Friday Highlight, May 18 2018

Why GDPR will become a weapon in activists' hands

In less than one month's time, financial services companies, along with the rest of the UK, have to deal with the advent of another, equally onerous, piece of regulation: the General Data Protection Regulation (GDPR).

Much has already been written about the extent to which organisations are ready to deal with GDPR. With just a few weeks to go until the May 25th implementation date, there is evidence to suggest that a large number of organisations remain blasé about, and ill-prepared for, the requirements ahead.

Even for the many companies who have invested time in understanding the mechanics of GDPR, the reality of life after 25th of May is only starting to sink in.

Amongst many in the corporate world, there is a burgeoning realisation that the new rights afforded to data subjects are open to considerable abuse.

Under GDPR, any individual whose personal data a company holds, not only EU citizens, will be able to request from that company a copy of all the data being held about them (the right of access, Article 15).

At present, most companies hold data in disparate databases. Some use outdated email archives that convert all electronic communications into email format for storage, while others just take snapshots of social media exchanges.

Searching for a named person and their associated online identities will involve not just one search but several, possibly tens of searches, to ensure every piece of information is found, right down to a direct message (DM) sent over Twitter.

Even once all the searches are complete, the results still need to be correlated, so that they can be sent to the individual and/or assessed to determine whether the data can be deleted, or whether another legal obligation (such as a record-retention requirement) overrides the request.

For each request, a company will need to invest a significant amount of time sourcing this data. Failure to respond within one month (extendable by up to two further months where requests are complex or numerous) exposes the company to a fine of up to €20 million or 4 per cent of global annual turnover, whichever is higher.

Those who are experienced in the world of corporate crises may see the potential for this to be used as an additional weapon by activist stakeholders looking to take reprisals against an organisation.

A sufficiently motivated group will now be able to cause significant financial damage to an organisation through waves of data requests.

Take the recent challenges faced by Facebook and Cambridge Analytica as an example. 

Facebook has suffered severe reputational and financial consequences on the back of its failure to meet its users’ desired standard of data protection. Its share price fell as a lack of confidence in the handling of the situation began to worry shareholders. 

Perhaps the most publicly damaging consequence was the #DeleteFacebook campaign. Launched by activist stakeholders, the campaign resulted in half a million people publicly stating that they would delete their Facebook profile.

As the dust settled on the Facebook scandal, reports have suggested this campaign did not have a substantial effect on the total number of Facebook users. 

But in a post-GDPR world this situation could have been much more damaging. 

Activist stakeholders upset by Facebook’s actions would be able to demand that Facebook provide them with every piece of recorded data from their profile history.

Should Facebook refuse, "they must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month".

Failure to comply fully with the data request would result in fines, and in pressure to upgrade systems so that they are able to comply with GDPR.

While the financial and administrative burden would likely be bearable for larger firms, for many companies this type of malicious weaponisation of GDPR could be much more damaging.

Regardless of size, firms will be forced to respond to a large number of requests within one month, taking up vast amounts of resource, whilst highlighting weaknesses in many organisations' data compliance capabilities.

Under GDPR, companies will have to ensure that their storage and processing of data is as comprehensive and efficient as possible, so that they can respond to requests for data quickly and completely.

With adequate organisation, activists will be able to cause disruption and financial loss to businesses with minimal effort by ensuring that vital resources are redirected into dealing with information requests in order to comply with GDPR.

Defending against this new threat will be challenging. However, by streamlining how data is archived, storing it in its native format and enabling easy retrieval of conversations in context, businesses can counter the threat of this new weaponised regulation. 

Shaun Hurst is principal, information governance, for Actiance