Everything investors need to know about GDPR (...it is very important)
Thursday 22 Jun 2017 Author: Steven Frazer

Many investors may feel they are drowning in an already vast sea of acronyms but GDPR is one you really need to know about. The General Data Protection Regulation is set to be enforced from May 2018, and these new rules have huge ramifications for every company listed on the stock market, and beyond.

GDPR is a new set of laws designed to instil greater accountability and transparency over the collection and use of personal data of EU citizens. The rules protect data such as name, location, identifying numbers, IP addresses, cookies, and RFID (radio-frequency identification) tags, as well as sensitive personal data such as health information, genetic and biometric data, race, ethnicity, political opinions and sexual orientation.

Why it matters to investors

Outside of the obvious preference for some personal data to remain secure, there are also massive financial implications for organisations because of the stiff financial penalties of non-compliance. Fines could hit 4% of revenue, sums that have the potential to do serious damage to a company’s earnings and therefore damage their share price and the value of shareholders’ portfolios.

An illustrative example is TalkTalk (TALK). The broadband and phones business was targeted by hackers in October 2015 and its response was widely criticised as a case study in what not to do.

When clients ask how to respond to a hacking attack, Ian Mann, chief executive of cyber security consultancy ECSC (ECSC:AIM), says he tells them to ‘do the opposite of what TalkTalk did.’

Costly ramifications

In the wake of the attack TalkTalk was reported to have lost around 100,000 customers and incurred substantial brand damage. Shareholders were dealt the additional blow of watching more than £650m wiped off the value of TalkTalk shares in the following weeks.

The company was fined £400,000 because of internal failures, but it could have been much worse had GDPR rules been in place then. Manchester-based IT security consultancy NCC (NCC) estimates that a GDPR-based fine would have come in at £36m, a figure that would have wiped out the company’s £14m pre-tax profit reported for the full year to 31 March 2016 twice over.

Fines handed out to UK companies by the Information Commissioner’s Office (the UK’s data watchdog) in 2016 totalled £881,000. NCC estimates that under GDPR that figure would have hit £69m.

NCC boss Rob Cotton is one of many industry voices to have been calling for organisations to take cyber security more seriously for years. So has Peter Yapp, a deputy director of the UK’s National Cyber Security Centre (NCSC), a government advisory organisation. ‘Board level buy-in’ has been one of the biggest impediments to businesses adopting Cyber Essentials, a government-sponsored badge system to help organisations assess their cyber hygiene. Implementing Cyber Essentials ‘will stop 80% of attacks,’ says the NCSC’s Yapp.

Brexit won’t affect GDPR, for now

The timing of GDPR might appear odd given the start of Brexit talks with EU partners this week, which may call into question its relevance in the UK for the long haul.

‘Our research shows that many companies remain significantly unprepared for GDPR,’ explains Peter Roe, analyst at the TechMarketViews website. Many UK businesses are thought to have put GDPR planning on the back burner, mistakenly believing it would no longer apply to them once the UK left the EU. In reality, the UK will remain part of the EU for some time beyond GDPR’s implementation.

Many organisations are now in a race against time to meet the May 2018 deadline, and many complex problems will need to be solved, with ‘customer data spread among many disparate databases,’ says Roe.

‘Institutions will find it very difficult, and expensive, to coordinate all this data and to be able to guarantee its integrity, security and, if required, its complete deletion. Much work still needs to be done, in less than 12 months, to provide the necessary systems and governance.’

For investors, assessing a company’s GDPR-readiness and compliance is yet another important consideration when judging a company as a potential or ongoing investment. (SF)