INVESTING

Navigating GDPR – threats and opportunities

Harriet Parker

Harriet Parker, Investment manager, Liontrust Asset Management

As more of our lives are carried out online, protecting personal or corporate data from theft continues to offer opportunities for investment.

Harriet Parker

Harriet Parker

Several businesses are finding better ways to protect this growing area of the economy and Enhancing digital security has been a key theme across our Sustainable Future funds for many years. This theme is becoming ever-more important with a number of high-profile breaches recently leading to growing concerns about how personal data is managed and the new European General Data Protection Regulation (GDPR) coming into force on 25 May this year. This requires companies to prove they understand where data is held and who has access to it, and also introduces stricter rules on security and processing.

From a scale perspective, it is important to note this regulation does not just apply to EU businesses but to any company holding European data – and the penalties for non-compliance are considerable, with fines up to €20bn or 4% of revenue, whichever is higher.

Key requirements under GDPR:
Increased rights for data subjects, the right to “be forgotten” and data portability
Software developed with security in mind (privacy by design and by default) 
Pseudonymisation or encryption of personal data
Secure processing of data 

Initial research from Ernst & Young suggests that half of relevant companies will not be fully compliant with requirements by the deadline, suggesting the regulation should be a catalyst for higher IT spending in Europe over the long-term.

Areas set to benefit include vulnerability management, security analytics, identity and data protection technologies, and storage software.

Although we see many organisations allocating additional spending to comply with GDPR, a good proportion of this money looks set to be channelled towards external advisory services, benefiting companies with greater involvement in this area. But if half of companies are not yet prepared, we believe there could also be an upsurge in demand for cyber security products.

Our GDPR focus is twofold: we continue to look for businesses benefiting from the Enhancing digital security trend but as many of the companies in our Funds have to comply with the regulations, it has also become a key engagement issue.

Initial research last year showed corporate disclosure on this issue was limited and we continue to assess the level of preparedness among our holdings. Smaller companies with fewer resources could be at significant risk, for example, given the potential fines and loss of consumer trust.

In the lead up to the GDPR deadline, we have been investigating other opportunities among the growing number of companies innovating in the digital security space. This spans a broad range of businesses, involving analysis of vendors, master data management (MDM) companies and larger systems integrators and consultants with a high percentage of revenues coming from products exposed to digital security growth.

Current holdings with exposure to this include pure-play security software providers such as Sophos in the UK and Splunk in the US.

Sophos provides information technology security and data protection products, offering protection against viruses, malware, spyware, intrusions, unwanted applications, spam, policy abuse and data leakage. Splunk develops web-based application software that collects and analyses data generated by websites, applications, servers, networks and mobile devices and its products can be used alongside traditional digital security products to better assess threats, incidents and responses.

We will watch the impact of GDPR in the months after May with interest: when similar rules came into force in the Netherlands, for example, there were over 1,000 breaches in the first 100 days. It will be here that we get to understand how well companies have prepared. As a digital security expert said to us recently: “You’ll never know when you’ve overspent on security, but you’re sure to find out when you haven’t spent enough.”

To Top