By Paul Gillin, Senior Contributor, Connected Futures
It’s time for corporate executives to understand and act on the European Union’s General Data Protection Regulation (GDPR). Why? Because it could be the vehicle driving them on their journey to digital transformation.
But that’s only if organizations respond quickly to become compliant.
GDPR goes into effect May 25, 2018, and is composed of the most stringent set of personal privacy regulations ever assembled. It also promises to affect organizations thousands of miles away from the European continent.
This new regulation replaces the current patchwork of national laws with a single set of rules. GDPR gives new rights to EU citizens about how their personal data is kept and used, the ability to see what data is being kept about them, and the right to withdraw consent under a provision popularly known as the “right to be forgotten.”
What’s particularly caught the attention of C-suite executives is the law’s seemingly onerous penalties. Companies can be fined up to €20 million, or 4% of global sales, for each violation. A single penalty could put many companies out of business.
One recent study in the U.K. warned that the Financial Times Stock Exchange (FTSE) 100 companies could face fines of as much as £5 billion each.
Fortunately, most experts don’t expect that organizations will be hit with heavy fines for minor violations. “Everything about the current regulations is based on the seriousness of the breach. I’m a firm believer that there would have to be a similar approach” to GDPR enforcement, said Darron Gibbard, former head of risk and information security services at Visa Europe Ltd.
He thinks it’s more likely the EU will establish a sliding scale of fines based upon the number and severity of violations. “I think [the penalties are] more about fear and forcing organizations to take privacy more seriously,” he said.
Organizations that take a proactive approach to compliance can actually find multiple silver linings in GDPR’s dark cloud. Among them are the opportunity to clean up entrenched data quality problems and put governance procedures in place. Those two actions could yield great benefits including reducing costs, improving responsiveness, and protecting against a growing wave of cyberattacks. GDPR may even enable the groundwork for digital transformation.
Understanding the opportunities in GDPR starts with clarifying the numerous myths and misconceptions about it:
Myth 1: The regulation applies only to organizations that have a physical presence in Europe.
Reality: The law covers all EU citizens, regardless of where they are located. That means nearly any company of substantial size is subject to GDPR.
Myth 2: Personal data collected before the regulation goes into effect is "grandfathered" and doesn’t have to be protected.
Reality: All personal data is subject to the new rules, regardless of when it was collected.
Myth 3: GDPR standards don’t apply to all customer data. Records that are relevant to an ongoing relationship – such as an existing contract or service-level agreement – can be retained as long as the agreement is in effect.
Reality: GDPR’s impact will be most felt in sales and marketing organizations, which gather data about people who don’t have a business relationship with the company and often use it repeatedly for messaging. Under the new rules, consumers must opt in to receive such messages and can opt out at any time.
Getting Your Data House in Order
One of the most immediate benefits of GDPR is simplification. The regulation replaces a complex jumble of 28 different sets of country-by-country regulations with a single set of rules and point of authority.
The regulation is also an opportunity for companies to get their data governance practices in order. Years of siloed processes, acquisitions, and weak or nonexistent data quality practices have left many companies with multiple copies of the same data scattered across the organization.
In the quest for digital transformation, such fragmentation is a liability. GDPR is an opportunity to create a single version of the truth.
“Many businesses are taking this opportunity to find out what data they have, and where it’s stored,” said Gayle McFarlane, a commercial lawyer at Eversheds Sutherland, a global provider of legal services to businesses.
For example, email folders can host all kinds of sensitive information that’s invisible to anyone but the mailbox holder. “It’s not always clear where that information ends up. Now’s the opportunity to pause for thought,” McFarlane said.
“The size and extent of the penalties for non-compliance should offer organizations all the inspiration they need” to perform necessary data cleansing and integration, said Charles King, president of Pund-IT, an IT analyst firm.
In particular, the regulation is a chance to embrace master data management (MDM), a discipline that unifies disparate data about a business into a single, canonical record.
Harmonizing data can yield all sorts of efficiencies. For example, many retail organizations keep multiple stockpiles of the same product because of incompatible stock keeping units used by their suppliers. An MDM process identifies such redundancies. Salespeople who have a single view of all customer interactions can more effectively identify opportunities or solve customer problems. Also, many organizations will unearth data or services they’re paying for but don’t use or need. Taking stock of data provides for “a better understanding of one's business and discovery of irrelevant relationships and expenses,” King said.
Organizations may also discover other issues that have been lurking under the covers, such as failed compliance with other regulations. “Uncovering hidden problems is one benefit of a thorough housecleaning,” King said.
A data audit can also reduce legal liability by enabling companies to discover data that’s still being kept in corporate archives but shouldn’t be. Retaining data on hand longer than is necessary can have adverse consequences in legal discovery proceedings years down the road. Yet, more than four in five information technology decision-makers admit that they keep information that isn’t relevant or useful to the business, according to a study by the Data Genomics Project, which is underwritten by Veritas. GDPR is an excuse to clean house, save on storage, and minimize legal risk.
Information security organizations can use GDPR to get funding and executive attention they badly need to fight the epidemic of cyberattacks, thanks to stringent new disclosure rules. Currently, organizations are under no responsibility to report data breaches, but under GDPR they must notify EU authorities within 72 hours or face penalties. Locking down systems has liability and reputational benefits, but also pays off in customer loyalty.
“The digital economy can only flourish when you [create] an environment in which everyone can easily do business and know their data is safeguarded,” wrote Michelle Dennedy, vice president and chief privacy officer at Cisco.
Less tangible but no less important are the benefits of improved customer trust. GDPR was sparked by growing consumer worries that organizations don’t adequately protect the data they collect about their customers. One U.S. study found that 68% consumers fear that brands put their personal data at risk.
Practicing full compliance – and making sure that constituents know you are doing so – can enhance customer relationships in meaningful ways, said Catherine Tucker, a professor at MIT’s Sloan School of Business.
“If businesses take a narrow viewpoint of ensuring compliance, they will potentially have less useful data and customers who have no reason to trust them, which is a lose-lose,” she said. “But if they ensure that customers feel in control, then those customers may be willing to share even more data. That’s a win-win.”
Eversheds Sutherland’s McFarlane agreed. “The GDPR is set up to ensure that the individuals your business engages with have faith that you are being transparent and honest in dealing with their data,” she said. “Better information management, focused data collection and security can be game-changers in terms of efficiency and productivity.”
So far from being a noose, GDPR can also be a lifeline. Given that the regulation defines the rules of engagement for years to come, acting quickly to become compliant is a sound strategy.