In recent weeks, most of us have been deluged by a flood of emails asking if we’d like to stay in touch with a certain company or charity. That’s because on 25 May, the European Union’s General Data Protection Regulation (GDPR) came into effect. The basic idea is to create one set of rules to modernise data privacy laws across European member states, currently including the UK.
‘Personal data’ includes names, addresses, location data, phone numbers and IP addresses, as well as ‘factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. This includes biometrics such as face, fingerprint and iris recognition, and genetic information. So, in other words, it includes any kind of personal data that can be used to identify you, even if the company doesn’t have your name or address.
GDPR affects the way any company or organisation (and especially those with over 250 employees) gathers, processes or stores the personal data of EU citizens. Companies who fail to comply and breach the new regulations can be fined up to 4 per cent of their global annual turnover or up to €20 million (£17.6 million).
UK citizens welcome their new privileges and protection, according to a survey from data management company Veritas, and 40 per cent of people plan to request access to the personal data a particular company holds on them. The survey shows people are most likely to request data from financial services companies, including banks and insurance companies (56 per cent). They’re also likely to request data from social media companies (48 per cent), retailers (46 per cent), former, current and potential employers (24 per cent) and healthcare providers (21 per cent).
It’s not surprising that following events such as Facebook’s data breach and the US election controversy, the spread of fake news from Russia and the rise of online fraud in the UK, people are taking much more of an interest in the way their data is used by various businesses. ‘With a flood of personal data requests coming their way in the months ahead, businesses must retain the trust of consumers by demonstrating they have comprehensive data governance strategies in place to achieve regulatory compliance,’ says Mike Palmer, executive vice president and chief product officer at Veritas.
The survey found that key drivers for people who decide to exercise their rights include respondents not feeling comfortable having personal data on systems that they have no control over (56 per cent of). In addition, nearly half (47 per cent) of respondents will exercise their rights to request personal data and/or have that data deleted if a company that holds their personal information suffers a data breach. Interestingly, a quarter (27 per cent) want to test businesses to understand how much their consumer rights are valued before deciding whether to continue doing business with them.
Testing businesses makes as much sense from the perspective of consumers as it does from that of investors. After all, regulation can affect the way the business you’re investing in operates. William Ball, senior equity analyst at Sanlam UK, argues that the 4 per cent fine could impact companies in different ways. He says: ‘When it comes to significant regulatory change, investors should primarily be concerned with how GDPR may (or may not) change the fundamentals of the businesses they’re invested in.’
One big risk investors should consider when it comes to GDPR is the heavy fines companies could potentially face if they breach the data protection regulation rules. Ball says GDPR could have a significant effect on the advertising and marketing capabilities of businesses.
‘If they don’t get it right, they could be fined up to 4 per cent of annual global revenue. However, the financial incentive to get this right is slightly less significant than for some companies than for others. Compare Microsoft and Equifax – in both cases a fine would amount to approximately 1 per cent of their market capitalisation. Assuming operations in the past fiscal year, the maximum fine for Microsoft amounts to around 10 per cent of their cash flow, but for Equifax it would amount to 43 per cent.’
Russ Mould, investment director at AJ Bell, agrees that the possibility of material fines can affect companies in different ways. He says: ‘This is perhaps most relevant for consumer-facing firms such as retailers, tour operators and leisure companies. It seems logical that they will have a smaller database following the GDPR rule changes, so they will have to try harder with marketing in order to collect customer data or find other ways of getting hold of people’s contacts details, such as email addresses.’
He points out that it will be interesting to see if publishers, as well as advertising agencies or even technology companies such as Facebook and Google (who dominate online advertising) also start to feel the effects of this change in their capacity to advertise digitally.
Nor are they the only businesses likely to be hit. ‘Royal Mail has also suggested it might impact letter volumes due to reduction in direct mail marketing. Pubs group Wetherspoons, which has also closed its social media accounts, chose to wipe its entire database rather than contact people to get permission to keep them on marketing lists.’
But Ball adds that GDPR will ultimately be a good thing for companies, assuming they abide by the rules. ‘It will protect them from future data breaches and, particularly for technology firms, it increases the barriers to entry and costs for new competitors to enter the market.’
This feature was originally published in Money Observer, 8 June 2018: https://www.moneyobserver.com/gdpr-what-investors-need-to-know