The European Union’s forthcoming General Data Protection Regulation (GDPR) is intended to ensure data protection for EU citizens by setting new rules on how companies can retain and use people’s personal data.
As regulatory rules go, why does this one seem to be generating so much interest and discussion? As companies prepare for the May 25 deadline for GDPR compliance, things are playing out like the plot of a finely drawn melodrama.
Here is why I care about the GDPR and its implicit right to be forgotten, and why I am equally concerned about what I call the “right to be remembered.”
The Specter Rises for Global Impact
The GDPR is intended to strengthen and unify data protection for all citizens of the EU, wherever they live. It also addresses the export of personal data outside the EU. That means the new regulation will have a global impact.
Companies are responding with renewed concern for their governance, risk and compliance (GRC) capabilities, and many are finding the situation challenging.
According to Forrester Research analyst Fatemeh Khatibloo, the GDPR may present difficult data governance hurdles for companies. “Thanks to the new regulation, EU citizens have the right to be forgotten,” she wrote on the Forrester website. “That means, upon a customer’s request, companies will need to wipe clean (and certify those results) all of that customer’s data across the enterprise — including all systems of record, systems of insight, and systems of engagement — raising the bar for data governance well beyond most companies’ capabilities.”
Things Get Complicated and Costly
Khatibloo goes on to note that the right to be forgotten is just one of six core GDPR mandates. Under the new regulation, she says, companies must be prepared to do the following:
- Forget a customer upon request.
- Notify authorities of a breach within 72 hours.
- Remove ambiguous consent.
- Relate personal data to one or more specific purposes.
- Positively verify that someone is of legal age.
- Expand accountability to all partners in the ecosystem.
Complying with the mandates requires investment in foundational compliance technology, processes and people. In a recent CSO article, CSO senior editor Michael Nadeau highlighted the complex and costly challenge companies face: Citing statistics from a PwC survey, he reported that “68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9 percent expect to spend more than $10 million.”
The GDPR Deadline Looms
Being fully prepared to comply with the new GDPR rules by the May 25 deadline won’t necessarily be easy. For one thing, since the GDPR extends responsibility from organizations that own the data right through to those that help manage the data, companies not only have to implement technical and operational solutions by the deadline, they also have to address contractual issues.
Failure to comply by the deadline will have consequences. GDPR administrative fines can go up to 20 million euros or 4 percent of annual global turnover, whichever is higher. But, as I-Scoop explains, those are maximum fines. The exact fines will depend on numerous factors, including “how severe non-compliance and potential personal data breaches are, and the measures that have been taken to be GDPR compliant.”
There is uncertainty about how businesses will be affected once the deadline arrives. For one thing, it isn’t clear what exactly constitutes compliance. The GDPR requires that a company take steps to ensure a reasonable level of protection for personal data, but it does not define “reasonable.” Moreover, we don’t know how strict enforcement will be.
However, while we may not know the full extent of what it will take to comply with the GDPR or how likely it is that companies will be sanctioned for noncompliance, we do know that the consequences for not abiding by the new guidelines could be serious, because companies deemed to be noncompliant not only will face monetary fines but also could suffer damage to their reputations.
Since EU authorities have discretion when assessing fines for noncompliance and data breaches, the deadline puts pressure on companies right now to ensure they can at least demonstrate awareness and show that they are taking steps to comply.
Accordingly, companies are responding by leveraging their GRC data control systems and assigning responsibility for overseeing compliance to people in roles like data protection officer (DPO). In addition, companies are implementing intelligent automation platforms to address the full spectrum of business processes, which now include increased focus on breach management, customer outreach and responses to requests to be forgotten.
It Gets Personal
The GDPR, and the bill that will transfer it into U.K. law, set new standards for consumer protection — standards for our individual personal protection from companies.
The EU is recognized as generally being very strict with companies that, in the eyes of authorities, have reputations for invading the privacy of EU citizens — and making a profit in the process. In particular, the GAFA companies (Google, Apple, Facebook and Amazon) are under a spotlight in the EU, because their business models depend on collecting and leveraging consumer data.
Here’s where the melodrama gets a sci-fi twist. The situation is like my all-time favorite “Doctor Who” episode, Blink, which features an alien race that appears in the form of statues. When you blink or look away, the aliens animate and take your personal energy to thrive on. In effect, they are stealing your time — sending you back in time, away from your life and loved ones.
While I am not equating the GAFA companies with those aliens, just think about how they thrive on our personal data. For example, Google uses the data it extracts from our behaviors and Google interactions to serve us ever more narrowly targeted ads. And Amazon and others keep our personally identifying data to more easily sell us more products. Practices such as those make us susceptible to loss through data breaches.
Conflicting Desires Make it Interesting
Companies are conflicted. They need to do the right thing for GDPR compliance or risk infringing customer privacy and then suffering damage to their brands’ reputations and facing monetary fines. Yet they want to use our data to offer new services (and achieve profitable market domination). In a report titled “Best Practices for Privacy and GDPR in Financial Services,” Forrester sees financial institutions attempting to “strike the right balance between more stringent data privacy rules and pressing demand for more innovative and creative services that leverage customer data.”
Consumers are conflicted too. While we may at times feel personally victimized by the way in which companies treat, or mistreat, our data, we very much want them to use our data to provide us with good customer service.
In other words, we want both the right to be forgotten and what I call the right to be remembered.
We want companies to recognize us when we have a service request, so they don’t have to ask multiple times for information that is already in their systems. We want them to treat us like people, not as transactions or invoices. And we want personalized services, offers of discounts for our favorite products and suggestions for new books that are similar to the ones we pulled to our Kindle in the past. What we don’t want is our data mistreated, taken for the good of the company only, or breached without recourse.
So thank you, GDPR, for wanting to keep personal data safe. What happens next in the melodrama? We’ll find out sometime after May 25.