Organisations have been blind to GDPR “business opportunity”
Obsession with headline-grabbing fines has eclipsed the benefits of new regulation
When the French data authority fined Google €50 million, the largest data protection fine to date, this understandably reignited a sense of 'buzz' around GDPR. But it's exactly this sort of interest that has distracted many industry executives from how GDPR can work for them, according to Cloudera's MD for strategy and growth Abhas Ricky.
To date, there've been approximately 90 GDPR-related fines across Europe, from around 60,000 notifications received by the European Commission, explained Ricky, having dug into the numbers before an address at this year's DataWorks Summit. And this focus on fines in both the media and, consequently, the C-suite, has clouded organisations' view of how they can accrue meaningful benefits from GDPR.
"The key focus started with breach notifications because that was the big marquee statement the media went after," Ricky told journalists and analysts at a press briefing. "The people on the C-suite, and people driving the C-suite agenda, went after [GDPR fines] because it was all about 4% fines on turnover."
There was a huge dip in excitement around GDPR after the new regulations came into force on 25 May, but "then it started to pick up when one of the hospitals in Portugal was fined half a million dollars", he added. This really grabbed people's attention. And "the Google thing" has brought it back.
But nearly one year from the start of GDPR enforcement across Europe, what has the obsession with fines in both industry and the press been masking?
"Really, on the technological front, the two [areas] we have seen come most to the forefront is first around privacy by design, because that's a long-term project," he outlines. "Another one is data portability, and it has the maximum impact on your brand."
"What privacy-by-design says is that you have to put in data privacy as one of the key fundamental structures for designing your information management system, and not just as an afterthought.
"If you think about all the large banks, telecoms firms, utility companies, energy providers, they've been doing these info-management system structures for decades. And it is by far the hardest to implement. Therefore there has been a lot of planning over the last year."
On the data portability side, the challenge has been in firms complying with customers' requests to package their data and shift it from one provider, retailer, or airline to another. He used an analogy whereby a Tesco customer wants to move their data to M&S. The trouble with this, from Tesco's point of view, is that it has data across various systems, and would have difficulty bringing it all together centrally.
For retailers in general, alongside all manner of consumer-facing businesses, trust in brand identity is essential, and this is now tied more than ever to how they can handle their customers' information. Various pieces of research have shown as much, Ricky argued, and businesses should treat this new landscape as a "business opportunity".
Recent research suggests that regulatory compliance has given certain businesses a range of inadvertent benefits. These include more appeal to investors, and companies gaining a competitive advantage against their rivals.
"I have all my data stored on Google; my photographs, my phone number, my videos, same on Apple, same on everyone else," he explains. "But if some third party comes to us, and asks for my name and phone number I will hesitate. And so will a lot of you. The point is there is this huge disparity. It's not that customers are unwilling to share information, customers are very willing to share information, provided you can prove to them, there's a lot of credibility you can have on data privacy."
The "cost of doing nothing" on data protection is far too high, and the consequences of an organisation even being perceived to not be capable of holding personal data in a safe and secure manner are dire. This is especially true if you couple it with the fact that customers, when asked 'What influences you to shop at a particular retailer?', listed brand trust as number two. This was higher than good location, or the overall business concept and retailing experience.
The Swiss insurance firm Zurich has undergone a similar thought process, with cloud architect Abhishek Sakhuja telling IT Pro that having GDPR in place "makes companies not use data in a bad way".
This isn't to say the rules will be followed and companies won't take advantage of customer data just because GDPR is in place, he continued. But "brand image is one of the most important things for us" and gives the company added motivation to protect customers' information.