(First published in Computing magazine on 30 June 2017)
To understand the importance and the potential impact of the General Data Protection Regulation (GDPR) to future business growth, we need to understand why it exists and what its key objectives are. Simply put, the downward trend in trust in digital services is diametrically at odds with the EU’s ambition to deliver a vibrant and world-leading digital economy. To achieve that goal, it is abundantly clear that citizens (75% of whom currently profess not to trust digital businesses with their privacy, according to the UK’s Information Commissioner’s Office) will have to feel a lot more confident about engaging digitally without fear that their personal lives are going to be compromised in any way. Reversing this downward trend in trust in digital services creates growth opportunity, plus the potential for globally competitive and differentiated services backed by strong legislation.
The large, global online retail and social media companies have a tendency not to treat the data harvested from online transactions with due respect, putting it to use in ways their users and customers don’t understand and probably wouldn’t agree to if they did. Even worse, the public’s trust in digital services has been diluted because people have only limited or no control – or transparency – over their personal data. It’s this business culture that the EU is seeking to disrupt. To do this requires a new culture of digital engagement that does not contend with what is already defined and controlled, but changes the basic rules of engagement. It suggests creating an alternative vision that encourages the innovation of new services or makes existing services deliverable in vastly more efficient and intelligent ways.
As a policy vehicle that reflects this shifting of the competitive digital environment, the GDPR does not stand alone: it’s actually part of a tsunami of new legislation that includes the e-Privacy (Privacy of Electronic Communications Regulation) and eIDAS (electronic Identity & Trust Services) regulations, the PCI DSS (Payment Card Industry Data Security Standard), the NIS (Network and Information Systems) directive, the EU-US Privacy Shield and others. These are all underpinned by the same principled objective: return a reasonable balance of power back to the individual in order to restore their trust in digital services and drive the digital economy.
To date, businesses have focused on cybersecurity, partly because the current Data Protection Act has fostered it, but also because it’s good for companies to protect what they consider to be digital assets they own, an assumption that is rapidly becoming outdated. This attitude and approach will by necessity change. Individuals will be able to demand the cessation of the use of personally identifiable information (PII) in marketing or automated processing, or enforce the right to its erasure. They will even be able to request the transfer of their PII to another business that they consider to be more trustworthy and that treats their data with more respect.
The GDPR turns the spotlight on individual rights to privacy. It requires businesses to understand they need greater authority from the individual to use their PII, rights that will be granted only if they are considered trustworthy. This is why the GDPR is a fantastic opportunity – many businesses have built their current digital business models on foundations that are going to be undermined by the new legislative landscape. The ways in which businesses interact with their customers are being redefined and transformed. Those that embrace the changes first get to take the prime strategic market positions.
Instead of worrying about risk mitigation for your business as you push the boundaries of what’s legally acceptable, you could consider building trust by providing your consumers and customers with privacy assurance. By creating a positive customer-facing business asset, rather than an inward-looking culture focused around compliance risk, you would not be fighting the GDPR but engaging with it and seizing an opportunity.
The prize? It’s simply this: when companies embrace the privacy principles that underpin GDPR, and use it as the foundation for a new style of trustworthy digital business, they will attract more customers. Those that don’t will lose out. Better still, the veracity of the data shared will be higher, leading to a better return on investment when it’s processed. Yes, the GDPR will raise costs in obtaining PII; but, instead of using your limited resources to continuously validate ever more tenuously defined customer profiles in the bowels of your IT processes, wouldn’t it be better to take a pro-active approach to obtaining PII and lighten the burden on your IT administrators? If the GDPR appears like a costly overhead, it’s because we are not balancing it with the strategic gains made by streamlining the amount of PII that is consented for use or for a legitimate purpose. Connecting PII more precisely to each business opportunity that arises is the new challenge.
Ten years from now, European companies can – and should – be leading the world in how to approach trustworthy digital engagement and provide simplified and cost-effective services. The market is changing – are you thinking about it correctly?
Geoff Revill – Founder of innovative trustworthy engagement platform The Krowd www.krowdthink.com
David Goodman – Consultant – Trust in Digital Life
‘Privacy – The Competitive Advantage’ is available at trustindigitallife.eu/publications/