Consumer demands for data privacy under the incoming General Data Protection Regulation (GDPR) could cause serious disruption for businesses, according to specialist technology law firm Boyes Turner.
In a risk analysis report on GDPR, the law firm warned that the Information Commissioner's Office (ICO) is expected to launch a major PR campaign in early 2018, alerting consumers to their new rights as “data subjects”.
This could lead to class action litigation where consumers feel their privacy rights have been breached, Boyes Turner predicted.
“If consumers are encouraged to take up their new GDPR privacy rights en masse, the impact on a wide range of businesses could be more disruptive than the tech-driven consumer empowerment forced by the likes of TripAdvisor,” said Sarah Williamson, partner at Boyes Turner.
Williamson added that this would impact on supply chains. “GDPR is set to become a huge issue in the supply chain,” she told SM. “If you’re outsourcing data processing services, the imposition of direct obligations onto processors down the supply chain does not exonerate or detract from your liability to your customers.”
The paper also warns that the rise of data processing using artificial intelligence presents a risk to companies. Despite GDPR coming into effect in less than a year, regulatory certainty around the processing of data by algorithms does not yet exist. The ICO has only recently closed a consultation on the subject.
Williamson said: “If robotic decisions about data handling risk breaching GDPR obligations, organisations could be leaving themselves wide open to challenge. With official guidance not available, organisations need to internally test where algorithms could be leaving them exposed to huge fines and business disruption.”
GDPR is due to come into effect on 25 May 2018. It aims to create a single legal framework across all EU member states. The UK will still be included despite Brexit.
The law adopts a risk-based approach to compliance, requiring businesses to take responsibility for self-assessment of the level of risk that their processing activities pose to data subjects.
Top fines for breaches under the European regulations will be as high as €20 million or 4% of annual global turnover – whichever is the greater.
Some companies are so far behind in preparing for GDPR that they won’t be fully compliant by May 2018, Williamson warned.
“While some companies we spoke to are well ahead of the game, many have a long way to go,” she said. “Full compliance by May 2018 will simply not be achievable for many.”
Williamson added that companies should view GDPR as an opportunity rather than merely a compliance issue. “It is an opportunity for those who want healthy relationships with customers to adopt a best-in-class, privacy by design approach,” she said. “This must apply up and down supply chains. If your company wants the competitive advantage that goes with this, you’ll need to know that your suppliers are taking the matter as seriously.”