By David Roe, CMS Wire
In December 2016, the European Parliament and Council finally agreed on the terms of the EU General Data Protection Regulation (GDPR), first proposed in 2012 and due to go into effect on May 25, 2018. The GDPR offers a new framework for data protection with increased obligations for organizations. The regulation will be applicable to any organization that offers goods or services across the European Union (EU).
While the EU already has regulations that it can use to curtail the actions of companies that are deemed to break data privacy rules, these newest laws have real teeth. Companies that breach the regulations will be liable for fines of up to €20 million or four percent of global revenue, whichever is higher. But that’s not all. GDPR also obliges companies to:
Notify their national supervisory authority within 72 hours of data breaches that put individuals at risk
Build data protection safeguards into products and applications
Apply the same rules across the board when they offer goods or services within the EU
Comply with a single European law for data protection replacing the current inconsistent patchwork of national laws
For many companies both inside and outside the EU — keep in mind that the regulation applies to U.S. companies too — the introduction is causing a great deal of anxiety with many companies spending millions of dollars to become compliant. However, the GDPR is not about penalizing companies, it’s about protecting consumers’ personal data and there are a number of positives that will help many companies. Here are eight of them.
Sam Pfeifle is content director at the International Association of Privacy Professionals (IAPP). The IAPP is international organization dedicated to protecting privacy and helps train professionals on the use and implications of privacy regulations and best practices including GDPR.
He said that the GDPR is an opportunity to revisit all enterprise data holdings, examine the consent attached to them, and either re-establish or establish for the first time, the relationship with organizations’ customers. When done right, a GDPR compliance program will help organizations better understand the value of their data, help build trusted bonds with customers, and give them better insight into what communications and messaging their customers value. “The last two years have seen marketers focus on brand purpose, with brands looking to associate themselves with various causes, from the me too movement to, right now, reduction of access to guns by various retailers,” he said.
GDPR is likely to be an impetus toward companies taking on privacy as their brand purpose and that is likely to resonate with the customers in a good way, as they get more savvy about how their information can be used once they have provided it to companies.
Better Targeted More Relevant Advertising
Philadelphia based start-up Clarip specializes in making the consumer-enterprise relationship more transparent by offering insights into the data collection process. Andy Sambandam is the new CEO and founder. Customers today, he said, expect advertising to be relevant to their lives and delivered according to their preferences. Giving customers the choice when and how they will accept advertising is only going to improve customer satisfaction. Because of the cost of acquiring a customer, businesses that lose existing customers through their marketing efforts will be at competitive disadvantage.
A strong privacy program is also a critical component in fighting data breaches, he added. A data breach can bring a wave of negative publicity, lost customers and a significant drop in share prices for publicly traded companies. “If a data breach does happen, those companies that have taken data privacy [seriously] from the beginning will be in a better position to retain customers and recover from the negative consequences,” he said.
Reg Harnish, CEO of GreyCastle Security, a cybersecurity services provider based in New York, said that if a company can show that it cares about the privacy of its customers, employees or anyone it does business with, then it will only benefit that organization. The new regulation requires organizations to really think about how their data flows. In addition to providing what personal data exists within their organization, they will also have to show why the information is being held, how it is collected, when it will be deleted or anonymized, as well as, who gets access to it.
“Simply having the answers to all these questions will no doubt improve your business because you’ll have a better understanding of your assets, where the vital information is located, and you’ll have the security measures in place to protect that information,” he said.
One of the biggest obstacles to achieving GDPR compliance is obtaining what the legislation refers to as informed consent, according to Zachary Paruch product manager and legal analyst at UK-based Termly.io. “Unfortunately, the soon-to-be-enacted regulation does not explicitly define what is meant by this,” he said. “However, it can and should be assumed that the owners of online enterprises will be required to ensure that adequate measures have been taken to not only inform users of their data collection practices, but also get their express consent before collection any personally identifiable information (PII).”
This will allow online enterprises to use targeted ads and emails for their marketing campaigns to greater effect. They won’t be obliged to create “catch all” marketing content that has the chance to convert users at all stages of the conversion funnel.
Better Understanding of Oranizational Data
John Snyder, CEO of Grapeshot says that GDPR will force a moment of self-reflection and present organizations with the opportunity to become ‘the best versions of themselves. Companies will have to relearn how to create top-of-funnel awareness and engagement without using non-opted-in audience data as a crutch.
Most brands have more first-party customer data than they know what to do with. That real data is far more valuable than the third-party cookie IDs that they had, not just because it can’t be taken away en masse like third-party data. “Brands who invest in understanding their first-party data will be even better equipped to reach more relevant audiences in the soon-to-be post-GDPR world than they were pre-GDPR,” he said.
Building Brand Trust
Scott Amyx is an author that has worked with the European Commission, PwC and IBM in the EU on GDPR. He said that the most marketable aspect of GDPR is the brand trust. “Though from an auditing perspective, it’s difficult for consumers to evaluate the rigor of a company’s GDPR implementation, the fact that they are dealing with a ‘compliant’ company gives them more assurance that their personal data is adhering to the privacy mandate,” he said.
He points out that there is still discussion on what the scope of who falls under the GDPR. A foreign company selling into EU is subject to GDPR. However, it is still not clear, for example, whether, in the case of a foreign company that sells outside of and where that product is then brought into the EU if that product is subject to GDPR? There are numerous other similar examples, according to Amyx.
Increased Legal Protection
Finally, Luc Burgelman, CEO of customer data startup NGDATA points out that GDPR creates a legal framework for them to share their data, offering them a new level of protection and transparency that did not exist previously. Consumers know exactly how and why their data will be used, since they have the right to give or reject consent before that information can be used. As a result, customers may be more likely or open to sharing their information since they have more autonomy over its use and know it will be fully protected,” he said.
Ultimately, since the cost of ignoring GDPR is too high — between fines, and the loss of customers who do not feel their data privacy is respected – enterprises are forced to reevaluate the way they handle consumer data, and to install new processes enabling the consumers’ right to “own” their data.