Clothing retail giants H&M found themselves in hot water with data privacy authorities this month after breaching the EU’s flagship General Data Protection Regulation (GDPR).
After carrying out illicit surveillance and gathering information on hundreds of its workers, the Swedish firm was issued with a €35.3m fine, the second largest GDPR penalty ever handed out to a single company after Google’s €50 million penalty for a similar transgression last year.
While the whopping size of those fines may pertain to the particularly egregious nature of the data which H&M and Google collected, they are a highly salient sign of the times for companies of all stripes.
Not only do such fines strike a bitter blow to a company’s chequebook, but various studies also show that data privacy is an increasingly important metric for consumers, meaning that proactively protecting customers’ personal data is becoming an important part of gaining clients’ loyalty and trust.
While many firms may shy away from the financial burdens and logistical headaches of achieving full compliance with GDPR, the long-term ramifications of failure to do so could be far more damaging.
Companies falling short
GDPR legislation first came into effect in May 2018. Nonetheless, even 30 months in, many businesses are struggling to comply. In a recent survey of 186 professionals, just over a third (35%) said they were confident that their company met all GDPR requirements.
The biggest barriers to compliance were corporate culture (according to 37% of respondents), a dearth of technical knowledge (35%), financial constraints (33%) and a lack of the requisite resources (33%).
Such dereliction of duty has not gone unnoticed by the authorities. The Information Commissioner’s Office in the UK have announced plans to fine national airline carrier British Airways and hotel chain Marriott International £183.4 million and £99 million, respectively.
Meanwhile, three of the world’s biggest tech firms have had court cases launched against them in the last six weeks alone.
Remarkably, the claimants in those cases have not been regulatory bodies, but consumer rights groups and, in one instance, a private UK citizen—raising concerns that mass data privacy lawsuits may become commonplace in the imminent future.
Keeping the customer satisfied
Companies should have ample reason to step up their data privacy protection—in addition to the substantial fines which regulators are imposing, achieving compliance appears to make sense from a number of other angles as well.
For one thing, 80% of those firms who are already up to date on their obligations believed their IT systems and cyber security infrastructure had benefited as a result, while 92% intimated that they had built better consumer confidence with their audience.
There are a multitude of surveys which support that supposition. In the USA, 58% of those polled admitted that they were very concerned about data privacy, while 85% said they would not do business with a company whose security protocols they did not trust and almost a third (31%) believe robust data protection policies are the most important factor in creating brand loyalty.
It’s a similar story in Europe, where 41% would prefer not to share any sensitive information with private companies, almost twice the share who say the same of public bodies.
Tech solutions like Manetu and Enya surge to meet demand
The good news is that the demand for solutions to simplify the process of compliance is being met with supply from the tech community.
For example, start-up Manetu has come up with a first-of-its-kind Consumer Privacy Management (CPM) platform which uses sophisticated machine learning algorithms to pull together, organise and classify all the data which companies hold on an individual from software which companies are already using, such as Outlook and Salesforce.
The popularity of the platform is evidenced by the fact that the company added 250,000 user identities within the first six months of its launch, including global recruiting giants Odgers Berndtson as a flagship client.
In order to safeguard consumer data and build trust, Manetu functions as a “zero knowledge data vault”, meaning that the firm does not itself have access to the data stored in its secure control plane.
Instead, it makes an encrypted copy of it available to consumers through its Privacy Master portal, allowing them to make changes to their permissions and provide or revoke consent for their personal data.
These permissions are then automatically sent back to the company holding the personal data using distributed ledger technology, thereby creating a permanent and unchangeable record of the privacy permissions which can help regulators assess compliance with privacy legislation.
Elsewhere, other innovating enterprises have taken on more specific challenges, such as the question of how to collate health data to fight the spread of coronavirus without compromising the privacy of the system’s users. Silicon Valley company Enya has pioneered the use of secure multiparty computation (SMC) in their symptom-mapping platform FeverIQ.
In layman’s terms, this means that the relevant data can be assimilated and infection risks calculated without ever actually seeing or storing user inputs, maintaining absolute privacy. The effectiveness of the system has even been verified by an independent study.
Best of all, Enya have made the code which goes into FeverIQ open source so that it can be adopted and adapted by governments across the globe.
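To make the idea of computing on data nobody sees concrete, here is an added example that is not taken from FeverIQ or from Enya's code: a sketch of additive secret sharing, one common building block of SMC, counting fever reports across users. The three-server setup, the modulus and all function names are assumptions made for illustration, and the scheme assumes the servers follow the protocol and do not pool their shares.

```python
import secrets

# Prime modulus for share arithmetic (assumption: any prime larger than the
# largest possible total works; 2**61 - 1 is a Mersenne prime).
P = 2**61 - 1
N_SERVERS = 3  # assumed number of non-colluding compute servers


def share(value, n=N_SERVERS):
    """Split value into n shares that sum to value mod P.

    Any n-1 of the shares are uniformly random and reveal nothing about value.
    """
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def server_accumulate(received):
    """One server adds the shares it was sent; it never holds a raw input."""
    return sum(received) % P


def reconstruct(partials):
    """Combine per-server partial sums; only the aggregate is revealed."""
    return sum(partials) % P


def private_count(reports, n=N_SERVERS):
    """reports: one 0/1 symptom flag per user. Returns (total, server inboxes)."""
    inboxes = [[] for _ in range(n)]
    for flag in reports:
        # Each user splits their own flag on-device and sends one share per server.
        for inbox, s in zip(inboxes, share(flag, n)):
            inbox.append(s)
    partials = [server_accumulate(inbox) for inbox in inboxes]
    return reconstruct(partials), inboxes


# Constructed sample: eight users in one region, 1 = reports a fever.
SAMPLE_REPORTS = [1, 0, 0, 1, 1, 0, 0, 1]

if __name__ == "__main__":
    total, inboxes = private_count(SAMPLE_REPORTS)
    print("users reporting fever:", total)
    print("first values seen by server 0:", inboxes[0][:3])
```

Each server's inbox holds only random-looking field elements, so the per-user flags can be recovered only if every server combines its shares for the same user.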
The sanctity of privacy
Businesses around the world are facing unprecedented challenges as the coronavirus pandemic whittles away at balance sheets and customers have less disposable income.
Under these circumstances, handling customers’ sensitive data responsibly and respectfully is not just necessary to avoid reputational damage and bruising fines, but is also an opportunity to build a loyal customer base.
That fact will become even more apparent as strict regulations like GDPR continue to come into force and consumers place an ever-greater emphasis on the safety of their personal information.
Diverting the necessary resources to address the issue and leveraging technological advances in the sector should be key objectives for any company in the modern business climate. Failure to act today could result in a breach, bankruptcy and tarnished brand image tomorrow.