One year to go: The countdown to GDPR begins

The countdown to the General Data Protection Regulation (GDPR) is officially on. On 25th May 2018, the introduction of the new legislation will mark the start of a new era of how businesses manage, process, store and share personal customer data. This new legislation will replace the long-standing Data Protection Act 1998 and introduce stricter rules on how businesses process personal customer data.

Importantly, this is an EU-wide initiative, and despite the UK’s imminent departure, it will still be ‘opting in’. However, Secretary of State Karen Bradley MP has stated the UK will “then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.” It’s important that businesses are prepared for this significant change. So, what will GDPR mean for the way they manage customer data? And, with the legislation’s focus on data security, what more can businesses do to keep their customer data safe?

What do businesses need to know about GDPR?

In essence, the rules will introduce stricter requirements around when brands and businesses can use data. This means they will need to be clearer about the information they are requesting from customers and how they will use it. Confusing contracts and terms and conditions will no longer be an option; companies will need to provide transparency at all stages during the collection of customer data to ensure consent is given unambiguously.

Another important change is increased accountability. Strict penalties will be introduced to businesses that breach the new legislation, with the maximum fine increasing from £500,000 to €20m or 4% of global turnover for the most serious incidents.

At a time when data breaches are an unfortunate everyday occurrence, businesses are already faced with a huge responsibility to keep their customer’s personal information safe – or risk the consequences of a significant fine. What better example than TalkTalk, which was hit with a record £400,000 fine by the Information Commissioner’s Office for failing to protect the personal data of 156,959 customers from a cyber attack.

Who will the GDPR apply to?

The Act will apply to both processors and controllers of customer data. In simple terms, the controller says how and why personal data is processed, and the processor acts on the controller’s behalf – as defined by the ICO. For businesses wondering if the GDPR will affect them, as a general rule, those which are currently regulated by the UK Data Protection Act are likely to be affected by the GDPR.

The rules will be imposed across Europe, building a harmonised data protection regime that impacts not only on companies based in the EU but also those that want to do business here. Although it will be some time until it is understood exactly how the UK will adopt GDPR, at the very least, businesses working with EU countries will need to abide by the legislation as it applies to the management of customer data flowing both in and out.

Taking actions to beat the fraudsters

Cybersecurity is an unavoidable consequence of the digital world we now live in – and the GDPR is shining a spotlight on the role customer-facing organisations must play in protecting customer data.

For banks in particular, which are generally among the most trusted brands by consumers, I believe there is huge potential for them to build on the role they already have in their customer’s lives – and and offer increased support and assistance to help keep them safe online.

It is clear that protecting information is important to consumers and so banks should be looking to evolve their propositions and capitalise on this. Barclays has just announced steps to do just this, with the Chief Executive vowing to lead a £10m campaign against digital fraud.  

And there are other benefits, particularly for banks, that can offer protection solutions to their consumers, too. According to our latest research, The Connected Customer, people who take out products that help them alleviate their cyber concerns tend to be more engaged and, ultimately, more loyal.

An education for consumers

Businesses should also consider how they can help customers be more savvy online. With consumers logging in to multiple devices, e-commerce platforms and social media sites each day, it’s clear they are also responsible for protecting themselves. Awareness of cyber security doesn’t seem to be the issue; a report by Symantec revealed 57 percent of customers “are worried their personal information is not safe”.  But despite this, a study by Aite found 49 percent of consumers exhibit at least one risky behaviour which puts them at higher risk of financial fraud.

Last year, Financial Fraud Action UK (FFA UK), major banks and financial services providers united to launch a national campaign to combat financial fraud called Take Five, which lists five ways consumers can help protect themselves from fraud, including guidance on how to identify disingenuous emails.

Looking ahead, we can expect to see more initiatives such as this introduced across a number of customer-facing industries, with organisations, industry bodies and associations working together for the greater good.

A new dawn for customer data

With GDPR now on the horizon, companies are facing an increased responsibility to keep customer data safe, and provide transparency at each step of the data-collection process. But there is also a great opportunity to connect with customers over cyber security and be part of the education and empowerment journey. Those which can are likely to reap the benefits with more trusting, local customers. 

By Karen Wheeler, Vice President and Country Manager UK, Affinion