On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) takes effect, requiring any business that collects or tracks customer data to revamp how it handles that information. Many companies view the regulation with either denial or outright fear. But the GDPR is an opportunity in disguise.
Though the new rules were hatched in Europe, they apply to any company processing the personal data of people in the European Union, wherever that company is based. The potential penalties are huge: fines of up to 4 percent of a company's annual global revenue for noncompliance. Despite this enormous risk, only a fraction of firms will be fully prepared by the deadline, according to surveys.
U.S. companies have been especially slow to recognize their exposure. “We call them ostriches,” says Richard Hogg, IBM’s Global GDPR Evangelist, noting the long lead time industry has been granted. “Regulators are expecting companies to be ready. There will be no grace period.”
But, if handled right, the new regulation will force businesses to get a better handle on their data, which will help them harness its value, build stronger bonds with their customers, and make their systems more secure.
"You figure out your data, who has it, and how you're going to clean it up," says Dan Kirsch, a senior analyst at Hurwitz & Associates.
“This is a defining moment to build trust,” says Cindy Compert, chief technology officer for IBM’s security team. “Companies that handle privacy mindfully are going to be the winners in this.” For those firms that want to ensure customer loyalty and brand preference, making their practices transparent will likely turn into a competitive advantage.
A new regime
The GDPR replaces Europe's Data Protection Directive of 1995, adopted when dial-up was still the norm and social media was not even a glimmer in someone's eye. Implemented through national laws that varied from country to country, the old rules lost relevance in a world in which technology companies built business models on the collection of personal information. The GDPR, by contrast, is a regulation that applies directly and uniformly across the EU.
At its core, the GDPR revolves around consent. Consumers will have more say about how companies collect and use their information. Requests for personal data will be upfront and worded in plain language, and consent must be as easy to withdraw as it was to give. Customers will also be able to have their data deleted under the "right to be forgotten" (the right to erasure), and to request a digital copy of the personal data a company holds on them and move it to another business, be it a bank, an insurance company or a wireless provider (the right to data portability).
On the compliance side, companies will have 72 hours from becoming aware of a personal-data breach to notify regulators, unless the breach is unlikely to put individuals at risk; where the risk to individuals is high, the affected people must be told as well. Security, experts say, becomes a fundamental principle under the regulation's requirement of data protection by design and by default, commonly called "privacy by design."
The key to satisfying regulators, says Nick Coleman, IBM’s global head of cybersecurity, will be demonstrating a culture of compliance. It begins, he says, by compiling a complete inventory of company data. “Lots of companies are still trying to figure out where their data is held,” he says. “This is about getting control of it.”
The fines for serious violations are set to balloon to a maximum of 4 percent of a company's annual worldwide revenue, or €20 million, whichever is greater. The penalties have grabbed the industry's attention, but experts say focusing on them misses the point.
“The mind-set of regulators is less about the big stick in the cupboard and more about building a system worthy of trust,” says Ardi Kolah, director of the GDPR Transition Program at the Henley Business School in London.
Kolah says companies should be worrying more about other hazards of breaking the rules. An EU regulator, for example, can now order a company to limit or stop processing data altogether, freezing its ability to operate on that data. Consumers may also file class action lawsuits against companies suspected of misusing their personal information.
“It’s not about sanctions but saving your own skin,” he says. “Some clients say they will just pay the fines, but you can’t put a price on reputation.”
A wake-up call
The new regulation promises to be especially jarring for companies outside Europe. "It's just now hitting the consciousness of American companies, and they don't have much time," says Duncan Brown, an executive at International Data Corporation (IDC). "If you're running a hotel chain in California, it's probably the furthest thing from your mind."
The process requires a change in mind-set. In fostering the growth of Silicon Valley, the United States largely ceded control of consumer data to technology companies. Europe, by contrast, has a long history of privacy protections.
“When I first came to the United States, I was horrified by the amount of personal information asked of me,” says IBM’s Hogg, who grew up in the United Kingdom. “And once you’ve given it, it’s gone.”
Compert notes that the United States has no universal data-privacy law. “The vast majority of Americans don’t know how much personal data is collected on them,” she says. But the landscape is changing, she explains. Congress, for example, is now considering a national data-breach notification law. A ballot initiative in California would give consumers more control over their online personal information. “American consumers are starting to wake up,” she says. “The huge breaches are causing an uproar over how data is managed, and it all comes back to building trust.”
The new rules present a chance for companies to put data security at the forefront of operations, Kirsch says. Further, for the businesses that meet the new standards, Hogg says, the opportunities to use data in new ways will multiply. Companies, for example, will be able to cater more specifically to their customers, with those customers' explicit permission.
“It’s not just about responding to their ideals and desires,” Hogg says, “but tailoring and personalizing, or even forecasting offerings for consumers.”
Perhaps most importantly, companies will be forced to develop responsible data policies. “This is about data ethics involving a wider and higher sense of purpose,” Kolah says. “Away from the naked pursuit of profit.”
This article was prepared by our partner, IBM, and edited by Techonomy Media.