This post is about something that might not be on your radar screen (but should be): the GDPR.
The General Data Protection Regulation, known simply as the GDPR, is a new, sweeping European Union rule going into effect May 25 that is designed to “protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” I’ve been seeing references to the GDPR for months, so I figured it was time to take a closer look.
The key provisions include:
- territorial scope (includes any organization, anywhere, that processes personal data of someone in the EU or UK)
- penalties
- consent (includes plain language and simple, clear opt-out options)
- data rights
The data rights piece is broad, and it covers a lot of things consumers want and businesses will now have to do. It includes provisions around breach notification, access to your data, the right to be forgotten, portability, and more. Altimeter included the handy visual of the data rights provisions in its new report on the implications of the GDPR for marketers (free with registration).
The GDPR is a big deal.
The regulation protects EU citizens, but it applies to any organization that does business in the European Union. Let’s just talk for a moment about five big data companies: Facebook, Amazon, Google, Apple, IBM. They will have to comply to do business in the EU, which means they will have built the capability to offer these protections everywhere. How long before consumers in other countries (i.e., the U.S.) start to demand the same protections by default?
Privacy is the new default.
I can’t take credit for the phrase. It comes from Ann Cavoukian at Ryerson University, who is quoted in the Altimeter report as saying: “Privacy is the new default — that is a game changer.” Altimeter’s take on this swirls around the benefits to organizations of improved data accuracy since consumers can now see, interact, and correct their data. (Of course, there’s nothing stopping companies from showing consumers their data now.) My take: companies will have to become not only better data stewards but also better data partners with consumers.
Data rights: a competitive edge?
The GDPR is an EU issue in the same way that California environmental regulations are a state issue (they’re not). What happens in California often sets a model that other U.S. states will follow; similarly, EU data rights aren’t staying locked in the EU. Which means that putting in place data rights protections for your customers, members, patients, and so forth will become part of doing business.
Which financial institution, for example, would you prefer to do business with: the one that lets you see, modify, and correct any issues in your credit report or the one that keeps putting up roadblocks? Which wearable tracker would you prefer: the one that lets you track key stats or the one that enables you to download, review, and even erase all the health data it’s aggregating about you?
Those first to market with stronger data protections will, I believe, enjoy a competitive edge until privacy truly becomes the new default.
Think about your organization. Which GDPR elements can you put in place?
Feature photo by Drew Graham (Unsplash).