The run-up to the launch of the EU’s General Data Protection Regulation (GDPR) in May 2018 has been mired in concern and confusion.
Although the ePrivacy Regulation could have a broader, more deeply felt impact, the heft of the GDPR’s requirements have made it a focal point – especially so in my industry, digital advertising.
Some European businesses have called the measures “draconian” while others have expressed fear it will “rip the global digital ecosystem apart.” Others have admitted that they really have no idea what the new legislation will mean for them.
One thing that most people are aware of, however, is that non-compliance could result in severe reputational damage and fines as large as €20m, or up to four per cent of a company’s global revenue.
But concern shouldn’t stem solely from the threat of steep fines, and companies should not be preparing for change purely because of the potential risk to their image.
Privacy has grown to become a leading issue for European consumers, and that needs to be reflected in the region’s business practices. It is, after all, a fundamental human right, one that companies must not forget when they use customer data to decide and execute their business activities.
The launch of the GDPR should be viewed by companies as an opportunity to change their corporate culture for the better. It is a chance to rethink approaches to problem-solving with respect for privacy at their core, shifting the way businesses deal with data and consumers – starting now.
EU Rules Gone Global
GDPR and the related ePrivacy Regulation are not just lists of stringent rules companies have to follow; they are a call for businesses everywhere to transform the way they gather, analyse, store, and move data by putting privacy concerns front and centre.
In fact, GDPR doesn’t just affect companies in the EU; it also applies to organisations based elsewhere that collect or process the personal data of EU residents. Companies big and small will soon be responsible for meeting these regulations, which means firms across borders will be competing under the same set of rules.
GDPR provides greater control over personal information, including the right to be forgotten, and data access and portability. It will also expand the current definition of “personal data” to include a category of “tracking data” like cookies, mobile device IDs and IP addresses.
Some companies are focused on addressing these specific requirements, tweaking procedures here and there in order to ensure compliance.
But such an approach misses the point of this new legislative overhaul: GDPR represents Europe’s progressive effort to inspire a culture of respect for consumers, personal data and privacy across the globe. Moreover, it imposes the creation of a detailed compliance programme for companies processing personal data, instilling the key principle of privacy by design into the company’s processes.
Rather than tackling the legislation like a side project, companies should see these changes as an opportunity to revamp and improve their corporate culture, fostering a business philosophy that puts consumers – and their privacy – first.
Privacy by Design
To effectively comply with this revolutionary legislation, companies will need to do more than hire an individual or team to handle it. They’ll need to invite their data privacy experts to work closely with all levels of the business, starting from product development.
This idea is commonly referred to as privacy by design. It stipulates that companies manage data privacy issues and concerns throughout the entire lifecycle of the product. Data privacy isn’t just something to be added to a finished product, it needs to become a company-wide norm.
Organisations can enable a privacy-by-design approach by breaking down silos between experts and the other business areas. By bringing concerns into key meetings with everyone from the chief technology officer to the heads of sales and marketing, companies can foster the culture of privacy necessary for compliance.
Consumers Go First
GDPR presents companies with an opportunity to refocus on what matters most: the customer. Rather than addressing privacy for the sake of compliance alone, firms can make it a key part of their customer-centric business strategy in order to stay ahead of the competition.
In part, that means bringing consumers into the loop on how companies use de-identified or hashed data which does not identify individuals in the same way as a name or address does. For example, in the digital advertising ecosystem, no one party will be wholly accountable for this. Stronger working relationships must be built between brands, agencies and technology companies to ensure every party is aligned, compliant, and transparent, both with each other, and with the consumers whose data they use.
Many businesses have already taken the regulatory changes as a chance to work together to ensure the internet benefits all parties.
Rather than being concerned, afraid, or confused about the new legislation, companies can address consumers’ concerns and in doing so, gain an edge over the competition by thinking differently about privacy.
In pushing data privacy forward in Europe and beyond, GDPR is encouraging companies to build a corporate culture that revolves around consumers’ concerns. If all businesses do this with consumers at the forefront of their minds, they will be better equipped to build relationships, craft highly relevant and enjoyable experiences, and ensure the internet is suitable for generations to come.