“Back in the early to mid 2000s, we were really getting to grips with the idea that threat matters. We focused on protecting data from a combination of external threat and accidental loss. So we were very resilient and that was the flavour at the time,” he says.
During this time Rapp was on the board of Tech UK, and there was a lot of discussion about ‘data protection’ in Europe, and ‘data privacy’ in the US.
“This was the other side of the coin. It was less about the business protecting the data to protect itself, and more about the business protecting the data to protect the individuals whose data it is.”
Rapp then became involved in various working groups that were discussing the General Data Protection Regulation (GDPR). As the world began to wake up to a new era of harvesting and protecting data, Rapp started writing about the subject.
He quickly decided this was a more interesting field. “Information security had become a very technical but also a slightly weaponised discipline, full of former military people who run around shouting acronyms at each other.”
As he explains, “You're in a constant war with the bad guys, and the bad guys have more resources than you – it’s slightly soul-destroying. Because obviously, for the bad guys, that’s their job. They are a well-resourced industry. For you, even as the cyber people inside a bank, banking is fundamentally the job.”
Rapp began to look at data protection in more depth, gaining various professional accreditations in the field. He sold his managed service provider business and built a new company that treated data protection as a serious and practical discipline.
“What’s interesting about the space that we're in, is that, effectively, it has three competing groups of service providers, but it’s still predominantly done in-house. Most organisations despair that they have to do this privacy thing because of the GDPR. They think the GDPR is what privacy means. Whereas, in fact, it's broader than that.”
Rapp describes an ecosystem where companies hire an individual and make it their job to ‘go and fix this problem’ – a near-impossible task.
Rapp says, “Our job is to take an organisation through the privacy maturity journey, so that they actually have privacy embedded operationally in the business, and are properly compliant in the sense of keeping the regulator happy.
“But more importantly, the organisation bakes in this idea of facing the data subject properly and treating the data as if they were stewards of it rather than owners.
“That has a number of consequences. But the main two consequences are they get a better reception from regulators and reduce their regulatory risk, and they get a better reception from data subjects.”
When it comes to those data subjects, Rapp explains that a significant number take their data privacy seriously. “The basic finding from recent research we conducted is that about 40% of people have often made a purchasing decision with privacy as a material component. There are also those who stop using services they've previously used because they find out how their data will be used. You can use privacy to press a commercial advantage.”
Data protection comes with significant regulatory risk, and it’s a complex topic. “The world isn’t the GDPR and that’s it. There are 137 countries that have data protection regulations, but the GDPR only has a bearing on about 40 of them, even if you include the adequacy countries. So approximately 90 countries are actually doing this themselves.”
And data protection rules can even differ within a country itself. In the United States, five states have their own data privacy regulations. Data protection is complicated, and it’s critical to get right.
We asked Rapp what this means for corporate finance professionals, like our audience.
“I think if you're a CFO, you're going to carry the responsibility,” he says. “You have to understand whether the budget you've set aside for appropriate controls and risk treatments is sufficient to mitigate the risk that you face down to an acceptable level.”
In his experience, companies are not pricing the risk adequately. As a consequence, they are underspending – or worse, they’re misspending. He explains that there are companies that are spending a lot of money on data privacy, but not achieving a great deal. He acknowledges that there are people out there who are getting this right, but they are a minority.
Although many companies are aware of the severe consequences for data protection breaches, Rapp feels they often view them as a kind of empty threat.
“The scale of fines – particularly in Europe – is gargantuan. You’re talking about a 4% of global turnover fine for a bad breach of the GDPR. You've now got the potential 6% of turnover fine – added on to the 4% – if you breach some of the new issue market regulations or the new AI rules. But these haven’t happened yet, and so everyone’s gone ‘Ha! It’s not real.’”
But Rapp is concerned that this is a dangerous misconception.
“Regulators move very, very slowly. They do a lot of work in the background – quiet conversations and shoulder tapping. But the quiet conversations and shoulder tapping are not working. It’s sometimes said that recessions happen ‘slowly, and then all at once’. Well, we are about to be in an ‘all at once’ moment with data privacy.
“There's a real risk of it becoming an existential threat. And it just doesn't feel like that because the tempo of enforcement is so slow. But it's one of those mills that grinds very slowly that can grind very, very fine indeed.”
European pressure groups have been a driving force in firing up the regulators. Austrian privacy advocates NOYB – the non-profit pressure group founded by Max Schrems – filed a complaint with the Irish Data Protection Commission against Facebook, regarding the way Europeans’ data was processed after being transferred to the US.
The initial case was brought in 2013. The final judgement was issued in July 2020, agreeing with NOYB. It found that US data protections did not provide protection equivalent to that of the EU – potentially making data transfer to the US unlawful.
Rapp considers the US to be the most challenging region for data privacy professionals – but notes it is gradually becoming more aligned with an emerging global consensus on privacy standards.
“Historically, the US approach to privacy has been fragmented and very complicated. But several things have changed. There have been changes in posture by the Federal Trade Commission (FTC), which is the primary enforcer of privacy outside of financial services.
“Five states have now passed principles-based data privacy legislation. There is a federal data protection bill in front of both houses, with bipartisan support. This is also part of the manoeuvring around trying to enable data transfers from the EU to the US. The US recognises the risk of losing that market.”
Rapp is clear about the importance businesses should be placing on data protection.
“If I were the CFO of a company that was significantly dependent on the processing of consumer personal data, I would want to push this up my agenda,” he says. “I would make sure it's a board-level concern, to reflect the fact that increasingly my consumers are younger people, who are much more alert to this kind of thing. They care much more about ethics and purpose, and this fits very neatly into the privacy sphere.”
But it’s not just customers that businesses need to be concerned about. They also need to consider their employees, who will include similarly privacy-aware individuals.
“There’s a lot of employee data processing that goes on,” he says. “A big part of our work is dealing with employee privacy. We mostly deal with very large organisations that have hundreds of thousands of people globally. And there's an awful lot of personal data in relation to their staff circulating around. For example, psychometric testing data, which is pretty sensitive stuff, moving through six or seven jurisdictions before it ends up going back to the country in which it first started.”
It’s easy for companies to get complacent and treat data protection regulators as being similar to regulators in other areas. “The old-school attitude of ‘a fine is just the cost of doing business’ just doesn’t fly – partly because of the power to shut you down, and partly because your consumer customers will care.”
Another pitfall to avoid is taking a narrow view on what exactly constitutes a data breach. Many companies focus on the external risks from cybercrime such as data theft or ransomware. But data breaches are not just bad actors stealing data from your company – in fact that’s a minority of cases.
“Confidentiality breaches tend to be inadvertent misuse, or often, incorrect destinations. For example, ‘I forwarded this to the wrong person’, and ‘I left it on the train’. There was a case in Japan, where somebody lost an entire prefecture’s universal database of citizens because they left it on the train.”
A better way to look at data privacy is through the lens of ‘data abuse’ – misprocessing data, and using it in ways that are not legal. Rapp points to Italy and Spain as examples of countries where the data privacy regulators are concerned about data abuse.
“This is something that we think people don't look at enough. They spend far too much time looking at German, French and Irish regulators, as well as the US and the UK. But the enforcement tempo in Spain, in particular, is much higher than it is inside the UK or Ireland. They're carrying out more than 50 enforcement actions per quarter, compared to an average of one or two in the UK or Ireland.
“If you're British, French or German – or in the US – I don't know whether you’re looking at the scale of the fines being levied by the Garante in Italy. But I think if you're an Italian CFO, you've probably woken up.
“The reality is that the risk of fines is real, and growing. It’s a ticking time bomb.”
Rapp’s final piece of advice: “The first thing is to make sure that you're doing privacy governance properly. You sit on the board. You are ultimately responsible for stewardship of the money. Make sure that you are asking the right questions internally, and that your privacy governance reports actually address the risks that are out there.
“Make sure that you understand the breadth of privacy regulation. Understand it is not just about protecting data against breach of confidentiality to third parties. If you make that mistake, and are driven by your overfocus on cyber risk, then you're massively underestimating the other risks that we face.
“The second thing is – and this is transparently commercial – get yourself benchmarked. Understand where you sit versus best practice, versus the competition. You do this in every other area. There is a real reluctance, I think, to go outside the organisation. But you need that outside view. You need that extra horsepower.”