Connect with us
Finance Digest is a leading online platform for finance and business news, providing insights on banking, finance, technology, investing,trading, insurance, fintech, and more. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.


Yves LeRoux, Co-Chair of the (ISC)2 EMEA Advisory Council (EAC).

Yves LeRoux

Yves LeRoux

Instead of promoting themselves via email campaigns, Wetherspoon’s will advertise its offers on its website – a significant move for a company that as of 2015 used email as a marketing method for at least 656,723 of its customers. Many in the media suspect fear of the upcoming General Data Protection Regulation (GDPR) and its strict data compliance laws has steered Wetherspoon’s decision.

It’s an unprecedented, if not altogether unsurprising move as one of the requirements of GDPR is that, even if a company obtains customer consent to use their personal data, that data cannot be processed or used for any other purpose other than that for which consent was given. If they wish to do so, they must state how the data will be processed and for what purpose, when obtaining consent. This will help ensure, for example, that if a customer permits Google to use their browsing data to personalise their search results, they won’t subsequently receive an unwanted text from another company using their search history to sell them a product. A worthwhile regulation that will protect the rights of individual citizens in a digital age. However, for a data-driven economy that depends on our ability to find new ways to extract value from masses of user information, the potential implications are worth considering.

Both the United Kingdom and the European Union have encouraged and embraced the data-driven business model. Everything from smart products and services, such as travel apps that generate personalised routes through to the use of algorithms and machine learning to predict consumer behaviour, depends on the ability of businesses to harvest, analyse and share vast amounts of data, some of it now considered personally identifiable under GDPR. The UK government’s 2017 Digital Strategy points out that the UK is a global leader in “opening up public datasets to drive… business growth” and has created an “innovation environment that has fostered many successful data-driven companies.” Importantly, the government notes that the success of Britain’s data-driven economy derives from the fact that the “lower costs of collection, storage and processing – coupled with rising computing power – are making this data a rich, raw material.” However, GDPR will dramatically shake-up this model.

GDPR will inherently increase the cost of collection, storage and processing the data, as companies will be required by law to obtain explicit consent from every data subject, not just for new data, but for all data collected in the past. Critically, harnessing rising computing power to extract commercial value from data often depends on the ability of organisations to make their data available to others for analysis. Companies will now have to obtain explicit consent for this profiling to take place if it is to involve any personally identifiable data or the profiling itself could make a subject identifiable.

Overall, the regulation will increase the costs and risks of storing personal data. As is already suspected with Weatherspoon’s, many businesses could simply erase any ‘dark data’ (data of unknown value). As the deadline for GDPR implementation looms, there is the possibility that companies could delete far more of this than is necessary, dramatically shrinking the data pool that is essential to fuelling our digital economy. Billions of pounds’ worth of valuable information could be lost forever before its economic benefits have been fully realised. What’s more, companies could become reluctant to share their consumer information with third parties for analysis, inhibiting their ability to extract value from data.

In order to avoid killing off big data entirely, it is essential that companies look at GDPR not as a tyrannical enforcement, but as an opportunity to become more informed about the data they hold and its value. Organisations must use GDPR as the spur to do a thorough ‘stock-check’ of all their data, instead of simply mass deleting their data archives. A thorough data audit may reveal information that warrants the effort of obtaining consent to use.

Regulators should take account of the scale of the task involved in compliance and the level of progress to date, recognising that it may well be in the public interest to show lenience to companies, particularly if they are making a genuine effort to comply.

It’s a daunting task for many companies trying to achieve full compliance within the required timescale. In establishing a GDPR Task Force, the (ISC)2 EMEA Advisory Council has worked to accumulate the experience of those of our members who are working on the front line of compliance across Europe, and outside it. It’s clear from their reports that many companies are only just getting to grips with the task. The Task Force has worked with these professionals to develop 12 areas of activity and related tasks that serves as a high-level overview of the work required, including who needs to be involved.

The Task Force’s reports have truly highlighted the immense efforts companies are undertaking to comply. One participant told us they had 10-20 people dedicated to achieving compliance with GDPR; another medium-sized company estimated 36 full-time equivalents and none have reported feeling that they had adequate resources. Many businesses face a variety of challenges, from managing employee policies around downloading data onto personal laptops and devices, to securing consent for historical personal data obtained in non-digital formats.

Adding to the challenge, guidance on many aspects of the legislation is still being issued by governments across the region, demonstrating the enormity of the task of compliance. Last month, the Danish government issued a staggering 1,500-page report to help firms comply with the law.

We would hope that enforcers will acknowledge all of this, despite current reports of regulators now hiring extra trial lawyers and enforcement officers in anticipation of the law coming into force. GDPR has the real potential to help businesses navigate the minefields of data they hold and encourage more responsibility in its management. Unduly harsh action could hamper a prospering data-driven economy in Europe.

Continue Reading

Recent Posts