Sometimes change is forced upon us…and it’s an opportunity

Current digital business practice is about to be hit sideways; in many cases it will force a fundamental rethink of an organisation’s business practices. I refer to the incoming GDPR (General Data Protection Regulation), which will replace the Data Protection Act later this year in spring.

In this blog Geoff Revill, Innovator and Founder of Krowdthink Ltd, will outline a few areas of change that will impact many businesses. For those who want to know more, this event includes top-level speakers from the European Union and the USA who can help inform you further.

The pursuit of Big Data opportunities has led to a ‘lake’ of data sprawled across corporations. A recent computing report highlighted that only 13% of businesses feel they have derived real commercial value from this lake, leaving 87% of unused data value. Companies must also update their IT infrastructure every 6-12 months in order to sustain data growth, which diverts attention away from real commercialisation opportunities. 90% of this data is unstructured with a critical lack of skilled resources to analyse it and use it. The real issue though is that a lot of this data could be personal data, buried deep in the silt of the data lake. The GDPR will empower consumers to potentially uncover that data, which could become a business liability.

There is more clarity in the GDPR that meta-data and potentially even derived analytical data is still personal data. Identifiers, like IP addresses, become personal data and new classes of data are classified as sensitive. The inappropriate use, or lack of protection, of this data is now potentially subject to the new fine system, with fines as high as €20M or 4% of your global turnover, whichever is bigger.

Companies will now have to spend more to better secure this big data lake and to be sure they understand exactly what personal data it holds; data which is being poorly monetised. Before the GDPR came in, these risks might have been acceptable to sit on, in case new analytics allowed new monetisation opportunities. Now companies will have to re-assess their commercial risk frameworks.

The catchall legal phrase ‘for legitimate business use’ for collecting data will be challenged under the GDPR. Consent requirements, especially for personal profiling, are significantly strengthened for the consumer, forcing companies to revisit their ongoing data collection practices.

Also, because the GDPR is a regulation, not an act, every country in Europe will move towards a more consistent enforcement mechanism, one that reflects a more coherent cross-EU interpretation.

The GDPR implements a one-stop shop mechanism, meaning that a company’s primary place of business will also be the country enforcing GDPR claims from consumers within any EU member state. As a result expect to have to support requests from many non-English first language claimants as you grow your business internationally.

Consumers will also have the right to demand deletion of ‘their’ data, which, unless you have maintained strict provenance tracking in your systems, you will find costly and difficult to comply with. Consumers can even demand a copy of their data set to take elsewhere if they so wish, meaning that unless you have demonstrated that your business is a trustworthy custodian, customers will be more readily able to walk away from your business, taking ‘their’ data with them and straight into your competitors’ hands. If you were thinking that you could hand off the issue to a 3rd party, think again, because consumers have the right to know who you pass their data on to and for what purpose. They can also demand their data deletion and portability rights all the way through the food chain of data processors. Failure to sustain records of such processing agreements can also incur substantial fines.

One way to look at this deluge of new challenges is as a massive legislative cost burden. However, there is another way. Look at the enforced change in the regulation of the market as an opportunity. Take your cue from Apple and how they have differentiated themselves from Google/Android as a trustworthy custodian of people’s digital lives. Companies that move fast to embrace the regulation as an asset can turn these changes into a commercial advantage that helps differentiate themselves from their direct competitors.

Consider going beyond the regulation and changing your digital engagement practices, making the customer your friend. If you want ideas on how to do this, attend Privacy – the Competitive Advantage. I hope to see you there.

Geoff Revill is Innovator and Founder of Krowdthink. You can visit their website here.

To learn more about how Krowdthink and other privacy innovators are commercialising their trust models and about the opportunities the GDPR enables, you can sign up to attend this event: www.theprivacyadvantage.com