If the thought of reading about an EU regulation causes you to fall asleep, don’t blink.
In one year’s time, the General Data Protection Regulation (GDPR) will mean consumers will have the right (among other things) to demand a business extract all data held on them, hand it over to a competitor, and afterwards delete the original records.
At the click of a button a major source of competitive advantage could be handed to a rival.
Across consumer-facing businesses, this is an uncomfortable scenario. Think of a car insurance business, to take a sector at random, and its diligently collected history of claims, claims notes, questionnaire answers, methods of payment, and car telematics data. This information, used to better understand customers and price products, would evaporate.
There’s more: failure to comply will result in fines of up to 4 per cent of annual global revenue or €20m, whichever is greater. Based on previous performance on data security, our research suggests that the FTSE100 could face fines of £5bn a year, once the regulation takes effect.
In addition to rivals poaching data, we could see a company – such as one of the global technology giants – create “data passports” for consumers.
The data passport provider would collect your personal data from multiple sources – from retailers to banks to car insurers – store the information in its own databases, and request that the original records be deleted.
In this scenario, your information can be ported to any third party only when needed, such as to make a purchase or get an insurance quote. With sufficient scale, the data passport company could aggregate groups of users with similar spending habits (such as heavy mobile data users or frequent hotel visitors) to get bulk deals on their behalf.
For those of us who take our privacy seriously – and our Britain’s Digital DNA research shows that 57 per cent of Brits are worried about sharing their personal information online – such a service will be very welcome, and could transform how we shop, what we buy, and from which companies.
In the face of this potential disruption, what should you do if you are on a management team in an affected consumer business?
First, build a defensive “moat” around your most valuable consumer data. Under GDPR, explicit customer consent for data storage needs to be obtained and refreshed. Customer journeys to erase or port their data need to be compliant, but no more. When consumers ask that their data be erased, preserve as much of the anonymised content as possible for future decision making.
Second, think about how to use the GDPR to attack rivals and even businesses outside your own industry. There is nothing to stop, say, a financial services company getting consumer permission to request their data from a technology company, or vice versa.
But doing this will place a significantly greater burden on the data capabilities of a typical business, making experienced chief data officers and data-engineering teams, already in short supply, in even higher demand.
Finally, our view is that a few innovative businesses will apply the data passport business model outlined above. Their success will be based on an outstanding customer proposition, a high level of trust, smart ways of monetising data to the benefit of the customer, and outstanding capabilities in integrating, processing and managing data.
As the countdown to the full implementation of GDPR passes the one-year mark, there is plenty for executives to be thinking about, and compliance is just the start.
Offensive and defensive data strategies have the potential to disrupt and transform how consumers share their data with businesses, and what those businesses need to do to maintain and deepen their customer insights.
Chris McMillan is a partner in Oliver Wyman’s data and technology practice.