The GDPR: An Opportunity Not a Curse for Firms
In insight / By Phil Muncaster / 17 October 2017
As the countdown to the May 2018 GDPR compliance deadline continues, the headlines are becoming increasingly frantic. There’s just seven months to go before maximum fines of 4% of global annual turnover (or £17m) could be levied, and most UK firms still haven’t got a clue, they shriek. Yet I wonder how constructive it is to trot out endless variations on the same research highlighting the lack of GDPR awareness and preparedness among organisations.
If such reports are even accurate at all, there could be a very good reason for UK firms’ continued sluggish approach to compliance: board rooms haven’t been convinced effectively enough of its value. Yet aside from the obvious benefit of avoiding potentially huge regulatory fines, there’s much in the new law which should appeal from a business perspective.
There’s an old adage about cybersecurity that it should be viewed as a business enabler rather than a block on innovation – just as brakes on sports cars were designed not to slow the vehicle per se, but to enable it to go faster, more safely. The same is true of the GDPR: if implemented correctly, it should help you to get closer to your customers, drive innovative new services and increase revenue rather than be a regulatory barrier to business.
Time for a plan
Do you have a plan for GDPR compliance yet? The latest findings are that just 45% of global organisations do and more than half (58%) are not fully aware of the consequences of non-compliance. The ICO even had to warn UK public sector bodies earlier this year that progress was simply too slow.
Boardrooms up and down the country are clearly failing to join the dots between GDPR compliance and the opportunities it offers for improving processes, bolstering the organisation against damaging breaches and other cybersecurity incidents, and improving competitive differentiation. At the heart of the GDPR are seven principles, neatly summarised here. Most are familiar from our current data protection regime, with the addition of “accountability” which requires organisations not just to comply with the regulation, but show how they comply.
The emphasis throughout is on transferring more power to the consumer and putting certain restrictions on organisations processing their data. But the aim is not to cripple businesses, it is to make them fit for the digital age.
The marketer’s friend
One of the key parts of the GDPR is around consent of the data subject. It means customers must be contacted to give explicit opt-in consent if you want to use any data collected on them. Rather than view this as a costly administrative task, think of it as an opportunity to review/refresh those prospect and customer lists to get back in touch.
Rules on what constitutes “personal” data have also changed to include a much broader range of information. Again, this could seem like a major challenge for firms. However, turn this requirement on its head and, if you can nail compliance, it will actually provide your organisation with a much bigger profile of each customer – which can only help marketing efforts.
The right to be forgotten or right to erasure is another major new stipulation of the GDPR. It grants all data subjects in the EU the right to “request the deletion or removal of personal data where there is no compelling reason for its continued processing”. Yes, this will require extra investment and process changes, but it will also provide firms with a chance to optimise their marketing budgets by being able to focus only on those customers that are actually interested in what they offer.
One of the first places to start when drawing up compliance plans is to work out what data you hold on customers, where it’s stored and where it flows. Auditing and mapping customer data in this way is an invaluable exercise as it will then allow you to work out who your customers are, what their preferences are, and then consolidate that potentially disparate information into a more manageable database.
The other side of this is that the GDPR broadly requires organisations to follow a principle of data minimisation: that is, to only store customer data that is absolutely necessary. Once again, the positive outcome of this is that by clearing out customer data you’re actually reducing the risk of a damaging breach and reducing associated overheads on things like storage.
Which brings us to the elephant in the room: data protection. The GDPR is not just about ensuring organisations use their customers’ data responsibly and accede to any requests to have it deleted or moved to another provider, it’s also about making sure they secure that data adequately. Security can be a black hole when it comes to corporate spending, although following a best practice, state-of-the-art approach as described by the NCSC and others will go a long way to satisfying the regulators.
But in order to secure these funds from the board, think about framing the issue not in compliance terms alone, but as a driver for business growth. By making your business more secure to breaches, ransomware attacks and the like, you’re not only avoiding negative publicity, industry fines and damaging service outages but making it more trustworthy for consumers.
According to McAfee, nearly three-quarters (74%) of decision makers in global organisations believe that firms which effectively comply with data protection laws will attract new customers. It’s a stat backed up by Gemalto, which found that two-thirds (64%) of consumers are unlikely to do business with a company that’s suffered a breach where their financial details were stolen. Nearly half (49%) said the same about breaches where personal info is stolen.
Put in this context, investing in cybersecurity is a win-win for firms, helping them become GDPR compliant and more resilient to damaging security breaches and outages, as well as more attractive to potential customers.
The UK has one of most advanced digital economies in the world, worth in excess of £161bn. But even it will struggle in a post-Brexit world unless we make the necessary changes to meet the GDPR’s strict requirements – set to be transposed into the UK Data Protection Bill. This isn’t just about compliance, it’s about making your business digital-ready and as competitive as it can possibly be in a new consumer-first age.