We look back on two years of GDPR and celebrate the positive impact on software development.
Happy birthday GDPR! 25 May marks two years since the General Data Protection Regulation (GDPR) became enforceable across the EU. It applies not only to businesses in Member States but also to any organisation that collects or processes personal data about individuals in the EU, which makes GDPR one of the world's most robust privacy and security laws.
It sounds pretty ominous – so it’s no wonder that many businesses were worried before its introduction in 2018. One report from 2017, for instance, found that 86% of firms were concerned that a failure to adhere to GDPR could have a major negative impact on their business. One in five feared that non-compliance would put them out of business.
The challenges of GDPR
The fear was probably justified for many of these companies. Marketers have been using consumer data to improve online experiences and personalise communications for years, but from a cybersecurity perspective many have done so rather recklessly. Data sat in silos, stored, shared and edited (and left to gather dust) across multiple applications and networks, and on paper in filing cabinets. Rules on who could access and use that data were lax, and it was consumers who suffered, either through data breaches or through bombardments of unwanted marketing emails.
Overhauling these systems, adopting new technologies, consolidating data and ensuring it is strictly managed will have seemed like mammoth tasks to businesses.
However, while some firms were worried about keeping to GDPR's robust rules, regulators were probably just as worried about the firms that weren't even aware of the rules. Alongside the climate of fear there was a general lack of knowledge of the regulation. A report by NTT Security, for example (again conducted before implementation), found that half of European companies were seemingly unaware of GDPR's implications. The least GDPR-ready was the UK, where only 39% of companies identified the law as a compliance concern.
The biggest fines for GDPR breaches
Whether through lack of preparedness or the growing sophistication of attackers, in the two years since the regulation became enforceable a number of big businesses have taken big financial hits. These include British Airways and Marriott: in July 2019 the Information Commissioner's Office (ICO) announced its intention to fine them £183.39 million and £99.2 million respectively for data breach related violations (these were notices of intent rather than final penalties, and the amounts could still change). The companies didn't just suffer financially; exposing the payment, log-in, travel and personal details of their customers also severely tarnished their reputations.
Those figures are substantial, but it's the number of people affected that businesses really need to be aware of. When the credit reporting agency Equifax suffered a data breach in 2017, for example, it was reported that the data of 143 million consumers could have been compromised. That breach predated GDPR, so the ICO's penalty for the UK impact was capped at £500,000 under the Data Protection Act 1998; under GDPR the maximum is 4% of worldwide annual turnover or €20 million, whichever is higher.
This may all sound pretty grim, but we opened this blog with 'happy birthday GDPR', and it's a happy birthday for a reason. The two-year run-up to 25 May 2018, and the period of adjustment that followed, gave many businesses the opportunity to re-evaluate how they store, share and manage their customers' and employees' data. Until then, many businesses, especially SMEs, had made do with legacy database systems that might not have been the most secure, streamlined or effective, but that served a purpose.
The positive outcomes of GDPR
GDPR has forced positive change. Business leaders can no longer afford to be complacent. Instead, data security and solid data management must be built into every platform update and application build, which is what the regulation calls data protection by design and by default. At AppDrawn, we build it into every system we design, from customer portals to SaaS product development and business dashboards, with any data migration underpinned by strict security practices. We also help to ensure that those using the platforms we build have a clear understanding of privacy and GDPR.
One of our clients relies on advertising revenue, for example, so good user metrics are really important to their business and to their sponsors. We worked to ensure that end-users of their portal were clear on consent regarding their data, and on the benefits available to them in return. In this case, the end-users were largely from an enterprise background and so typically had a sound comprehension of privacy and GDPR. But this isn't always the case. Another client wanted to launch an app in an exclusively consumer space, and neither the client nor their end-users were very familiar with GDPR. In this case, we provided simple guidelines so that all parties were clear.
We design and build bespoke applications – which includes tailoring data privacy and security to the needs of our customers and their end-users. In every project, it’s hugely important that we understand what GDPR actually means in practice – and what it means for that particular client – which enables us to deliver the right-fit solution. So, happy two years of GDPR and, with the right approach to application development, we look forward to many happy years ahead!