Businesses exist to meet consumer demand – and right now, consumers are demanding to be taken seriously. They want control over their lives, specifically over the 1s and 0s that define who they are to computers, data analysts, advertisers and so on.
GDPR (the General Data Protection Regulation) was the first step in helping them achieve this.
As the COO of OTRS, I’ve been tasked with overseeing our efforts to comply with the GDPR. For more than a year prior to its implementation, we worked tirelessly to examine and codify our internal processes. We ensured that the managed OTRS ticketing system and help desk software operated according to GDPR requirements. We took – and still take – every precaution to protect our customers’ data because we appreciate the trust that our customers have placed in us.
But, despite the effort put in by thousands of businesses like OTRS around the world, there is more work ahead. I believe that GDPR implementation was just the tip of the iceberg.
Companies in any locale that process data belonging to EU citizens are impacted.
In case it hasn’t been your focus to date, GDPR is the world’s most stringent data protection law. It was put into action by the EU in May 2018 and extends data-related rights to consumers. People in the EU now have the right to know when their personal data is collected, understand how it will be used, request its deletion and obtain a copy of it.
This means that companies have had to put processes in place to accommodate the new law (all companies, not simply EU-based companies). Those who fail to do so will be fined: they may be required to pay up to 4% of their global revenue or 20 million euros, whichever is higher.
GDPR Impacts All Companies That Collect and Process EU Citizen Data
The Information Commissioner’s Office (ICO) out of the UK is the independent body responsible for evaluating compliance and enforcing the regulation, and no business is exempt. Companies in any locale that process data belonging to EU citizens are impacted. Companies in all industries and of all sizes can be fined.
For example, the following well-known companies have been penalized thus far:
- Facebook was fined 500,000 euro for allowing third-party apps to access account data without permission.
- Heathrow Airport was fined 120,000 euro for not adequately securing personal data. Data was transferred using an USB device.
- Bupa Insurance Services Limited was fined 175,000 euro after an employee was able to steal bulk data from an internal system to sell to outside parties.
For those who are not based in the EU specifically, take note of the Equifax Ltd. case. The UK-based Equifax branch was fined 500,000 euro because its United States-based subsidiary was breached. The ICO found that the UK office did not take adequate steps to ensure that UK citizen data was being processed securely, despite the fact that they weren’t the ones actively handling the data.
The main point is that consumers are more and more aware of the fact that their data has been used as a commodity by businesses – and they are increasingly leery of this.
Data Privacy/Protection Awareness Spreads
As an increasing number of big brands are hit with fines, they are making news: GDPR has thrust consumer data handling into the limelight thereby giving today’s consumers a much broader understanding of their unique value. For instance, in 2004, “liking” a political satire post on Facebook was just for giggles: now, consumers understand that such an action segments them into an advertising category. In 2016, 79% of people could discern remarketing and felt like they were being “tracked” by ads. The general public is becoming data-wise.
The growing awareness means that GDPR was only a starting point. Consumers are demanding more protection, similar laws are now taking hold or being strengthened in other parts of the world too. Take the California Consumer Privacy Act of 2018 in the USA, for example. It is one of the strictest so far in the United States. Like GDPR, it entitles consumers to information about who has their data and how it is being used, as well as stipulates that consumers have the right to erasure (having their personal data removed). Consumers can opt-out of having their data sold, and those between the ages of 13 – 16 must expressly opt-in if their data is to be sold. In addition to California, nearly a dozen other states have passed data privacy legislation recently, so it’s likely that it will become a federal government discussion at some point in the near future.
Moving into the Southern hemisphere, Brazil has recently signed the General Data Privacy Law into law. This law is similar to GDPR in that it defines data processing, applies to Brazilian data regardless of where the data processor is located, and includes fines (2% of global revenue). But, of course, there are some differences: data of public figures, health-related data and credit-related data are given special treatment.
These are just two examples of the ever-strengthening worldwide focus on data privacy and protection.
Are You Prepared to Adapt Your Business to Expanding Data Protection Regulations?
The main point is that consumers are more and more aware of the fact that their data has been used as a commodity by businesses – and they are increasingly leery of this. In fact, as of 2016, 57% of consumers reported that they were more worried about their data being online than they had been in 2014.
Businesses that intend to be viable into the future must start paying attention to this fact. It has only been 14 years since Facebook was founded, and they are now being forced to reexamine their business and advertising models to accommodate consumer data protection demands. This could happen to any business because people are paying attention now.
It’s critical that you start to think about how consumer demands could impact your business long-term:
- How would a reduced ability to target impact your advertising and marketing efforts?
- What components of your customer service model would need to be adapted to adhere to these regulations – and even more stringent ones that are certain to develop in time?
- Are you equipped to protect customer data, as well as document data-related actions for audit purposes?
After all, fines are merely meant as a motivator, a way to encourage businesses to take the regulations seriously. The real focus of business leaders should be on consumers and the more direct business consequences that could result should data become scarcer and even more tightly controlled.