New data laws coming into force in the EU next year could be more disruptive than the power TripAdvisor gave to consumers, according to a leading law firm.
Boyes Turner, a specialist in technology law, has published a risk analysis paper on the General Data Protection Regulation (GDPR), which becomes law in May 2018.
The firm says the impact of GDPR will see more control over the future of brands and marketing strategies shift away from companies and towards consumers and employees.
The Information Commissioner's Office (ICO) is expected to launch a major PR offensive in early 2018 alerting consumers to their new rights as “data subjects”, warns Boyes Turner.
Combined with the ability for consumers to bring collective “class action” type claims where they feel their rights have been breached, the firm says there is a clear risk of litigation and of significant disruption to businesses and their working practices.
Unprepared companies will face an increasingly heavy burden on resources as a growing number of consumers demand to see and withdraw all data held on them, the paper predicts. The removal of “implied consent” and “opt out” models will place a further strain on data departments.
Fines for breaches under the new European regulations will be as high as €20 million or 4% of annual global turnover – whichever is the greater. The regulations come into force in May 2018 and will continue to apply post-Brexit, with proposals to enact them in UK law already unveiled by the UK Government in the Queen’s Speech.
Sarah Williamson, Partner at Boyes Turner, said: “If consumers are encouraged to take up their new GDPR privacy rights en masse, the impact on a wide range of businesses could be more disruptive than the tech-driven consumer empowerment forced by the likes of TripAdvisor and other consumer review and price comparison technologies.
“Like these disruptors, companies that have used the GDPR as the catalyst for getting a handle on the value of holding, handling and utilising consumer data in compliant ways can be big winners.
“But for the underprepared, if it isn’t the GDPR fines that get you, the large-scale, ongoing disruption from consumers checking, demanding changes to or legally challenging data held on them could.
“Urgent action is required now to ensure businesses know what data they hold, are able to access it quickly and action change requests with minimal bureaucracy and disruption.
“There are real opportunities for firms to become more agile and effective in their use of consumer data. But there are also real risks that those that get it wrong will be so tied up in GDPR red tape they won’t be able to deliver their real business priorities.”
Processing of data by artificial intelligence is an area in which the report warns that, despite the GDPR deadline of May 2018, regulatory uncertainty remains – further complicating the challenge of becoming and remaining compliant.
Williamson added: “Machines are making decisions about how data is processed and how that data is used.
“If these robotic decisions about data handling risk breaching GDPR obligations, organisations could be leaving themselves wide open to challenge.
“With official guidance not available, organisations need to internally test to destruction where algorithms could be leaving them exposed to huge fines and business disruption”.
The report warns some companies are so far behind in preparations for GDPR that they can’t hope to be fully compliant by May 2018.
Williamson added: “While some companies we spoke to are well ahead of the game, many have a long way to go.
“The best prepared are already demonstrating a ‘privacy by design and default’ approach. The benefits they derive in terms of consumer trust and confidence will mean they are able to continue to profit from well-handled and effectively used consumer data. However, full compliance by May 2018 will simply not be achievable for many.
“With eye-watering fines in the offing, and with guidance from regulators still unclear in places, firms need to be adopting a risk management and gap analysis approach, prioritising action on the areas where they have most to gain from action or most to lose from inaction.
“With so many different parts of the business impacted, it is possible some firms may be fully compliant and reaping the benefits in, say, HR or marketing, but wide open to fines or a loss in consumer trust from an exposed flank”.