Europe’s General Data Protection Regulation (GDPR) is the talk of the business town. Should you somehow have managed to escape this, it refers to the major new piece of legislation due to come into effect less than nine months from now.
From 25th May 2018, any organisation that controls or processes personally identifiable information about European Union (EU) citizens must have stringent organisational and technical measures in place, or ‘privacy by design’, to comply with the GDPR.
Businesses in the United States who have customers in Europe – and even those that are looking to expand to the continent – should be deep into their planning and implementation phases to be ready for it becoming law next year. Yet, research by analyst firm Gartner has already shown that over 50% of companies affected by the GDPR will not be in full compliance with its requirements by the end of the looming deadline. This is despite the fact that 92% of stateside companies cited GDPR compliance as a top data protection priority in a PwC survey of US-based multinationals.
This is hardly a surprise, as whenever a new unifying law or big piece of legislation like this is proposed, organisations tend to adopt a “wait and see” approach to observe how rules are enforced, before making critical decisions on how far to go with their response. This ‘how far’ is significant with the GDPR, as fines can be as large as €20m or 4% of global annual turnover – whichever is greater.
My advice to US companies is not to be tempted to wait and see whether the GDPR rules are enforced, or enforced differently in some countries than others. With this unifying data law just around the corner, a passive approach is a poor plan of attack. Companies need to be ready from the start: here are three key reasons why.
1. Customer data must be safeguarded.
There is evidence to suggest that privacy sells. Over the past couple of years, the use of ad blockers has increased significantly worldwide. A recent report by analytics company PageFair showed that ad blocker usage surged by 30% last year. There were 615m devices blocking ads worldwide by the end of 2016, with the key reason for downloading the software being security.
Consumers are also increasingly aware of the abuse of personally identifiable information (PII). This is of great importance to them: their data must be safe, and the onus is on organisations to ensure this going forward because, first and foremost, it’s the right thing to do and an ethical way to do business – no matter the headache it causes at the start.
2. GDPR rules aren’t luxuries; they’re solid best practices that every company should be following.
The GDPR is the biggest shake-up to data privacy in a generation, but organisations must remember the overriding principle of these new regulations: to unify data laws across the European continent in order to shift the burden of proof from individuals to organisations. That means that the new rules act as best practice guidelines for companies to follow. In fact, companies should already have the majority of these in place, and now is the best time to start.
A “wait and see” approach only makes sense if the potential risks are outweighed by the efforts required to prevent them. GDPR may require coordination and effort in the beginning, but in most cases it’s just enforcing best practice for data handling and management, so these are steps that companies should be taking as a matter of course.
3. GDPR will ultimately help US corporates win more business in Europe.
Where once citizens needed to show they were the victims of data misuse or security breaches, organisations must now demonstrate they’ve taken the right, pre-emptive actions to protect personal data appropriately. If your company takes the initiative from the start, this will boost your customer base across Europe. Ultimately, proper GDPR compliance will lead to more business wins on the continent.
Beyond the financial implications of the GDPR, which are great, the impact on reputation and brand loyalty can lead to greater financial impact in the long run. With a new piece of legislation, coverage of the first breaches and fines is likely to be major for the companies involved.
I urge companies to spend the time now securing their customer data, and not to run the risk of a headline-grabbing fine, and the damage to their brand’s reputation, by becoming a test case. A good starting point is to work with partners that understand the complexities of the European market and regulations, and that will help simplify the GDPR compliance process by enabling the security, portability and encryption efforts for your customer data.