The General Data Protection Regulation (GDPR) hits home 25th May 2018. Lawyers and consultancies are having a field day. Many of their internal counterparts are hyperventilating over the size of the challenge and the lack of corporate urgency to get ready.
This time, the challenge is all the greater since existing legislation has remained toothless in terms of meaningful consequences. Bluntly, few bothered to really care.
As a result, the competency gap between actual data protection best practice and the new bar being set by the GDPR is much larger than it should have been.
Till now, there were ways to dodge the bullets around respecting customer privacy and protecting their data.
Spoiling the fun will be fines up to 4% of global turnover, laced with possible downstream consumer litigation in cases of blatant incompetence and negligence. The stick has grown large enough to persuade every organisation to pause and really consider what they are going to do.
This will boil down to typical human reaction over being told to do something.
- Hope it goes away, discover it hasn’t, then panic
- Sulk about it and try to get out of it
- See the upside and get excited
In adult language this translates into three options. Ignore it. Avoid it. Embrace it.
Ignore It
Both speaker and delegate comments from the London cyber security conference I chaired in late January this year showed there are still a disturbingly high number of organisations ignoring the deadline. And by the way, even though it’s EU law, Brexit is an irrelevance to its imminent arrival since the U.K. Government has set it as the new standard.
Nonetheless, awareness of the deadline continues to be cranked up and eventually it will appear as a priority agenda item for the top team. No doubt a mix of delayed awareness and fear will then create a year 2000 type rush to comply if you have decided to be a laggard.
In reality, the groundwork should have started already. Sales, marketing and service leaders should be actively engaged by now. If you have any customers who live or visit EU territory then know this applies to you too. If you store or process their data you need to read the game plan.
Avoid It
Avoiding the GDPR’s impact will be the domain of legal responses. Or to be more polite to their profession, they will be pursuing “minimum viable compliance”.
However, as ex-legal eagle Chiara Rustici says in her latest book on GDPR, it’s an exquisite piece of interlocking legislation that cannot be easily hollowed out or outwitted by a one-off legal body swerve.
And even if it’s true that the UK regulator is ‘team lite’ right now (edit: sorry, just learnt they are hiring an additional 200 staff), it is dangerous to assume you will be able to hide in plain sight and avoid scrutiny. Especially once privacy activist groups get into their groove and point fingers at offenders.
Whenever underprepared organisations start to fret about what might happen, I’ve noticed they tend to overcompensate in their compliance regimes.
The impact of command-and-control compliance on organisational culture is corrosive. In fact it is the very opposite of what you need to be doing in a digital economy which puts a premium on innovation, disruption and agile responsiveness. Being dutifully compliant and thinking out of the box seldom co-exist.
So I’d suggest that avoidance is harder than it seems and is a real competitive downer.
Embrace It
Some say the purpose of business is an exchange of value between stakeholders. Profit is a consequence not a justification. The GDPR’s focus feeds perfectly into this interpretation of organisational purpose. It insists on a JEEP approach to life. Just Enough Essential Parts. Or in the GDPR’s case Just Enough Essential Data to do the job at hand.
The GDPR’s emphasis on lean data management and resisting the magpie instinct to hoard customer data for its own sake impacts the heart of how customer engagement currently works.
In this mindset, we are always on the lookout for ways to capture customer data with some sort of fly trap. Once acquired, we then assume a perpetual right to use it indiscriminately at scale.
Our own email and messaging inboxes show how widespread this remains. So called personalisation is wafer thin. This is a huge waste of corporate energy and irritation to customers and a habit we should all want to break.
The GDPR enforces time out on this approach. It tells us we need to hand back the data once we have used it. Is this a loss or a gain? That depends on what you are focussed on.
If you have a value exchange mindset, then it’s an opportunity to do your job and figure out what’s next between you and the customer. If that proves to be on the money then the customer is going to be open to extending the lease on the data being held on them.
‘Avoid it’ mindsets will argue that all this should be managed via a one-off privacy notice. And no doubt post-GDPR versions will comply with the letter of the regulation. But the spirit of it says you are in a relationship whose purpose needs regular reinvention. Familiarity breeds contempt is as true in public life as in private.
So in this sense GDPR could be used to lay down some entirely new corporate habits around ongoing engagement designed with a focus on evolving value exchange. GDPR is like the referee that ensures both sides have an opportunity to shine.
Now I ain’t foolish enough to think this is going to be front of mind for many leading up to May 2018. Nor that we will see radically new behaviours overnight. There is a lot of re-plumbing to get through before that.
But I do think brighter organisations will be looking for the upside as opposed to reducing the impact of what they see as onerous legislation.
For them it will become obvious that the GDPR enables new levels of customer centricity based on deeper trust that flows from conscious choice on both sides. And to get there will mean ditching some well ingrained habits around customer engagement.
Could be the revolution we have all been waiting for.