Cyber Summit: Firms have ‘commercial decision’ to make over explicit consent under new data laws


The Travel Weekly and Travolution Cyber Security Summit was hosted by Natwest and sponsored by Worldpay, Syntec/Cardeasy and law firm Hill Dickinson.

Travel firms will have to make a commercial decision about whether they seek explicit consent from their customers to receive marketing, as required by new EU data rules.

Speaking at yesterday’s Travolution Cyber Security Summit, hosted by Natwest in London, Peter Gooch, Deloitte Cyber Risk Services partner, said consent is causing the biggest challenges.

The General Data Protection Regulation is due to be enforced from May next year, bringing in much more serious sanctions for data breaches.

Gooch said that although the actual rules are not too dissimilar to existing data protection laws, the commercial and reputational consequences of getting this wrong will go up considerably.

Firms face fines of up to €20 million for a major breach or 4% of global turnover.

Gooch said the biggest change is around accountability, with firms expected to be able to show that they have taken steps to apply the principles of the law.

Foremost among these is getting explicit consent from customers for use of their data, meaning pre-ticked drop-down boxes will no longer be acceptable.

“The basis for consent has changed,” he said, “it now has to be unambiguous. All organisations are trying to work out their position on this.

“You cannot have pre-ticked boxes, it’s now about people saying I actively want to be marketed to. They [the regulators] are saying if you do not have that you have to go back and ask for consent.”

Gooch said firms are concerned that doing this could cost them tens of millions of euros, because they know that only around 10% of customers, when asked, will actively opt in.

“This is a commercial decision,” he said. “It’s a key thing to think about. This is the hardest strategic decision to make. You have to weigh up the risks.”

Gooch said some firms see GDPR as an opportunity to cleanse their database, and companies could take the opportunity to communicate the advantages of allowing their data to be used.

“It’s quite hard to work out how far to go, what is defensible, because no one is really going to be 100% compliant by next year.

“You have choices. There’s not a one size fits all solution. The regulation has to fit every company of every size in Europe across all industries.

“You need to think about breaking down the regulation into different areas. Ask what’s achievable, what is defensible.”

Gooch said firms will need to know where their customer data is stored, what the processes are and how that data is being used.

He estimated this will require tens of thousands of data protection officers being taken on by companies, and while some will only need someone working part time, big global firms will require up to 70.

And he warned against believing that there are off-the-shelf solutions that will make firms GDPR compliant.

“It may address some problems,” he said. “But don’t rush in and buy a system because someone has sold it to you on the basis that it will solve all your problems.”

Gooch added: “The important thing is to look beyond 2018, what resources you are going to need long-term. The regulators are not going to go away, they are probably going to be more aggressive.”

Firms should be thinking about five key areas, concluded Gooch:

  • Accountability – do they have a framework in place to set out the roles and responsibilities for people in the organisation;
  • A culture of privacy by design – being transparent and putting people in control to ensure the user experience is privacy compliant;
  • Data governance – do firms know where their data is and how they are using it? They have to have some kind of inventory;
  • A risk-based approach – think about where it could go wrong and keep at the forefront what the impact could be on the consumer, not on the business or organisation;
  • Ownership throughout the business from the top – do not just think about this as an IT or legal problem. “If you do not have this you will have a superficial nice-looking programme, but nothing will change in terms of day to day responsibilities,” said Gooch.