Before the web became ubiquitous, the relationship between you and your insurance company (for example) was one-to-one, so individuals could trust the organisation with their personal data, which was not easily copied or shared.
In an age of big data and too-frequently hacked data, this level of implicit trust is clearly no longer tenable. The average person has a relationship with about 200 online entities, and leaves a trail of digital footsteps wherever they go as they populate social media and other internet-connected locations with personal data. This is further compounded when we consider the Internet of Things and connected devices that track our locations, health and habits.
This means that key pieces of personally identifiable information sit on a variety of internet-connected storage devices globally. Individuals have little or – in most cases – no control over, or visibility of, what happens to that data once an organisation is in possession of it.
This lack of control is all set to change with GDPR, bringing new compliance challenges, new opportunities and, most importantly, a reset of the relationship between corporate and customer.
Disruption and risk
In commercial terms, the privacy genie is now out of the bottle, and responding to it will become a competitive differentiator for businesses. The GDPR, whilst currently seen as the gold standard, will likely soon be viewed as the low watermark. This disruption of traditional customer relationships will fundamentally alter the market in almost every sector.
In financial terms, the overall impact of GDPR will mean that the monetisation of personal data by organisations will now attract a significant cost and risk, impacting the viability of many existing and emerging business models, with some industry sectors being affected more than others. From an accounting perspective, an interesting question is whether companies should consider generating a line item on their P&L to reflect the costs of storing and processing personal data together with a note to reflect the contingent risk.
So, this regulatory change is fundamental and highlights a need to re-evaluate both how the organisation does business and who it does business with, in order to ensure that it remains within its risk profile. It also shifts power back to the individuals, increasing transparency in how companies use consumer or employee data.
Power to the people
Corporate attitudes to customer service have been transformed in recent years by customer demand and preference, as demonstrated by a willingness by customers to vote with their feet if the required level of service has not been forthcoming. By the same token, we can expect to see this mirrored in the field of personal data and privacy: organisations that focus on the letter of the new regulation – effectively implementing compliance by design – will lose out. Working to develop a culture of privacy by design on the other hand will attract customers, as they increasingly understand how their data is being used.
So over time, the public will start to understand that their data belongs to them, and will interrogate organisations holding and using that data. With consumers becoming more activist, their use of social media can massively magnify the effect of events such as data breaches. This is not a trivial effect: the balance of power between organisations and their customers is shifting.
Many organisations have used insurance as a way of protecting the bottom line against cyber risks. However, it will not be possible to adopt this approach with privacy risk. It is also possible that, as the legislation matures, directors may become personally liable for breaches of personal data. The point here is that the protection of personal data is no longer a tick-box item: rather, GDPR marks a new beginning in the customer relationship, as companies that do not take the spirit of the regulation seriously are more likely to suffer as a consequence.
The big opportunity
Privacy by design is about substance whereas compliance by design is about form. Let’s take the example of access requests. A compliance by design mentality will focus on ensuring that businesses can respond to an access request within the designated 30 days. Privacy by design on the other hand will consider how that information can be best presented to offer the greatest transparency and thereby reduce the risk of churn and the consequential portability or erasure requests.
Privacy by design, as opposed to compliance by design, will build trusted relationships with customers, who will then reciprocate with unambiguous consent to hold their valuable personal data; this in turn should result in better quality data.
The competitive advantage here is clear – privacy by design will enhance your brand and the customer experience. Compliance by design will simply create an overhead and impediment to business.