The eyes of the financial services world are on the EU’s upcoming PSD2 regulations, with many jurisdictions watching how the European market evolves and responds to regulations that support data sharing and open banking, while maintaining data security. But there’s another, less talked-about regulation coming in on the heels of PSD2, and it’s one that Jeff Nicholson, vice president of CRM product marketing at software company Pegasystems, says is a “sleeping giant.”
It’s General Data Protection Regulations (GDPR), and new research released this week from Pegasystems confirms that awareness of the rules is low. That doesn’t mean companies can ignore the need for compliance, however. As more regulations in data protection continue to form, businesses are kept on their toes and respond appropriately to consumers’ control and ownership of their own data.
According to Pegasystems research, only 21 percent of consumers actually know what GDPR is. But when those consumers are informed of their rights to request their personal data from businesses and gain greater control over how those companies use it, 82 percent say they will actually exercise those rights.
“A large number of European citizens are not yet aware of the legislation coming in, and it seems to be a ‘sleeping giant,’” Nicholson told PYMNTS in a recent interview. “It may be lulling some EU companies into a false sense of security because there is not a lot of talk right now. There is a lack of readiness, in many ways, and companies are possibly not taking this as seriously as they should.”
While announcing its own survey, Pegasystems also cited research from Gartner that found more than half of businesses affected by GDPR will be non-compliant by the end of 2018. As Nicholson warned, that includes companies outside of the EU, too.
“This legislation is perceived as an EU-only thing, but that’s not the case,” he said. Any company, whether within the EU or not, that interacts with an EU citizen’s data must comply with GDPR rules. “You’re on the hook,” said Nicholson, and companies need to pay attention.
Risk of Non-Compliance
Of course, the first risk that comes to mind if a business finds itself non-compliant with GDPR is the threat of a fine. Earlier this month, research from insurance company Zurich shed light on this risk for small businesses, many of which must comply with the GDPR’s requirement to have a data protection officer (DPO) on staff who specializes in data security. Researchers found that 85 percent of small businesses surveyed would, indeed, be impacted by GDPR rules in some way, yet 44 percent said they were so far unaware that they would be required to hire a GDPR officer.
Under GDPR rules, fines can reach up to 4 percent of annual turnover, or a maximum of about $24 million. Nicholson said that the fines are issued on a sliding scale based on the size of the company, so SMBs are certainly less exposed to GDPR risks than large corporates – but that doesn’t mean SMBs are in the clear.
“From what we’re seeing, small businesses are less aware [of GDPR],” the executive said. “Though I would suggest that they have less to be worried about.”
Zurich seemed to disagree, warning that a tenth of SMBs hit with the maximum fine for non-compliance under GDPR would be forced to cease operations. However, Nicholson noted that regulators have indicated they will take into account the size of a company and how any fines would impact that firm.
Open To Interpretation
GDPR comes into effect in May, but on top of a lack of awareness about the regulations, Nicholson said that the law is largely one that will be left up to member states’ and corporates’ interpretation of the rules. Even companies within the same industry may be interpreting the legislation differently.
That means, so far at least, it’s unclear how GDPR might impact entrepreneurs, freelancers, gig workers or small businesses that act as the consumer of service providers that manage customer data.
Nicholson noted that the legislative language of GDPR applies only to personal data, not company data. But when a small business owner’s home address is the same as her business address, and when personal credit information is used for business financing purposes, the lines certainly become blurred.
“These things become very intertwined,” he said. “That’s personal data being expressed and, at least in many interpretations, will be applicable under GDPR.”
Lack of awareness and clarity regarding exactly how to interpret GDPR will be a challenge, especially for small businesses that not only store customer data, but that have their own data that may be interpreted as consumer data under the law. That may be all the more reason for companies to listen up and get educated now – because, according to Pegasystems, there are even more implications for companies affected by GDPR.
This includes an impact on the customer relationship and customer trust; Pegasystems research found that business behavior such as robo-calls, marketing irrelevant products to customers or even a poor customer interaction could initiate a customer’s request for data. And whether it’s a small business facing potentially crippling non-compliance fines, or a major corporation that’s suddenly faced with data requests from thousands of customers, the business world cannot afford to ignore GDPR (even if, so far, consumers are).