Described by some as the “new oil” for the digital economy, there is no doubt that data are now seen as critical for organisations to succeed. Data affect all businesses and industries, and dealing with data is an issue for the whole business as it affects every team within an organisation.
Data as a core asset
It is fair to say that there has been a real shift in the market regarding data over the last few years. The rapid emergence of new innovative technologies and the digitisation of businesses have enabled greater collection of data and, crucially, the ability for organisations to better interrogate and analyse that data in order to drive business and extract value.
In turn, the commercial value attributed to data has increased dramatically as organisations strive to use their data to predict and respond to customers and market influences in ways that were not previously thought possible.
It is therefore no surprise that data are starting to become the cornerstone of an organisation’s strategy and one of the most effective tools with which to build a new information-driven business model and through which to help a business grow.
However, attributing a value to that data is less clear cut for a number of reasons. Data tend to generate value indirectly, with their power harnessed by the technological tool through which they are processed. There is also not necessarily a correlation between the volume of data and their value. The disruptive effect of data therefore forces reassessments of traditional notions of trade and economic exchange.
The value of data has also sparked new global trends in mergers and acquisitions as companies look to buy other companies simply to ensure access to this valuable asset or to the underlying technology to realise that value.
Regulatory balancing act
There is, however, a sting in the tail. Just because technology unlocks new opportunities for organisations to innovate, it does not mean that the law will allow it. The use of data introduces significant new risks and challenges for a business to navigate within the relevant regulatory landscape. These are amplified by the scale of big-data-related activity and the potential intrusion and harm to individuals. It is therefore unsurprising that data have caught the attention of various regulators.
The tension between innovation and regulation is not easily resolved, and balancing the two concurrently is something that regulators have been grappling with and will continue to grapple with. As ever, technology and innovation are evolving faster than the frameworks that regulate them. The increasing pervasiveness of technology is matched by a corresponding rise in the relevance of, in particular, data protection, privacy and cyber security regulation.
Only time will tell where the balance sits in the regulatory tug of war. However, regulatory considerations remain key when developing any commercial strategy around data, and they go beyond specific data protection legislation alone, taking in, for example, competition law and any overlap with sectoral regulation.
Data protection regulation is the first place to look when navigating data regulation. Given that the current EU Data Protection Directive (95/46/EC) was first established in 1995, the existing regime was ripe for reform, and the General Data Protection Regulation ((EU) 2016/679) (GDPR) was the tool to tackle it. From 25 May 2018, the GDPR will instead apply to all organisations established in the EU, or offering goods or services to individuals in the EU, or monitoring their behaviour.
The GDPR provides an enhanced compliance framework and seeks to give individuals genuine choice and ongoing control over how their data are used. This is twinned with a technology-neutral approach and express provision for some of the novel concepts associated with the use of data, for example, profiling and automated decision making.
The key to GDPR compliance is not just in satisfying a checklist of requirements; it requires a business-wide effort to change an organisation’s attitude and operational approach to data protection, privacy and cyber security compliance, as well as the way in which compliance pervades an organisation.
The increased sanctions regime under the GDPR has no doubt been a major catalyst in forcing organisations to focus on data protection and cyber security risk management. It is also a primary reason that data protection and cyber security have been elevated to board-level issues in the last 12 to 18 months. With maximum fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater, for certain breaches, the existing monetary penalties of up to £500,000 under the current Data Protection Act 1998 (DPA) pale into insignificance.
Businesses can take some comfort from the fact that the Information Commissioner’s Office (ICO) has indicated that fines will continue to be a last resort and that top-level fines will not become the norm, in line with current practice. However, the prospect of the new penalties gives rise to a very different risk assessment for organisations. In addition to financial penalties, organisations also need to consider the equally significant risk of reputational damage from getting it wrong.
A successful GDPR implementation programme is therefore not simply a static strategy in the domain of a legal or compliance team; it is an evolving exercise and requires engagement from a range of business functions across an organisation, such as IT, cyber security, HR, compliance and procurement to name but a few. Oversight and buy-in from senior executives, governance, training and ongoing review will also be fundamental to building a culture that ingrains privacy and the new principles into the fabric of an organisation and its overall strategy.
As well as the challenges that the GDPR brings, a well-run GDPR programme also brings with it opportunities beyond simply achieving compliance. It goes without saying that it can build customer confidence and improve internal data handling.
The GDPR is also an opportunity to consider a broader data transformation that could benefit a whole business by streamlining existing data management platforms to add value and lower cost as well as bringing greater flexibility to be able to respond more readily to any future regulatory changes.
In turn, this enables an organisation to better use its data and better engage with the new and exciting opportunities that emerging technologies will continue to generate.
With increased outsourcing to the cloud and other external third-party hosted services as well as an increasingly complex supply chain for businesses, strategies for leveraging data also give rise to potential vulnerabilities and a range of risks that need to be understood and mitigated, particularly in the context of cyber security.
The GDPR introduces a new requirement for all controllers to notify the appropriate data protection authority of a breach, for example following a cyber attack involving personal data. This marks a significant change from the present regime, under which notification to the ICO is not mandatory, although the ICO encourages notification for serious breaches.
Along with the increased sanctions, mandatory reporting is intended to act as an incentive to invest more time and resources in cyber security and IT resilience.
The rise of intelligent technologies also provides employers with increasingly sophisticated ways to monitor their employees. No longer are employers focusing solely on equipment and data loss prevention, for example, by installing CCTV to monitor who accesses confidential materials; they now have the ability to monitor and analyse employees’ communications, professional performance, and even their health and lifestyle choices.
Employee monitoring policies can often be vague, alluding to a broad right of the employer to monitor and intercept employee communications without providing specific scenarios or details of safeguards. The DPA contains relatively few provisions regarding employee monitoring.
However, recent case law developments (particularly the recent decision by the Grand Chamber of the European Court of Human Rights in Barbulescu v Romania (61496/08) ECHR 742), together with the focus on transparency that will come with the GDPR, should give employers pause for thought: not only will they need to be far more explicit about the employee monitoring they undertake, but they may find it tougher to justify certain monitoring activities.
Employers therefore need to be smart about workplace monitoring (including more advanced forms of monitoring, such as profiling and automated decision making).
Big data getting bigger
It remains to be seen whether the GDPR successfully brings the EU data protection framework up to date with our digital era. However, one thing is for sure: with big data only getting bigger, steering a course through the regulatory challenges will remain key.
For more detail of the issues discussed in this blog post, see the feature article Data use: protecting a critical resource.
For more information on the GDPR, see EU General Data Protection Regulation toolkit.
For more information on cyber security, see Cybersecurity toolkit.
For more information on employee monitoring under the GDPR, see Processing employee data under the GDPR (UK): checklist.