GDPR: Could the threat of harsh fines spell the end of big data?

Yves LeRoux explains why the EU’s upcoming General Data Protection Regulation (GDPR) could lead some firms to delete their commercially-valuable databases altogether.

Instead of promoting itself via email campaigns, Wetherspoon’s will now advertise its offers on its website – a significant move for a company that as of 2015 used email as a marketing method for at least 656,723 of its customers. Many in the media suspect fear of the upcoming General Data Protection Regulation (GDPR) and its strict data compliance laws has steered Wetherspoon’s decision.

It’s an unprecedented, though not altogether surprising, move: one of the requirements of the GDPR is that, even if a company obtains a customer’s consent to use their personal data, that data cannot be processed or used for any purpose other than the one for which consent was given.

If a company wishes to use the data for other purposes, it must state how the data will be processed, and for what purpose, at the time it obtains consent. This will help ensure, for example, that if a customer permits Google to use their browsing data to personalise their search results, they won’t subsequently receive an unwanted text from another company using their search history to sell them a product.

This is a worthwhile regulation that will protect the rights of individual citizens in a digital age. However, for a data-driven economy that depends on our ability to find new ways to extract value from masses of user information, the potential implications are worth considering.

Both the United Kingdom and the European Union have encouraged and embraced the data-driven business model. Everything from smart products and services, such as travel apps that generate personalised routes through to the use of algorithms and machine learning to predict consumer behaviour, depends on the ability of businesses to harvest, analyse and share vast amounts of data, some of it now considered personally identifiable under the GDPR.

The UK government’s 2017 Digital Strategy points out that the UK is a global leader in “opening up public datasets to drive… business growth” and has created an “innovation environment that has fostered many successful data-driven companies”.

Importantly, the government notes that the success of Britain’s data-driven economy derives from the fact that the “lower costs of collection, storage and processing – coupled with rising computing power – are making this data a rich, raw material”. The GDPR will dramatically shake up this model.

The GDPR will inherently increase the cost of collecting, storing and processing data, as companies will be required by law to obtain explicit consent from every data subject not just for new data, but for all data collected in the past.

Critically, harnessing rising computing power to extract commercial value from data often depends on the ability of organisations to make their data available to others for analysis. Companies will now have to obtain explicit consent for such analysis (profiling) to take place if it involves any personally identifiable data, or if the profiling itself could make a subject identifiable.

Overall, the GDPR will increase the costs and risks of storing personal data. As is already suspected in Wetherspoon’s case, many firms could simply erase any ‘dark data’ (data of unknown value).

As the deadline for GDPR implementation looms, there is the possibility that companies could delete far more of this than is necessary, dramatically shrinking the data pool that is essential to fuelling our digital economy. Billions of pounds’ worth of valuable information could be lost forever before its economic benefits have been fully realised.

What’s more, companies could become reluctant to share their consumer information with third parties for analysis, inhibiting their ability to extract value from data.

In order to avoid killing off big data entirely, it is essential firms look at the GDPR not as a tyrannical enforcement, but as an opportunity to become more informed about the data they hold and its value.

Organisations must use the GDPR as the spur to do a thorough stock check of all their data, instead of simply mass deleting their data archives. A thorough data audit may reveal information that warrants the effort of obtaining consent to use.

Regulators should take account of the scale of the task involved in compliance and the level of progress to date, recognising that it may well be in the public interest to show lenience to companies, particularly if they are making a genuine effort to comply.

It’s a daunting task for many companies trying to achieve full compliance within the required timescale. In establishing a GDPR Task Force, the (ISC)2 EMEA Advisory Council has worked to accumulate the experience of those of our members who are working on the front line of compliance across Europe, and outside it.

It’s clear from their reports that many companies are only just getting to grips with the task. The Task Force has worked with these professionals to develop 12 areas of activity and related tasks that serve as a high-level overview of the work required, including who needs to be involved.

The Task Force’s reports have truly highlighted the immense efforts companies are undertaking to comply. One participant told us they had 10 to 20 people dedicated to achieving compliance with GDPR. Another medium-sized company estimated 36 full-time equivalents and none have reported feeling that they had adequate resources.

Many businesses face a variety of challenges, from managing policies around downloading data onto personal laptops and devices to securing consent for historical data obtained in non-digital formats.

Adding to the challenge, guidance on many aspects of the legislation is still being issued by governments across the region, demonstrating the enormity of the task of compliance. Last month, the Danish government issued a staggering 1,500-page report to help firms comply with the law.

We would hope that enforcers will acknowledge all of this, despite current reports of regulators now hiring extra trial lawyers and enforcement officers in anticipation of the law coming into force.

GDPR has the real potential to help businesses navigate the minefields of data they hold and encourage more responsibility in its management. Unduly harsh action could hamper a prospering data-driven economy in Europe.


Yves LeRoux is co-chair of the (ISC)2 EMEA Advisory Council.


Photo (typing) © Adikos (CC BY 2.0). Cropped.
Photo (EU flag) © MPD01605 (CC BY-SA 2.0). Cropped.

  • Tim Turner

    This article is based on a false premise. The GDPR does not require all personal data to be processed with explicit consent. There are six different conditions that can be met in order to make data processing lawful and consent is only one of them. The need to process data in the public interest, in order to meet the terms of a contract, or for the legitimate interests of the business are equally valid justifications. They’re not as straightforward as consent, but it’s completely misleading to depict GDPR as consent-driven. It isn’t, and the Information Commissioner in the UK has already confirmed that this is the case in a blog on their website.