Much has been written about the upcoming GDPR and how it’s a tsunami coming on to us. Scores of consultants, lawyers, industry associations, software and hardware vendors alike, are all licking their fingers in anticipation and enjoying the sweet hangover memories of SOX, when it once opened the gate to a torrent flow of new business. Some are doomsayers, most convey a message of leveraging the growth opportunity over regulatory pressure, all, however, open up the conversation with a less than subtle mention of steep potential fines and risks.
Yet, the market seems unmoved.
Every new market study released after an earlier research paper sends a message of lack of preparedness and even complete unawareness in the business world. Professional service providers are puzzled, Governments are called to do more, but the message is not quite permeating into the corporate agenda. Not the “way it should” anyway (some say).
Maybe it’s time to wake up and listen?
Do not get us wrong, at FullContact we believe this is a crucial piece of legislation; a much debated, multi-year law in the making. A much welcome evolution from the yester-decade directives, when the iPhone was not even on the design board, Netflix mailed DVDs and Amazon sold … books. Business folks met at trade fairs, families sat around the dinner table and Zuckerberg was a 6th grader in middle school. The wild west ensued in data privacy and the venerable Directive 95/46/EC held its ground, admirably, but no longer.
Scary fines of up 4% of total worldwide annual turnover, in addition to compensations of material or non-material damages and the potential of a pseudo-class action regime, seem to slide like water off a duck’s back.
So, what’s happening?
Maybe the very blame is on the tedious insistence around the so-called ‘privacy risk’ of those parties with a self-interest for this new regulation to take-off, and not necessarily the regulator itself. It might have backfired and put the corporation unintendedly on the defensive, en garde, subject to a prerogative of whether or not they will become the chosen poster child. In the end, a tactical risk evaluation exercise of do’s and don’ts passed on to lawyers to figure out. A ‘let’s see how all this plays out’ approach ‘while I have my bases covered’. Hedging their bets.
Macro trends are not helping either. The new US Administration only added uncertainty to the mix, now Congressional Republicans moving against recent US FCC’s broadband privacy rules, while some data privacy lobbying groups are heavy at work trying to catch the new expected winds of pro-business and anti-regulation on the Hill. To top it off, the Brexit bomb and relevant elections on the horizon in the EU, with populist eurosceptics on the rise, makes the situation all the more unpredictable. They do not stand a chance, you might think, but so many thought about the UK leaving the Union or electing an unproven controversial outsider to steer the world’s current hegemon.
The astute stance of the regulator to clearly draw the lines in the Law but let the market define how to color in between them, is neither a trigger to action. Like the lawful processing based on the legitimate interests of the controller (Art 6(1)f) which is subject to interpretation post factum and not necessarily driving to behavioral change at the outset.
With all these headwinds, no wonder there is a less than effervescent preparation for GDPR, particularly when almost all the consumer value has been made in the last decade by those handful of stalwarts which mastered the use of customer data. Any potential “loss” of customer data is seen as anathema.
So, where does FullContact stand regarding Data Privacy and GDPR?
We do not believe you can now reverse GDPR (and the many countries that are following suit in Asia with even stricter laws), we do not believe you can lobby GDPR off the map and we firmly believe individuals should provide consent for how their data is used. They own it. Privacy is at the core of our vision to “empower people and businesses to be awesome with the people who matter most”; otherwise, you just can’t be.
We understand the uneasiness of Marketing departments about potentially losing some customer data but we also believe leading brands must be nurturing those customers who consent and engage, not just keep a record of how many names they stash in their databases.
We also do not think GDPR is just about avoiding penalties and manage compliance at the lowest possible cost. We firmly believe in the transformation of companies into stewards of customer data and not the owners of data. And we believe there shall be customers who defect to brands who developed their brand values around Trust.
All our efforts are geared toward helping companies understand who their customers really are in a world of unstructured, dispersed, messy customer data, communicate and be awesome with those customers who consent.
That is what we believe is at the core of GDPR and Data Privacy beyond all the noise: The individual at the core and Consent (the latest UK Information Commissioner’s Office guidance is quite helpful). These are our battle horses and what we are steadily working on.
(This is the first in a series of blog posts around Data Privacy and GDPR).