GDPR isn't about data security - but it could be bad for business

OPINION: The EU's data privacy legislation is well-intentioned but will slow innovation, says serial entrepreneur Brian Kingham.

by Brian Kingham
Last Updated: 30 Jan 2018

The introduction of the EU General Data Protection Regulation (GDPR), which is intended to protect EU citizens from unscrupulous use of their personal data, is at face value a good thing.

The privacy of the individual is hugely important, especially when set against the intrusive noses of big corporations and governments. In legislating for it, however, the EU is potentially putting the brakes on innovation and risks punishing companies for situations beyond their control.

There are some ironies too. The EU wants to give individuals unfettered access to the data that companies store about them. Yet the EU is not transparent about its own operations, including the voting records of MEPs and the lobbyists who try to shape EU policy in their favour.

The EU is a hugely bureaucratic organisation that regulates business across its 28 member states through red tape. It also holds vast swathes of data about the EU’s 510 million citizens and the businesses that operate within its borders. But the legislation is here and so it must be complied with, either through in-house means or via consultants, of which there are many.

Let’s acknowledge, however, that the sanctity of personal data is mostly threatened by highly sophisticated cyber criminals, not by the companies that hold that data. To help protect citizen data against cyber attack, the EU in its wisdom has decided to punish the victims, the companies under attack, and not the criminal gangs. If you lose customer data via a cyber attack, you must report the breach to your supervisory authority within 72 hours, and if the regulator decides your security measures were not ‘appropriate’ to the risk (the test in Article 32), the EU will now have the right to fine you up to 4% of your global annual turnover or €20m, whichever is greater.

How unfair. These fines are utterly disproportionate: 4% of turnover is more than many businesses earn in profits. I know of no business that was consulted about these fines and have met no Member of Parliament who can recall being consulted. Where is the EU mandate for this? No well-run company wants to lose data, and no company wants to lose customers because of a data breach, which is why they sensibly invest in robust cyber security software and services. Beyond Article 32’s general demand for ‘appropriate’ technical and organisational measures, which it does not define, GDPR has little to do with cyber security.

Instead it’s forcing businesses of all sizes to invest precious time and resources in a box-ticking compliance exercise, so that they can say they know where their data is. Unfortunately, in the age of big data, data lakes and cloud computing this can be a huge task even for larger companies. Business is already concerned.

In a poll of Infosecurity Europe 2017 attendees, almost half said GDPR was stifling innovation by making companies nervous about cloud services. Another wrinkle of GDPR is the split of liability between controller and processor. The controller remains accountable for the data it hands to an outsourced cloud provider; the processor does for the first time carry direct obligations of its own (Article 28 requires a written contract setting out its duties, Article 32 requires it to secure the processing, and Articles 82 and 83 expose it to compensation claims and fines), but that exposure is narrower than the controller’s and is shaped largely by what the contract says. Lesson here: choose your cloud provider with care, and write security requirements, breach notification timelines and audit rights into the processing agreement rather than assuming the provider carries the risk.

It also takes little notice of how data is a vital raw material of product and business innovation, as well as helping to reduce operational costs. GDPR is likely to stifle data-driven innovation, because companies will hold back on accessing or storing data for fear of prosecution.

As consumers we have the right to share data with companies and organisations if we so wish, and millions do. We already have the opportunity to opt out, but many enjoy the advantages that, for example, Tesco Clubcard or Nectar gives us, or the fact that Amazon understands our spending patterns. Online shopping is made far easier by data sharing.

And if the EU believes that the GDPR may assist European businesses over and above US competition, which it believes plays fast and loose with personal data, it should think again. Digital behemoths Facebook, Amazon and Google have grown powerful in the years it took the EU to draft GDPR. Their advanced infrastructures and agility have already automated much of what the GDPR requires, meaning they can adapt to data legislation change more rapidly than Europe’s more traditional media owners.

There may be huge unintended consequences as a result of GDPR; we don’t yet know what it will do to those businesses already struggling. GDPR is in danger of teaching us all over again the real limitations of well-meaning government. It is too much, too soon and will undoubtedly damage job creation.

'Businesses that are already vigilant about their data protection responsibilities are unlikely to be unduly burdened by the new legislation,' the Chairman of the London Chamber of Commerce recently told City AM.

He makes a very good point. In other words, a well-run business doesn’t need the EU to tell it how to put its own data in order. It has already done so by dint of being efficient and responsible, but now it will be less competitive as it is forced to spend more time and money checking boxes, and less on managing rich data for innovation and growth.

Brian Kingham is a London-based entrepreneur and investor, and chairman of cyber security company Reliance acsn ltd.

Image credit: Kevin Ku/Pexels
