Many businesses’ attitudes to GDPR are ‘bordering on negligent’

Despite the data protection regulation being implemented in 2018, 69% of IT decision makers don’t have the backing of their board to achieve GDPR compliance, according to Calligo.

Some business owners’ awareness of how Europe’s General Data Protection Regulation (GDPR) will impact their business is “bordering on negligent”, said Adam Ryan, chief commercial officer of Calligo, a cloud service provider offering data privacy and security to mid-sized companies.

“There is an alarming lack of knowledge,” he said, speaking at a GDPR panel debate on Thursday.

Ryan argued that many board-level individuals are not engaging with GDPR because they do not want to take the blame if something goes wrong.

“GDPR is driving a truck through one of my clients’ business model as far as I can see,” said Ryan, speaking about a company that runs a B2B introductory lead generation system.

“Their response [to GDPR] is ‘we really need to do something about that’. Their level of awareness was bordering on negligent because this is their core business and core value to their customers.

“For some businesses, GDPR fundamentally changes how they operate,” he added.

Is GDPR enforceable?

Julian Box, co-founder of Calligo, argued that many businesses are ignoring GDPR because they don’t believe that regulators will be able to enforce the regulation.

Many of GDPR’s processes should have been put in place years ago, argued Robert Bond, solicitor and notary public and a certified compliance and ethics professional.

“GDPR is not prescriptive. Everyone is waiting for ten boxes to tick but it is not about that,” said Bond.

Every business will have to work out what its risk appetite is and how it can implement processes for the procedures to be accountable.

Box agreed: “You can’t be GDPR compliant. There is always something that makes you non-compliant literally a second later. We go out of our way to never use that word compliant.

“Wetherspoon’s deleted a huge chunk of their customer data as they thought it wasn’t worth the risk. That doesn’t work for all business but I thought that was quite an educated response.”

However, Bond said that once a company has started implementing procedures to meet GDPR expectations, it should market this as a competitive advantage.

The EU’s data protection regulation is about privacy, not IT security

Ryan pointed out that many companies are taking a technology-focused response as they look to improve security, “but this isn’t all about security, it is about privacy. People are keeping data that they shouldn’t have. It might be protected but they shouldn’t have it in the first place,” he said.

“You need to understand why you have data and what legal framework for keeping data you have anyway,” said Ryan.

Several people on the panel predicted “ambulance chaser” law firms offering ‘no win, no fee’ court cases if a business was found to be holding illegal data under GDPR.

Once consumers know what their rights are, there will undoubtedly be those with grievances against businesses that will use GDPR to air those grievances, panellists agreed.

Bond argued that compliance will trickle down from large multinational companies.

“The more regulated and multinational the business is, generally the more aware it is of compliance and regulatory issues. But out of all of those multinationals that I have advised over the years, there isn’t one that has put in place compliance programs because they should do. It is because something has gone wrong to make them do it,” said Bond.

However, Bond believes large multinational businesses will refuse to do business with smaller firms that are not implementing GDPR, causing compliance to flow through industries.
