Seventy percent of organisations are actively disposing of data in advance of GDPR, according to a new survey by IBM.
Their aim is to reduce exposure to possible legal action ahead of the 25 May deadline for implementation, according to the company. In the UK, the regulations come into force under the Data Protection Act.
The survey was conducted among 1,500 business leaders by IBM’s Institute for Business Value (IBV).
This sudden and wholesale spring-clean may reveal that organisations have been holding on to data for longer than they need to, and may also suggest that many don’t have the appropriate consent for how it is currently being used. Instead of continuing to horde that information, most companies are choosing to get rid of it completely.
The mass data-dumping is expected to continue as GDPR forces organisations to change the way they collect and store customer or citizen information. IBM found that 80 percent of organisations will be cutting down on the amount of personal data they keep moving forward, with 78 percent reducing the number of people who have access to it.
The US angle
The findings tie in with another survey published by IBM last month, which polled 10,000 people and found that just 20 percent of US consumers have complete faith that the businesses they interact with will maintain the privacy of their data.
Although the US doesn’t have comparable regulations to GDPR, American companies will have to conform to Europe’s new rules for any data processed on behalf of European customers.
The CEO of one US enterprise software company, Larry Augustin of SugarCRM, recently said that he believed the US will follow suit with data protection laws of its own, given the publicity given to the issue by the appearance before Congress of Facebook CEO Mark Zuckerberg last month.
However, Augustin also said that some organisations – mainly in the B2B space – are electing to ignore the regulations until there is greater clarity on some issues.
GDPR: the opportunity
The latest IBM/IBV survey also found that, despite the headaches of GDPR compliance, most organisations see the upside of the new data protection regime. IBM found that the rules are largely being embraced for their potential to improve privacy, security, and, most importantly, customer sentiment on data protection.
Eighty-four percent of business leaders think GDPR compliance will be perceived as a positive step by the public, while 76 percent said that GDPR will enable more trusted relationships with data subjects. In turn, this will create new business opportunities.
Whether they see the upside or not, GDPR will force a radical change in the way that all organisations handle personal data, requiring informed consent for its use, measures to be put in place to ensure its security, and the enabling of citizens’ right to have their data permanently erased from IT systems.
The breadth of GDPR’s impact means that businesses are having to alter multiple areas of their regular operations, from marketing to cybersecurity and data management.
Restoring trust – slowly
It’s safe to say that consumer trust in the way personal data is handled is as low as it’s ever been, which is why many companies now see GDPR as an opportunity to reassure their customers – especially in the wake of the Facebook and Cambridge Analytica scandal.
However, despite the opportunity to improve customer relations and streamline their data processes, IBM’s survey suggests that compliance is getting off to a slow start. Only 36 percent of business leaders who took part thought their organisations would be fully compliant with GDPR by the May 25 deadline.
Two of the biggest challenges are the new regulations regarding consent and data breaches. IBM found that less than half of respondents had systems in place to gain consent from data subjects. Meanwhile, only 31 percent of companies have updated their incident response measures to comply with GDPR’s requirement to report data breaches to relevant authorities within 72 hours.
“GDPR will be one of the biggest disruptive forces impacting business models across industries – and its reach extends far beyond the EU borders,” said Cindy Compert, CTO, data security and privacy at IBM Security.
“The onset of GDPR also comes during a time of huge distrust amongst consumers toward businesses’ ability to protect their personal data. These factors together have created a perfect storm for companies to rethink their approach to data responsibility, and begin to restore the trust needed in today’s data-driven economy.”
Additional reporting: Chris Middleton
Internet of Business says
When GDPR was first discussed in Europe, one of the key drivers was the rising power of US corporations over personal data, and the need to put systems in place to mitigate against that power, resetting the balance between citizens and enterprises.
While some nationalists and europhobes have consistently railed against the EU’s predilection for red tape, there is little hard evidence that their phobia has ever been shared by most organisations. IBM’s findings are merely the latest example of majority support for tighter regulation.
Looked at in 2018 – in the wake of a number of high-profile data breaches and the cynical abuse of social platforms by troll farms and billionaire-funded analytics firms – Europe’s move to stem organisations’ power over citizen data now looks remarkably prescient.
As to the future, however, something is missing: a platform through which citizens can manage the rights associated with their data from a central point.
Whether such a platform might emerge through a blockchain-powered data commons, for example, or via a personal API that would allow citizens to manage access terms in a manner analogous to a digital rights system, is an open question.
Internet of Business believes that the concept of citizen-backed CSR through a citizens’ self-managed data rights platform could be an exciting development – one spoken about several times at conferences by our editor, Chris Middleton, who has been pushing the idea.
For example, he proposes that such a platform might enable citizens to state what types of research and commercial programmes they would support with either personal or anonymised data, and which ones they actively forbid – and, importantly, what they would like in return for the use of their data.
In this sense, the concept of data as either a currency in itself, or as an asset against which a digital currency could be backed and valued, would be reinforced.
If you would like to discuss the concept with us, we invite your feedback and proposals.