Digitally Thinking

Data protection risk in 2020: a business case for compliance.


In 2018, the year the GDPR came into force, around 2.2 billion people had their data exposed in some way as a result of a data breach. Compare that with 2020, where the total number of individuals affected is closer to 300 million. Although there were more data breaches, fewer data subjects were affected in total. This suggests a shift in focus away from large, targeted breaches towards a broader and more indiscriminate approach in which small and medium-sized businesses are in the crosshairs. Another trend I've seen recently is attackers breaching security with the objective of accessing and stealing valuable source code. FIFA and Battlefield, two huge video game franchises, have both had their proprietary source code stolen in the past few years, in breaches that did not involve personal data at all.

Customer demand for more personalised experiences, built on technology and data, is also growing. A recent YouGov poll found that only 16% of consumers feel the brands they engage with understand their needs, yet around 70% of consumers feel that the processing of their personal data by business is immoral. The Adobe Trust Report found that 71% believe data collected from digital interactions benefits only the company and not the individual. The last Information Commissioner (Elizabeth Denham) focused heavily on building trust in the data economy and prioritised that objective throughout her term, but this will take much more time.

Risk categorisation

As organisations grow, they tend to become more focused on understanding and managing their risk, and to allocate it to categories such as "reputational risk", "legal risk", "termination risk", "cash flow risk" or "service delivery risk". Data protection presents an interesting challenge for risk managers because a single adverse event can give rise to several of these types of risk at once; they are not always readily apparent, and they are so closely connected that it is hard to quantify any one of them precisely. Risk also changes over time, and in data protection both the compliance picture and the consequences of a breach evolve with it. Reputational risk from data breaches is on the rise, especially in a saturated market where competitors are ready to snap up any dissatisfied customers.

Several factors can make reputational harm worse. One is brand awareness: the better known your brand, the more exposed you are. If your main competitor starts or stops doing something and you don't react, you can look weak or behind the times for failing to adapt in the same way. Shifts in consumer perception driven by news coverage or high-profile kerfuffles can put pressure on whole industries to change the way they operate, and data protection is no different.

The business case

Individuals, whether consumers or employees, are becoming increasingly aware of their rights in relation to personal data. Coupled with the increasingly public nature of data breaches, this means people are more concerned about, and place a greater value on, the protection of their data. But every crisis is also an opportunity. Many businesses now see differentiation on data protection as the next "edge" over their competitors, and as a buffer against the significant fines that could be levied against them.

It is therefore increasingly important to manage data protection risk, and doing so means keeping your finger on the pulse of both the public and the industry you operate in. This is no longer a problem reserved for the risk managers of FTSE 100 organisations: today, processing personal data is risky business for businesses of every size, but it is also essential to maintaining a competitive advantage in most industries, and especially those that operate online.


So how can businesses support consumer demand for greater agency over their data, help sculpt a more privacy-friendly climate for everyone concerned, and promote positive change?

  • Choice - empower people to tell you what their needs are.

a. Consumers want choices around the data they provide. Don't make every field mandatory where you don't have to. Let people provide as much or as little information as they see fit; they will then be more likely to give you some data rather than none.

b. Consumers want you to use their data for specific purposes, and not for others. Setting up a preference centre may seem daunting, but many CRMs offer one as standard. If you can't offer this to your customers, someone else will, and the preference data itself has added value for understanding customer needs.

  • Confidence - Cut out the sneaky stuff!

a. The Cambridge Analytica scandal showed that even with a privacy notice in place, people will still object to large-scale data scraping, and the reputational harm alone can make it not worth the effort.

b. Track and trace brought this into the limelight: it is unsettling for someone to track where you are or where you have been, and there is a reason that law enforcement usually needs a warrant to track someone's location. Yet many people volunteer data about where they have been on the internet without a second thought. According to Cheetah Digital, 62% of people feel uneasy about targeted ads derived from tracking cookies.

c. Consumers find it creepy when smart devices listen in on their conversations and then serve targeted adverts based on them. The fix is simple: ask people for data rather than taking it without their knowledge. Informed customers are empowered customers, and the quality of your data will improve.

  • Transparency - policy policy policy.

a. Privacy policies satisfy a mandatory legal requirement, but having policies in place also tends to mitigate any potential fine. It is always worth writing down what you are doing with personal data and why you make the decisions you make. If in doubt, update your policies; it will very rarely work against you.

b. Low levels of understanding of consumer data protection rights are partly due to the lack of information presented to data subjects. By having policies in place and providing proper information notices about data processing activities, businesses can raise general awareness of data protection rights. One of the new requirements the GDPR introduced compared with the previous regime is that every privacy policy must explain the data subject's rights.

By building data protection by design and by default into every new process (as the law requires), businesses can lead in this area and extract value from offering individuals a better deal, using technology and process to better reflect the ideals set out in the recitals to the GDPR that underpin much of privacy legislation.
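As an added illustration of what "by design and by default" can look like once it reaches the engineering team, here is a small purpose-bound preference centre with data minimisation at the point of collection. It is a constructed example written for this article, not code from the original post or from any CRM product; the purpose names, form field names and the API are all assumptions, and whether consent is the right lawful basis for each purpose is a legal question outside the example. The points it makes concrete are the ones above: only the fields the service needs are mandatory, blank optional fields are never stored, no preference on record means "no", an opt-out takes effect immediately, and code cannot process for a purpose that is not in the privacy notice.

```python
"""Purpose-limited preferences and data minimisation: a constructed example added
to this article. Not code from the original post or from any CRM; purpose names,
field names and the API are assumptions.
"""
from datetime import datetime, timezone

# Optional purposes declared in the (assumed) privacy notice. Core service
# processing such as order fulfilment is handled elsewhere on its own basis.
# Anything not listed here can be neither opted into nor processed for, so
# purpose limitation is enforced structurally rather than by convention.
DECLARED_PURPOSES = frozenset({"marketing_email", "analytics", "personalisation"})

# Sign-up form: only what the core service needs is mandatory (assumed names).
REQUIRED_FIELDS = ("email",)
OPTIONAL_FIELDS = ("phone", "date_of_birth", "postcode")


class UndeclaredPurpose(ValueError):
    """Raised when code tries to use a purpose that is not in the privacy notice."""


def minimise(form: dict) -> dict:
    """Keep required fields plus only those optional fields the person chose to fill in."""
    missing = [f for f in REQUIRED_FIELDS if not form.get(f)]
    if missing:
        raise ValueError(f"required field(s) missing: {missing}")
    profile = {f: form[f] for f in REQUIRED_FIELDS}
    # Blank or absent optional fields are dropped, not stored as empty strings.
    profile.update({f: form[f] for f in OPTIONAL_FIELDS if form.get(f)})
    return profile


class PreferenceCentre:
    """Per-subject, per-purpose opt-in with an append-only audit trail.

    The default is deny: no record means no permission (protection by default).
    """

    def __init__(self):
        self._choices = {}  # (subject_id, purpose) -> bool
        self.audit = []     # (utc timestamp, subject_id, purpose, event)

    def _check(self, purpose: str) -> None:
        if purpose not in DECLARED_PURPOSES:
            raise UndeclaredPurpose(purpose)

    def opt_in(self, subject_id: str, purpose: str) -> None:
        self._check(purpose)
        self._choices[(subject_id, purpose)] = True
        self.audit.append((datetime.now(timezone.utc), subject_id, purpose, "opt_in"))

    def opt_out(self, subject_id: str, purpose: str) -> None:
        self._check(purpose)
        self._choices[(subject_id, purpose)] = False
        self.audit.append((datetime.now(timezone.utc), subject_id, purpose, "opt_out"))

    def opt_out_all(self, subject_id: str) -> None:
        """Honour a blanket opt-out in one step."""
        for purpose in sorted(DECLARED_PURPOSES):
            self.opt_out(subject_id, purpose)

    def permits(self, subject_id: str, purpose: str) -> bool:
        self._check(purpose)
        return self._choices.get((subject_id, purpose), False)


def process(centre: PreferenceCentre, subject_id: str, purpose: str, action) -> bool:
    """Gate an action on the subject's preference; return whether it ran.

    Refusals are audited too, so "why did we not email them?" is answerable later.
    """
    if not centre.permits(subject_id, purpose):
        centre.audit.append((datetime.now(timezone.utc), subject_id, purpose, "refused"))
        return False
    action()
    return True


if __name__ == "__main__":
    # Constructed sample sign-up where the person left the phone field blank.
    profile = minimise({"email": "ann@example.com", "phone": "", "postcode": "HG1 1AA"})
    centre = PreferenceCentre()
    centre.opt_in("ann", "marketing_email")
    sent = process(centre, "ann", "marketing_email", lambda: print("send newsletter"))
    tracked = process(centre, "ann", "analytics", lambda: print("log pageview"))
    print(profile, sent, tracked)
```

The audit list is what a regulator or a complaining customer would ask for: every opt-in, opt-out and refused action with a timestamp. In a real deployment that log would be persisted and the preference check would sit in front of every outbound channel, not just the one shown.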

Sam Crich is a Solicitor in our Digital team. If you need legal advice or support on any of the above, get in touch with Sam on 01423 543 115.
