25th of May 2018 is probably one of the most important dates for European companies this year. On this date, the General Data Protection Regulation – short ‘GDPR’ – will be implemented and binding for all European, but also a huge number of non-European companies worldwide. What is that about and what does it have to do with Digital?
In Short: What is it About?
The following list briefly summarizes the key components of the new regulation. As fines for non-compliance can amount to up to four percent of the global revenues of a company, these components are quite important.
– For every data set, the company must have explicit consent from the customer available, stored, and linked to the data. As company consents change over time, the version that a customer has agreed to is also important
– The “right to access” gives an individual the right to request all data that is stored about him or her. This information package needs to be portable and must include the purpose and the location of the storage
– The number of cyber security attacks has risen dramatically over the past years and companies do not always admit such attacks. With GDPR, companies have to report such privacy breaches within 72 hours to the regulator
– The “right to be forgotten” says that every individual can claim a complete deletion of his or her data. Therefore, companies have to adapt their data storage in such a way that they can track and precisely delete every data set that belongs to a certain person
– The principle of “privacy by design” requires companies to develop new applications and solutions in such a way that they – by design – favor the new standards of data privacy and e.g. ensure encryption of data throughout the processing of it
– Finally, a data processing officer is required for some companies; e.g. such that have to do with an extraordinary amount of data sets (mass data) or that store sensitive data
GDPR is Relevant for Everybody Processing Personal Data in Any Way
The regulation will be relevant to all companies that process the personal data of European citizens – may they be located within the European Union or even located outside the European Union. Important to note is that GDPR is not only relevant for large companies, but also for medium ones, small ones, and even private persons that process personal data in any way – for example bloggers that have conducted a lottery or collected comments with personal data.
What Does it Imply for European Digitalization?
Data is knowledge and power. Data can be the source of high revenue streams. Data has the potential to become a new currency. More and more companies believe in such or similar statements and develop data strategies that enable such statements. One pillar of these data strategies is usually to collect more and more data than they can analyze either today or shortly. Data strategies and Digital strategies go hand in hand, as a digitally matured company will always collect more data than a less matured one. This is because digitized processes provide much more potential for data collection at a higher speed.
With GDPR, it is the first time that owning data will also bring some duties, obligations or even a threat to companies across a larger region like the European Union. For German companies though, this is nothing new as the current German law (“BDSG”) has been the basis to develop GDPR for the European Union. However, for almost all others it is – especially for foreign companies that are not located in the European Union, but sell their services and goods there and hence handle European data.
There are a couple of likely situations:
1) Large and established European companies that have grown over decades have to clean and reorganize their data pools. Especially with different stores, many end customer data, different sites, and often decentralized or even non-digitized data storage now need to adapt a lot. For them, the threat coming from GDPR will be the biggest and those companies will probably need many resources to become ready. Other digitalization initiatives and projects will decrease in priority until they will have gotten their data right.
2) Large and global companies have to adapt their processes for the European market and they need the expertise and knowledge of how to do this. Their internal data handling will become more complex, as they most likely will not want to have all global customers have the same rights as European citizens. This would simply be an even bigger effort and threat to companies that have not yet mastered their data. For such companies, European business will bring more complexity, heterogeneous processes, and risks to their organization – making the market a little bit less attractive. Of course, this will not lead to global companies exiting the market, but it might lead to the decision to not offer some of their services anymore within the European Union.
3) Tech firms, startups, and other companies with innovative offerings often do not have full data control when they release new services to the market. However, doing this in the future in the European Union might have serious consequences. Hence, those companies will be more reluctant to release such services in the European market. They will rather test their services in markets where they do not have to threaten such fines and where they have more freedom to trial, error, and test their innovations and services. As a result, new and innovative services that include data processing are more likely to be launched outside the European Union first, before they are released within it.
Overall, the general data protection regulation brings many necessary rights and protection to customers. However, it should also be clear that stronger regulations in a region – as always – also have negative impacts on the region due to less compatibility with other markets. In the case of GDPR, I see a major negative impact on Europe’s Digitalization journey.
Happy to receive your comments if you have another argument!