GDPR and the Importance of Being Earnest
Brand reputations hinge on trust and transparency, and increasingly on a businesses’ data privacy credentials. On the one-year anniversary of GDPR, we check in on how the regulation has tipped the value of data on the global stage.
It’s hard to argue with the notion that there has been a groundbreaking shift in the way businesses and consumers think about data, privacy and brand trust. The culmination of high-profile data privacy scandals and new wide-sweeping data legislation has forced not only consumers to get to grips with their own digital footprints but has also mobilized organizations all around the world to be upfront with consumers, and allow them more control over which data they share.
However, the gravitas surrounding this turning point in the data privacy landscape is clearly embodied in the GDPR, the most draconian privacy shield currently in existence, which was enacted on May 25, 2018. Having a global reach, the GDPR has shifted the balance of power towards the consumer, leading to new perspectives on consumers’ right to share or withhold data online.
The consequences of this empowerment are significant and far-reaching, threatening to damage brands and reputations, erode consumer confidence and financially suckerpunch a company. What the EU has engendered with the GDPR is a global benchmark for data protection standards, one that reverberates far beyond the boundaries of Europe. It’s normative power has spread like wildfire across the globe, as more countries and states have jumped on the bandwagon and moved to enact their own GDPR-like standards.
California, the tech matrix of the U.S., has often been ahead of the rest of the nation on social issues and seems that it’ll remain so with data privacy, as last year it implemented its own regulation modeled after the GDPR. The California Consumer Privacy Act of 2018 (CCPA) is the first such data privacy law passed in the U.S., despite years of legislative efforts in Washington DC, and while it didn't completely extend GDPR protections, it did give the State’s 40 million inhabitants the ability to view the data that firms hold on them and, critically, request that it be deleted and not sold to third parties. Tech giants absolutely loathe it! Maybe that’s because it threatens to undermine their fundamental business model of gathering, packaging, and selling user data while doing as much as possible to keep people as uninformed as possible about what information they actually have on them. Vermont followed suit by enacting a law to improve accountability in data sharing between organizations.
Elsewhere, numerous countries in Africa and APAC are also seeing data protection laws on the rise, particularly those that want to do business with Europe. India is currently debating data protection legislation reflecting aspects of GDPR, while South Korea is updating its regulations. Meanwhile, new laws coming into effect in Brazil have also been influenced by GDPR. It’s first ever data protection law, the LGPD, will enter into force in August 2020 and like GDPR it is an omnibus law, covering many principles of data protection. Although it has to be said that many of the proposed drafts and new regulations are less stringent than GDPR, still it is a step in the right direction.
But the long-tailed implications of GDPR are just coming into sharper focus as the regulation sinks in. Initially, U.S. firms had a sort of deer in the headlights reaction when it came to GDPR but now after Google got slapped with a €50 million fine by French data protection authority National Commission on Informatics and Liberty (CNIL), these firms have been compelled to confront and re-evaluate what’s at stake concerning commercial data collection and processing. What we’re seeing now is organizations hunkering and doubling down on information security, compliance and legal protections.
Following the Yellow Brick Road
The adjustment to GDPR might well be tough for U.S. organizations to get to grips with, and many may argue that the only reason that the regulation has any bite is the fines. But even though we haven’t seen the colossal fines threatened by the GDPR – 4 percent of annual global revenue or €20 million, whichever is higher – laws are only as strong as their enforcement, and GDPR regulators are circling. There’s no denying that GDPR has ushered in cascading privacy demands that require a renewed focus on data privacy for all organizations that offer goods and services to EU citizens, which has meant U.S. firms combing through their hoards of data to comply with GDPR… a potential practice run for what’s coming. All eyes are on the West Coast!
Organizations though need to think past the threat of fines and look at the potential reputational damage to their brands, which in the long run could end up hurting more than a one-off large fine. Let’s view it from a consumer lense perspective because at these times of changing data legislation, never before has it been so important to understand how consumers think of data and data privacy. Call it a sign of the times but ethical questions around data privacy and stewardship have firmly come to the fore as global consumers continue to understand the rights and mechanisms that regulations like the GDPR have made available to strengthen their ability to manage and protect their own data.
In a recent survey we produced on Reputational Trust, the findings demonstrated a mature and empowered global consumer mindset towards data privacy and stewardship. Across the board, 65 percent of those we surveyed viewed data privacy as the most important attribute when considering a company’s trustworthiness. With 75 percent saying they would accept a lower quality product for increased data protection. They would also pay more for a product or service if data privacy was guaranteed. This illustrates that data security is more than just a compliance issue, but one of trust and reputation.
Trust, afterall, is at the heart of brand-consumer relationships and with consumers now driving the success and failure of companies, products and brands, oftentimes with targeted criticisms delivered by a few keystrokes, means that a brand’s reputation isn’t solely in the hands of the company behind it… at least not nearly as much as it used to be. And in an environment where criticism of industry use of personal data is growing and privacy concerns are rampant across all markets, it is paramount that organizations manage customer expectations and perceptions. Trust, therefore, is now not only a major commodity for organization, but also a central component in their ability to compete and needs to be a fundamental part of any brand proposition.
GDPR is a Journey, Not a Destination
For many businesses, the year following GDPR has been focused on building organizational muscle memory to understand how to redesign and rebuild processes so that they can be GDPR compliant. Yet the regulation still presents challenges for some as many are not truly in compliance and then there’s the problems due to the growing volume of data, which makes it increasingly challenging for businesses to get a complete view of where all data resides and who has access to it.
Coupled with these empowered consumers who are rethinking the true worth of their personal information and rightfully questioning the validity of a value exchange between brands and themselves; businesses are in an unique and unenviable position where there is amplified pressure to demonstrate compliance. Furthermore with reputations and revenues on the line if they haven’t committed to a requisite long-term compliance strategy, as Nat King Cole once chimed ‘there may be trouble ahead’. You can fully understand why GDPR can be akin to a swear word across boardroom tables.
But despite challenges in achieving compliance, GDPR is working and there are rewards to be reaped. The reality is that data is a valuable commodity… if utilized correctly. For those businesses that can demonstrate full transparency of consumers’ data and ensure its security, there comes huge competitive advantage. Afterall, the more personal data an organization holds, the more opportunity it has to analyze that data for the purpose of understanding its target audience, to better target and sell to consumers. This is why it makes good business sense to integrate and align reputational resilience, in the form of digital trust, into operational strategy. By doing so organizations can become trusted providers in terms of safety, security, reliability, privacy, and data ethics.
Whatever your opinion is of GDPR, one thing you can’t argue with is the fact that it has ushered in a new era of data privacy and fundamentally changed the way businesses, well do business, and for the better. GDPR isn’t about penalizing organizations, it’s about protecting the consumer. It is about having the technology and expertise to make the critical principles of trust and transparency the bedrock on which you build your organization.
Learn more about GDPR with SAI Global's Digital Content Hub.