You’re probably sick of hearing about the GDPR by now. Between all the advisory pieces being published online and the influx of emails about how businesses are ‘committed to your privacy,’ you’ve spent months being bombarded by news of the EU’s privacy framework. Hopefully, you’ve also made an effort to bring your business into compliance with it.
On the surface, the purpose of the GDPR (and of related legislation, such as the data privacy law that came into effect in California in July) is to give consumers more control over their personal information. While they certainly accomplish that, they also achieve something else. Something much more valuable to your organization.
They provide a framework for better cybersecurity.
Think about it. One of the core tenets of the GDPR is the right to be forgotten: at any time, an EU citizen may request that a business delete all personal data it holds about them, and the business has to comply. Doing so is impossible without good data hygiene and a strong security posture.
In that way, privacy regulations provide a tangible reason for an organization to revisit its data management practices. Compliance provides clear ROI to management as to why a business should expend time, effort, and money on updated policies and infrastructure. Moreover, it offers a framework businesses can turn to for guidance if they’re uncertain how they should proceed.
Cybersecurity aside, there’s another reason compliance with privacy regulations holds such value for businesses – the consumer.
Truth is, trust in corporations has reached an all-time low. Amidst constant data breaches, privacy scandals, corporate lobbying, and class-action lawsuits, consumers no longer believe brands have their best interests in mind. I suspect they haven’t held that belief for quite some time.
It isn’t just businesses, either. Organizations across the board, in both the public and private sector, are experiencing what Richard Edelman, president and CEO of Edelman, refers to as an unprecedented crisis of trust. Edelman, a public relations and marketing consultancy, maintains the Edelman Trust Barometer to measure the level of confidence consumers hold in institutions such as government, the media, and the private sector.
Privacy regulations are, at least in theory, designed with the best interests of consumers at heart. It follows, therefore, that any brand which openly complies with them also cares about protecting the privacy of its customers. In an era in which people are so often forced to give up so much information that they feel like commodities themselves, a business that is transparent about how it uses their data, and that gives them ownership over that data, stands out from the crowd.
Consider, for example, a recent study from Accenture, which found that 87% of consumers believe it’s important that businesses safeguard their personal data. In that same study, 58% of respondents indicated that they’d switch half of their spending or more to a brand they feel excels at offering them a personalized experience without abusing their privacy. In other words, people feel businesses should hold their best interests at heart, even if they don’t believe that they do.
Mind you, I’m cognizant of the fact that there’s no shortage of arguments against privacy regulations, as well. Implemented poorly, they can do more harm than good. They can burden organizations with unnecessary costs, stymie innovation, and prevent the development of new technologies, all while ultimately failing to achieve what they set out to do in the first place.
Marketing automation is a factor, as well. Much of the data sharing and analysis that occurs today is done for the sake of serving better ads and delivering a more personalized user experience. Regulation will significantly cut down on this practice: organizations will be unable to gather data without explicit consent, and even then, they will have to be overt about how they will use the data they have gathered.
That means fewer targeted advertisements. Fewer practices and services that rely on third-party consent. Fewer instances where user data is bought and sold.
This will admittedly make life difficult for some firms; for a few, it may even be crippling. From this perspective, it seems difficult to justify the positives of stricter privacy laws. I’d like you all to ask yourselves something, though.
When’s the last time you responded positively to a cold marketing email? When’s the last time you saw a targeted popup ad or banner ad and thought ‘this is something that interests me?’ When’s the last time your organization saw a tangible benefit from third-party data aside from a few extra ad clicks?
I imagine your answers here should speak for themselves.
The truth is that while some industries might suffer from stricter privacy regulation, as a whole, frameworks like the GDPR are a good thing for both businesses and consumers. They promote better data hygiene, better cybersecurity, and greater trust. A bit of lost ad revenue seems a comparatively small price to pay.
Right. I think we’ve spent enough time driving home the importance of privacy law. Let’s leave things off with a bit of rapid-fire advice on how you can get your business to a place of compliance.
Consider hiring a Chief Compliance Officer with expertise in dealing with the demands of GDPR (or whatever privacy framework you’re looking to comply with).
Perform a thorough risk assessment of your organization. Where is critical data stored, and how is it protected? Who has access to a given file at any given time? Would your organization know if a server were compromised, or would it be something you’d discover years down the line?
Carry out a complete inventory of all data within your organization. Your goal here is to ensure that all data of a particular type is stored in the same location; ideally, for instance, all customer data is kept on the same server. This is probably the most difficult step, and it will likely require the most legwork. As part of this process, you may want to consider incorporating a file management system that gives IT visibility into, and control over, files as they’re shared.
Incorporate multi-factor authentication and strict access control for all sensitive data. Possible additional factors include behavioral, device-based, or location-based authentication.
Deploy data loss prevention (DLP) technology to further help prevent unauthorized data access and data loss.
Establish consent forms that can be filled out by consumers who are willing to share their information with your organization. A compliance officer and an attorney should both be involved in this process.