR starts to be enforced is likely to be a rush to understand and master the personal data they are relying on, with a strong potential to fail given the short timescale.
As preparations for GDPR pick up speed, data governance programmes are being initiated at a more strategic level. Since 2016, in-house compliance and legal teams have emerged as the lead in over half (54.8%) of organisations, an increase of two-thirds compared to 2016. Nearly twice as many legal teams are now funding data governance, too. But it is now the main board which is the chief source of funding, at 36.3% of organisations, and which holds responsibility for data governance in 45.2%, overtaking other functions in importance since last year.
Lines of business have also become much more engaged with data governance, led by marketing (up ten points to 39.3%), and CRM (up nearly six points to 39.3%), while sales has increased its involvement by 230% - it now has responsibility for data governance in 31.9% of organisations. Similarly, ecommerce has doubled its involvement to 23%.
These increases are being backed with greater funding from every department compared to last year. This suggests that, as organisations work out how to prepare for GDPR, they are drawing on the resources and capabilities which exist across the enterprise, rather than relying on just a few areas of expertise.
One of the new requirements of GDPR is to report a data breach or loss to the Regulator within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and to tell affected data subjects without undue delay where the breach is likely to result in a high risk to them. Achieving that means organisations have to be aware of such events when they happen, and the clock starts at detection rather than at the intrusion itself - three out of ten are well placed as they have company-wide reporting already in place, a slight increase since 2016.
There are further signs of maturity in this respect with a 50% rise in the number who now report on data breaches and losses at function level - up to 18.3% from 12.2%. This appears to be a shift from reporting on a case-by-case basis which has reduced proportionally.
Encouraging as these improvements are, there is still a significant group of one in five organisations who either rely on customers or external bodies to tell them when a breach occurs (7%) or who are not tracking these events at all. This last group has doubled in size to 14.1% from 7.6% last year. Worrying as this is, it may reflect a process of discovery as organisations consider how to prepare for GDPR and discover the gaps in their procedures.
The breadth of GDPR’s impact on organisations can be seen in the range of processes which need to be reviewed. Given the emphasis being placed on consent and transparency, it is not surprising that 43.6% of organisations are looking at their in-house privacy notices, while 38.7% are checking their in-house permission statements for compliance. What is surprising is that even companies which claim not to be very prepared for GDPR are actively reviewing these notices and statements, as well as reviewing the ones used by their third-party partners.
Retention policies are the third most mentioned process being reviewed, according to 36.7%. This is undoubtedly a reflection of the newly-granted right to be forgotten which will make deletion requests more frequent, as well as the concept of time-limited purpose and permission. Among those best prepared for GDPR, retention policies are actually the prime area of focus which probably indicates how neglected this aspect of information lifecycle management has been until now.
As the clock ticks down towards enforcement of GDPR, pressure will increase on compliance programmes. Achieving the necessary changes to data governance policies and procedures within the available timescale will become more difficult, not least because of the number that will need to be altered. Fortunately, over half of organisations (51.3%) believe it will take them six months or less to make these changes.
For three in ten (28.9%), it will be a close run thing if they need the upper end of their six to 12 month range, while the 8.5% who need between 12 and 24 months will have to hope that the processes they are addressing do not fall under the Regulator’s scrutiny. On average, companies need just under six months for process engineering.
Recent large-scale data breaches have demonstrated that the impact on a business and its reputation can be significant. A combination of customer defections and falling investor confidence put those companies on the back foot. Recognition that a similar event would have a very significant impact has grown to 26.8% of firms, up from 22.5%.
However, there appears to be less concern than might be anticipated across six out of ten organisations - 38% assume a data breach or loss would have some impact, down from 44.7% in 2016, while 21.1% do not expect much impact, up by half from 13.2% last year.
Given consumer expectations about data security, the risk is that companies have become complacent about the outcome should they be hit by hacking or theft. Even a GDPR-compliant business that undergoes this type of event is likely to experience negative consequences.