GDPR: Basic Facts, Company Preparedness and Gaining a Competitive Advantage
01/04/2018
May 25 will be one of the most significant dates this year for many companies, for that is when the EU’s General Data Protection Regulation (GDPR) kicks in. Any organization that holds or uses personal data on individuals in the EU, regardless of where the organization itself is based, should have a plan of action.
Before we get into how the GDPR should be viewed as more than just another item on the compliance checklist, here are some quick facts about the new data privacy law:
- The purpose of the GDPR is to protect the personal data of individuals in the EU and to define a set of principles for how that data may be used.
- Under the GDPR, organizations will need a lawful basis (such as consent) for data processing and must be transparent about what data is being processed, how it is processed, and whether it is shared with other organizations.
- There will be big fines for noncompliance, up to €20 million ($24.1 million) or 4% of worldwide annual turnover, whichever is higher, depending on the severity of the violation.
The GDPR defines personal data broadly to cover everything from a person’s name, profession and demographic information to IP addresses and web browsing cookies to political beliefs. Another strength of the law will come from its somewhat vague wording, which is intended to allow violations to be judged on more of a case-by-case basis. For example, organizations will be required to prove a “reasonable” level of data protection.
Are Companies Prepared?
A number of reports and surveys from the past few months have shown that few companies consider themselves ready for GDPR, and some do not think they will be ready by the May deadline.
This does not mean that companies have not been taking preparation seriously, however.
According to a study conducted by Forrester Consulting of 263 data and compliance decision-makers in the U.S., U.K., Germany and France, companies are setting aside substantial budgets for GDPR and ePrivacy Regulation compliance, with 48% of surveyed firms allotting more than $1 million. Two-thirds of the survey respondents predict that these budgets will increase after May.
Source: Forrester Consulting
(The ePrivacy Regulation, which would replace the current ePrivacy Directive, requires consent to use website cookies and clear opt-outs. It is still in the approval process, and there is no implementation date yet.)
By September 2016, 72% of the surveyed organizations were already preparing for the GDPR, and 57% for the ePrivacy Regulation. Thirty-nine percent of the respondents reported that their organizations were not starting from scratch, as they already had a digital governance strategy in place. Another 35% expect to have one by May.
A majority of the survey respondents also said that their organizations are taking steps to make sure that their marketing and IT vendors will be compliant with the new regulations. These include regular audits, inclusion of GDPR requirements in third-party contracts and new processes that allow documentation of third-party data handling practices.
Beyond Compliance
Despite doubts over preparedness, many firms are viewing the GDPR (and the upcoming ePrivacy Regulation) as a potential source of competitive advantage, not just as another area of compliance, Forrester found.
Forward-looking companies are working to make data privacy a basic principle, both internally and with external services providers. Roughly half of the survey respondents said that the GDPR will lead their organizations to place a bigger emphasis on privacy by design. Thirty-six percent believed that the GDPR will also have an effect on company culture, making it more privacy oriented.
Beyond avoiding the steep fines, potential business benefits include improved brand reputation and higher customer satisfaction and loyalty. More than a third of the respondents said that they expect happier and more loyal customers to result from GDPR compliance, as well as higher brand perception and differentiation in the marketplace.
Some companies are preparing for GDPR by appointing a data protection officer (DPO) to oversee compliance. However, to create a more privacy-oriented company culture, consider Forrester’s recommendation of creating a cross-functional data privacy team. This approach would help ensure that privacy receives buy-in and visibility from all parts of the business.
Externally, treat data privacy as part of a corporate social responsibility agenda and think about ways of improving the user experience of opt-in procedures. As Forrester pointed out, not only can this increase the likelihood of users consenting to data collection, but a good user experience can also reveal additional information, such as what content or frequency of marketing communications customers prefer.