On its surface, Europe’s General Data Protection Regulation (GDPR) has touched off a technical fire drill for American companies operating in Europe. These new data privacy rules, set to take effect in May, have companies scrambling to inventory their data and develop systems and policies that comply.
But as challenging as GDPR may be for those working on compliance, the regulations should force a much-deeper appraisal of what values companies apply to their interactions with customers.
As business moves toward data-driven products and services, GDPR should serve as a forcing mechanism for brands to deepen relationships with their customers around consent. For those willing to think beyond pure compliance, GDPR presents a chance to build consumer trust at a time when trust is scarce.
Called by the European Union (EU) “the most important change in data privacy regulation in 20 years,” GDPR is meant to ensure consumer consent about how companies collect and use their information. It will restrict what types of personal data companies can collect, store and use in the EU and will regulate the exportation of personal data outside the EU.
The rules build the concept of a “right to be forgotten” into European law, so EU citizens will be able to ask companies to permanently remove certain online data about them. And in the event of a data breach, companies will have just 72 hours to report it to EU regulators. Those that do not comply could face fines of up to 4 percent of their annual revenue or 20 million Euros, whichever is greater.
The scramble by companies everywhere to comply has largely been about avoiding the risk of being fined. Rather, it should raise questions about corporate values. Customer data is both a source of competitive advantage to the company and the subject of rapidly-increasing suspicion to consumers.
In the United States, for example, among the very top concerns of internet users is how companies and governments use their personal data, according to research done by Statista in May, 2017. Other research shows that 68 percent of consumers do not trust brands with their personal information. It also shows that trust is a key factor in how consumers pick their preferred brands.
Data is both fundamental to digital business models and the most precious thing a customer can share. In some ways it is more valuable than money. As consumer concern about privacy grows, how companies treat data will define the brand experience.
The way companies react to GDPR can be seen as a bellwether. At many companies, legal teams are pouring over the language looking for loopholes; At others, they are making changes to their privacy policies in the hope that it will be enough to comply; Still others are looking at the whole thing as a purely technical exercise, an opportunity to clean up their data.
But for companies that view GDPR as a chance to re-think the value exchange with their customers — and to make that exchange both explicit and fair — the moment can be truly transformative.
Such big tech companies as Facebook, Google, Amazon and Microsoft have all publicly committed to meeting the privacy standard, a huge undertaking for companies of their scale with reams of customer-related data. But it remains unclear if they will follow the letter of the regulation or go further and fully embrace its spirit. Their example will be closely watched by smaller tech companies.
GDPR will re-set expectations for consumers, both in Europe and beyond. It will explicitly tip the balance of power their way, giving them real control over what data they share and how it is used. Those companies that welcome the change, that treat their customers as partners in how they use their data, that truly put their customers first, will build new levels of loyalty and unlock even more opportunities to put data to work.