The Very Strong Business Case for Complying With the World's Toughest Data Protection Regulation
For the past year, a global network of Chicken Littles has warned that the sky will fall on May 25, 2018, when the EU’s General Data Protection Regulation (GDPR) takes effect.
We think they need to look at the big picture. The sky isn’t falling. Far from it, in fact. May 25 presents a new day and a new era for U.S. business. Instead of worrying about whether you have to comply, focus on the many benefits of complying with gusto.
Because even if this new regulation doesn’t force you to change the way you treat personal data, consumers and strategically minded competitors will. Once they have the ability to choose between a company that’s committed to protecting their data and one that’s doing as little as possible to squeak by, the businesses that treat GDPR compliance as a competitive advantage will come out on top.
Here are a few of the GDPR benefits organizations can look forward to:
Consumers aren’t as naive as those of us in technology and digital governance sometimes think. They know data security is a concern, and they have little patience for companies that mishandle data, as one report made clear:
- 75 percent of respondents said they would stop doing business with a company that suffered a breach because the board hadn’t made data security a priority.
- 76 percent said they would stop doing business with a company that was negligent in handling data.
- 59 percent said they would take legal action if their stolen data was used for criminal purposes.
If you need more evidence of how passionate consumers are about data privacy, look at what happened to Facebook’s stock after the Cambridge Analytica scandal. That also sparked the #DeleteFacebook movement, a rallying cry for Facebook users to delete their accounts. It’s had an impact: Facebook pages for Tesla and SpaceX have been deleted, while Mozilla and some other companies pulled advertising.
The pushback won’t stop with Facebook. Awareness is increasing every day, as consumers’ inboxes fill up with notifications from companies updating their privacy policies.
Better data management
The GDPR gives consumers the right to review their data, correct any mistakes, restrict processing of their data and even have their data deleted. According to one survey, 82 percent of EU citizens plan to exercise those rights.
That sounds like a lot of work, so why is it a good thing?
- Giving customers the right to correct information means your data will be more accurate -- so your forecasting, marketing and other related activities will be more accurate, too. You may have less data, but it will have a higher ROI.
- Collecting data on an opt-in model means that your marketing messages will be going only to customers who really want to hear from you, reducing your costs for services that charge by the user.
- The need to meet GDPR requirements can justify making room in the budget for technology upgrades.
Giving consumers the opportunity to correct their data is also another way to inspire trust. If they believe you care about the accuracy of your data, they’ll be more likely to trust you with it.
Because today’s business models so easily criss-cross national boundaries, even U.S. organizations will need to review their data collection and management practices and provide a justifiable reason for needing each piece of data. That’s a great opportunity to engage in some important conversations about how well your digital practices align with your organizational strategy. In particular, it’s an opportunity to ferret out practices that are no longer relevant -- you just do them out of habit:
- More data means more risk. Every piece of data you collect, store or process becomes a liability if you suffer a breach. Why take the risk for data you don’t need?
- For many businesses, customer data is stored not only in databases, but in spreadsheets, emails, etc. -- and, often, in multiple copies of each. Collecting and storing less data makes it easier to meet GDPR requirements for being able to tell customers what data you have, where it’s located, who has access to it and how it’s used. But it also streamlines your processes, eliminating rework and making data easier to find and work with.
While some organizations may choose to pull out of European markets hoping that they can avoid the costs of compliance, we think that approach is short-sighted. We hope that the conversations businesses will necessarily have around GDPR compliance -- on both sides of the pond -- will lead them to embrace the concept of data privacy as part of their corporate identity. We urge organizations not to see it as a matter of compliance alone, but as an opportunity to transform their approach to customer data for all the right reasons.
GDPR compliance is a competitive advantage
Few consumers need a law to tell them that having more control over their data is a good thing. But awareness of the GDPR will increase as businesses send out updated privacy notifications and news feeds fill up with apocalyptic headlines like “GDPR Doomsday!”
And that means that consumer expectations will change, too. If they know there are things you can do to protect their data and to give them more control over it, and you choose not to, that’s going to hurt you. Here are a couple of ways the GDPR will change consumer expectations:
Consumers will understand the true value of their data. The pearl of wisdom that says “There’s no such thing as a free lunch” has been updated for the 21st century: “If you’re not paying for the product, you are the product.”
Today, though, many consumers don’t think about that. They know Facebook and Gmail are free to use, but they often don’t stop to think about where the money to run the company comes from. The GDPR (and the media hoopla surrounding it) is going to be a wake-up call to the fact that the bulk of Facebook’s revenue comes from ads, and that people buy Facebook’s ads because all of the data Facebook has on its users -- information gleaned from posts, likes, shares, friends lists, etc. -- allows buyers to target their ads with extreme precision.
You can also expect consumers to wake up to the fact that even services they pay for -- from their ISPs to their favorite retailers -- fully understand the value of the data they’ve been collecting. Some use it to market their services; others sell it. Either way, consumers will soon realize that businesses see their data as a capital asset. And they’ll be able to make informed decisions as to what they’re willing to trade in exchange.
Having more choices. Today, customers often have to make a “take it or leave it” choice when it comes to handing over their data for the privilege of using a website or app. After the GDPR, businesses that want to be competitive will have to give consumers more options, possibly with varying combinations of pricing and data sharing. The winners will be the ones that give consumers the most value from the exchange.
Moreover, the GDPR mandates that your data be portable. That knocks down “exit barriers.” If a consumer wants to switch service providers, all they have to do is ask you for a copy of their data in a portable format, which they can then pass on to their new provider.
If the sky falls thanks to the GDPR, it won’t happen on May 25. It will happen months or weeks later, when consumers realize that they have a choice between businesses that think they’re entitled to do as they wish with customer data and those that see data privacy as both a human right and a competitive advantage. Which one do you want to be?