In your opinion, why was GDPR so necessary in an era of rapid technological change?
The answer is in the question. It is the very fact that we are in an era of rapidly changing technology and advancement that has created a need for greater protection around the use of data relating to an individual. It’s often overlooked that each variable of data relating to an individual is as much a part of them, their identity, their personality or their well-being as their DNA. It all needs safeguarding so that it isn’t open to exploitation or abuse.
Your organisation handles huge volumes of data. When did the business start to prepare and what areas have you invested in to make sure you’re compliant?
We started preparing for GDPR over two years ago. Significant investment has been made right across Callcredit and there isn’t a single part of our company that has not been involved in GDPR. As an organisation working in the credit reference agency sector, data is at the heart of our operations and people naturally expect us to prioritise privacy and security.
What do you see as some of the biggest challenges facing businesses as they strive to comply with GDPR?
I think that very much depends on the make-up of each company and within each company it will vary across functions. For companies reliant on third party data for marketing purposes GDPR may have systemic consequences. So survival may be their biggest challenge. For others, the main challenge will be to understand when they need consent and when other grounds such as legitimate interest can be relied upon for storing and using data. From a technology viewpoint, one of the biggest challenges has been their “starting position”. By this I mean how compliant organisations already were with previous data protection legislation.
Will GDPR affect the way Europe deals with global organisations like Facebook that harvest and use data in the way that the Cambridge Analytica matter has shown?
I’d rather hope it makes European citizens think about how they interact with global organisations. The power of such global giants comes from the sheer volume of consumers using their sites on a daily basis. Consumer demand will be the “stick” to drive best practice. Government intervention isn’t enough on its own and often simply results in more court cases and richer lawyers.
Do you think tighter restrictions will make it more difficult for businesses to extract commercial value from big data?
I think we’ll see smart businesses investing in machine learning to a greater degree which may mitigate some of the additional cost associated with GDPR compliance. However I don’t like the word “restrictions” in this context. What GDPR is saying, essentially, is that if you want to use an individual’s data you need to do so in a transparent manner, as they have the right to know what you are doing with it.
How do you see the future of data collection and storage evolving?
I think this is somewhat of an overwhelming question to end with! Expectation has shifted to a position where we want goods and services available instantly. A lot of that is premised on having data about ourselves available in real time for decision making. We become accustomed to it and it sets certain expectations. Is it possible to have that, whilst at the same time having an effective regulatory regime that safeguards consumers, but doesn’t prevent them getting what they want?
With regulation comes cost and this can make it more difficult for new entrants to enter the market and effectively challenge the large corporations in any meaningful way. So what I see over the next 12 months – which for many in the world of data is a long time – is a period of taking stock, not just in relation to GDPR but also PSD2 in Europe and our own Open Banking initiative, launched in January.