Compliance

In a world of continuous digital evolution, could the GDPR be improved?

By Alun Baker, CEO, Clario

As we work out what a Britain outside the European Union will look like there is one area where the country would benefit from more, not less, regulation.

The General Data Protection Regulation, known as GDPR, was a great start in protecting consumers and regulating the big tech companies, but there is a huge amount more that can be done, and Britain is in a great position to become a world-leader.

The law, implemented in May 2018, was designed primarily to regulate the way businesses use data and to give individuals control of their personal information. But while GDPR has changed the way organisations and people think about personal data, it has not changed the way they act.

Currently, big corporations like Facebook profit from the data they compile on users and for the most part they conform to the European law. But, in 2015 when news broke of the Cambridge Analytica data scandal, people worldwide expected Facebook to be made an example of. In reality, the organisation was fined £500,000 in 2018 by the UK Information Commissioner’s Office.

Facebook got away practically scot-free, all because the violation occurred in 2015, before the implementation of GDPR. Regardless of when this oversight and incompetence occurred, should we not punish these companies for clear negligence, however long ago it occurred? Facebook’s revenue in Q4 of 2018 hit $16.9 billion, and when you consider they facilitated one of the biggest data breaches in history, £500,000 doesn’t sound like much money.

More recently, Marriott International, the owner of the Ritz-Carlton and Marriott hotels, received a £99 million fine for exposing 339 million guests’ records. The fine fell days after a £183m fine for British Airways for a similar breach. Evidently, the threats businesses face from cyber-attacks are constantly evolving, and being completely watertight is a sizeable challenge.

Surely it is time to look at a new penalty structure? One which looks at an organisation’s data breach history, its size and who is at fault. Marriott International was fined twice within the same week, once in the United Kingdom and once in Turkey. The fact that the company failed in quick succession would indicate negligence and justify a fine that makes a business reconsider its operation.

Currently, the maximum fine set out by the European Union is €20 million or 4% of a company’s annual global turnover. But why does it seem these maximum guidelines are never tested? These penalties have to be punitive enough that organisations do not consider them an acceptable cost of doing business. When consumers enter their personal information they are led to believe they are entering a trusting relationship, with standards in place to protect them. It is surely in everyone’s interest to impose these fines so organisations do not turn a blind eye in favour of profits.

If a public business were to break accounting laws, misleading the public, those responsible would face the prospect of a custodial sentence. Why, then, is stock trading considered any different from trading people’s personal data? They both share monetary value. I believe it is because personal data is viewed as an issue that only affects the consumer, whereas in the financial world the knock-on effects on large businesses, stakeholders and financial institutions cause heads to turn.

In January we received welcome news from the Government when they announced that laws will be introduced to protect future IoT devices from being susceptible to hackers. A timely introduction, but again this law is focused on corporations and not on consumers. Don’t get me wrong, this new Government push encourages me. But our lawmakers need to understand the general consumer’s feelings towards data, and why there isn’t more passion about keeping personal information out of big tech corporations’ hands.

In a world where our whole lives are being mapped out, with a digital footprint evaluated for ad targeting or profile creation, there is a lack of education. Consumers need to better understand the threats they face and how to keep themselves and their data safe.

With GDPR we currently find ourselves with a strong foundation and a unique opportunity to improve. In this ever-connected world, constant evaluation and updating is essential, and there has never been a better time to act than now.

About the author

Alun Baker has more than 20 years’ experience in growing and transforming technology companies such as Oracle, Merrill and Accenture. He also founded the first careers and mentoring social network, When You Grow Up.

Baker is driving Clario to revolutionise and disrupt an entire industry currently characterised by complex, technology-based messaging that drives fear and confusion into the consumer market. As our digital lives grow, he believes that consumers need a champion in an overly complex cybersecurity industry.

About Clario

Clario Tech Limited is a London-based cybersecurity company. It was founded in 2019 to disrupt the security software industry by securing people’s digital lives with a human, customer-focused approach to cybersecurity and by acting as a consumer champion.

Led by CEO Alun Baker, Clario employs more than 800 people, including a large number of Apple Certified Tech experts, and is launching its new product in Q1 2020.