
Why GDPR can be—gasp!—good for your company

The headlines leading up to GDPR have been Cassandra-like in their predictions of its dire effects on companies. But there are plenty of big benefits to the new regulation as well, suggest experts.

If you believe much of the press coverage, the European Union’s General Data Protection Regulation (GDPR) is a disaster waiting to happen for businesses. The Wall Street Journal, for example, claims there are “perhaps billions of dollars in fines waiting for those organizations that can’t or don’t comply.” A New York Times headline warns, “Tech Giants Brace for Europe’s New Data Privacy Rules.” The regulation, which goes into effect May 25, is a set of stringent rules governing data privacy in the 28 countries of the EU; it also applies to any company that has a presence in the EU or processes the data of residents of EU countries.

Companies themselves are fearful. In a report on GDPR, "Data privacy laws: Cutting the red tape," analyst firm Ovum says half of businesses surveyed expect to be fined due to GDPR, and more than 70 percent expect to need to increase their budgets in order to adhere to the new regulations.

But the regulations also have plenty of possible benefits. In this article, we look at the upside of GDPR and reasons to be glad your company is being nudged to participate. Among them: It forces companies to get a handle on all their data, including so-called dark data held in unstructured data stores; it helps ensure businesses make decisions based on accurate and relevant data; it enables savings in storage costs; and it helps companies get on the right side of their customers.

New funding and a focus on risk and privacy

GDPR forces companies to focus on data privacy and risks. Andrew Clearwater, director of privacy at OneTrust, says this is a good thing because companies will now get the resources to handle matters that in the past they may have neglected.

“This new funding for long-wanted privacy initiatives is very helpful,” Clearwater says. “Companies have likely known for quite some time that this is something they should tackle, but there just wasn’t enough business justification for doing it before. With the GDPR, they have it. So they’ve got the ability to make a real impact on their operations, and this goes beyond the obvious privacy implications, to things like properly mapping their data.”

Lois Boliek, director of the Security Center of Excellence at Hewlett Packard Enterprise Pointnext Services, adds that GDPR will make companies take an in-depth look at their current risk and privacy practices and security investments. “GDPR forces a risk and privacy assessment and an examination on whether you have the right controls in place,” she says. “A lot of companies may have an abundance of security products but now have to evaluate if their people, process, and technologies mitigate the right risks and protect personally identifiable information wherever it is accessed, stored, or processed. GDPR is an opportunity for companies to take a look at their security investments and decide whether they’re investing in the right things.”


Improving data quality and bringing “dark data” to light

Alexis Trittipo, associate partner at McKinsey & Co., believes that because GDPR forces companies to get a handle on the privacy of data, “it will be a chance for companies to rearchitect their data platforms. That will improve their internal data quality and allow them to build more flexibility in their data platforms that lets them respond to new needs that arise over time.”

The regulations also force companies to perform a comprehensive examination of their data, a task that likely hasn’t been done in years—if at all. That means going through all the data in production systems and other storage that is no longer used or needed. It also means looking at so-called dark data, unstructured information such as that found in presentations, spreadsheets, notes, and emails. To comply with GDPR, this data needs to be cleansed, analyzed, and purged—and that can lead to big benefits.

“As a best practice, whatever information is not needed should be deleted,” says Felix Martin, security strategist at HPE Pointnext's Global Security Center of Excellence. “Getting rid of unnecessary data can help optimize IT and storage costs. That will protect against non-compliance with GDPR and also protect the organization from accidental data leakage.”

Clearwater explains that, as a result of working to meet GDPR requirements, companies may come across data that was previously set aside for existing or now retired products. That gives them an opportunity to delete it to free up storage. He also notes that GDPR requires that companies look very deeply into their data to find information about individuals that in the past they might have missed.

“In the United States, when people think about data breaches, they may think about a Social Security number or driver’s license number being released,” Clearwater says. “But GDPR requires that you dig much more deeply than that. It can even be things like people’s IP addresses."

That forces companies to do a very deep data dive throughout the entire organization, perhaps in new ways. All that previously unexamined data can yield new business insights. “Examining newfound data and mapping its relationships to existing data could put companies in a position to launch new products that they hadn’t thought of before, because they didn’t have the data that showed a need for it or that would allow them to create it,” Clearwater says.

Going through the steps of examining, cleansing, and properly handling data can also improve how businesses operate, Martin says, and help ensure the company's business decisions are based on accurate and relevant information. "Integrity and accuracy of the data can drive better business decisions and improve business operations,” he notes. “And having good data management practices will improve efficiency throughout an organization. It will accelerate digital transformation with the adoption of new IT trends, such as big data use and IoT. And it will also improve operational processes and reduce the time it takes for procedures to run which require massive data use.”

Forging a closer relationship with customers

Data leaks and the improper collection of information about customers are increasingly in the news. People are showing that they’re less likely to be loyal to a company or its products if the company treats their personal data in a cavalier manner. That means adhering to GDPR guidelines can help companies gain the trust of existing and potential customers, which can have financial payoffs, experts say.

“GDPR can be good for companies because it helps build customer trust,” says McKinsey’s Trittipo. “And companies that are trusted more have a competitive advantage.”

HPE Pointnext's Boliek likens it to an insurance policy that protects against data breaches that can significantly harm a company’s reputation. Beyond that, she says, “it opens up channels of trust between you and your customer, and you and your business partners." Adhering to GDPR standards is a way for a company to assert, "You can trust us with your data. You can trust us with our business relationship." Boliek adds, "Trust is a competitive advantage.”

The Ovum GDPR report seems to confirm that premise. In what it calls the “Snowden effect,” the report notes that the United States is ranked the least-trusted of 20 industrialized economies when it comes to unauthorized access to sensitive information. (China is second, and Russia is third.) It says the new GDPR regulations will place U.S. companies at even more of a disadvantage, with “63 percent of respondents believing that the proposed EU GDPR regulations will make it harder for U.S. companies to compete, and 70 percent thinking the new legislation will favor European-based businesses.”

That disadvantage may be more than just theoretical. There’s a chance that U.S. companies (or companies elsewhere that don’t adhere to GDPR guidelines) may well be hurt in B2B markets. Boliek says that before the GDPR goes into effect, many EU-based companies are requiring existing and potential business partners and vendors to show exactly how they plan to adhere to GDPR guidelines. They’re doing that because they’ll be held responsible for any GDPR violations, even if the original data came from partners. So if those partners or potential partners can’t show that they adhere to the guidelines, there’s a good chance their businesses will be impacted. In contrast, companies that adhere to GDPR guidelines stand a chance of gaining new business.

As such, some people believe that countries outside the EU, notably the United States, may at some point require GDPR-like privacy protections so that they can better compete in the global economy. “Regulators often learn from what works well in other countries or jurisdictions,” Trittipo says.

Boliek agrees: “I think eventually the United States will require something similar to the GDPR.”

So don’t think of the GDPR as the end of national and international privacy regulations. At some point, round two may come to the United States, bringing with it temporary pain, but also potentially long-term benefits.

Why GDPR can be good for your company: Lessons for leaders

  • It forces a risk and privacy assessment and an examination of whether you have the right controls in place.
  • It’s a chance for companies to rearchitect their data platforms.
  • It forces companies to perform a comprehensive examination of their data, which likely hasn’t been done in years.
  • It can help gain the trust of existing and potential customers.

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.