We’re Months Into GDPR. So, What’s Next?
Facebook recently lost $120 billion in market cap in a single day, citing three reasons for its Q2 earnings miss and lowered earnings expectations: the Cambridge Analytica scandal, global currency fluctuations and the General Data Protection Regulation, or GDPR. Yet it is noteworthy that Q2 2018 only saw five weeks where GDPR was in effect, and two of the three factors Facebook called out were related to influences from GDPR.
Over the past few months, consumers have grown weary of the overwhelming number of emails, prompts, and mailings that require them to review brands’ privacy policies and agree to new privacy terms. Many of these are ‘all or nothing’ agreements where, if you do not agree, the entire service is unavailable. This is non-compliant with GDPR if parts of the service do not use personal data. These initial adjustments mostly address the gaping holes in GDPR compliance, and are only the beginning of a continuous period of adjustment leading to more comprehensive solutions.
This is because most organizations have still not settled into the new GDPR rules, as there remains the perception that GDPR regulations are something that a compliance, marketing or IT department should handle on its own. As a result, many organizations ignored the foreboding signs of the new law. Other companies divided GDPR-related responsibilities amongst a handful of departments that don’t regularly communicate with one another, leading to gaps in data lineage, traceability, security and linking consents to usage of data. This is why taking a connected-data approach to GDPR is critical for alleviating headaches that stem from these kinds of interdepartmental scrambles.
The Struggle to Comply
The 14 largest companies in the world, including Facebook, are still not GDPR compliant. Consumers still cannot obtain access to all the data that companies have on them, leading to consequences like Facebook losing approximately one million European monthly active users. Apple is one of the few gargantuan companies that seem to be providing most of the data that they have on individuals.
Compliance has been an issue across a breadth of industries. Over $8 billion in lawsuits have been filed over GDPR breaches by independent parties, and there have been four times as many reported data breaches since May in the EU. Search and ad-based companies are being impacted, judging by their public statements. Multiple companies are also fretting about outbound marketing difficulty, as some are having to clean up their databases of acquired leads because their lead sources were unknown or not trustworthy.
How to More Easily Handle Compliance
Generally, most organizations took an unstructured approach to the GDPR deadline. Now that some time has passed, they can take a step back to understand what is and what isn’t working. The lack of cohesive data and the poor communication in many GDPR compliance strategies are further reasons why a connected data approach should be considered. This can help organizations avoid losing or failing to recognize important data, particularly as it pertains to compliance.
To address the problem, the first step is recognizing that GDPR is not a marketing problem, an IT problem, or a security problem. Instead, it’s something that should be addressed throughout all departments within an organization, with a broad perspective, to ensure no stone is left unturned.
Employing technology that connects a subject’s personal data with consents, usage, and data location (among others) makes your compliance spend more strategic, as it provides comprehensive traceability to personal data. Such a connected data solution also grants access to in-depth business analytics. This will in turn help organizations discover new opportunities to serve customers better and operate more efficiently. As a result, organizations can also better ensure data governance and thereby reduce compliance risk.
The Future: California Consumer Privacy Act of 2018
On June 28, California passed the new California Consumer Privacy Act of 2018, a law that will affect the landscape of privacy laws and compliance for years to come. The new law, which goes into effect on January 1, 2020, gives Californians more control over the information businesses collect on them, and imposes new requirements and prohibitions on businesses.
Any company that has data on California consumers, regardless of whether the organization is based in California, will have to take drastic measures to ensure it remains compliant with the forthcoming standards. Essentially, any company that has personal data on a California resident needs to comply. Now even those U.S.-based companies that weren’t impacted by GDPR are in the spotlight, and it’s critical not to procrastinate on this. As we have seen with GDPR, one and a half years is not enough. If GDPR didn’t get you the first time, this one certainly will.
Global companies can and should try to address the requirements of the California Consumer Privacy Act, EU GDPR and other privacy regimes simultaneously and holistically using the connected data approach, in the interest of efficiency. Efficient technology, preparation and process applied to both the California Consumer Privacy Act of 2018 and GDPR will help alleviate the headaches this new law could create, particularly for the likes of Facebook, for whom GDPR has proved to be a significant hurdle. Using a connected data approach will help provide transparency, meaning that organizations can build a stronger level of trust with customers and prospects while adapting to a changing regulatory environment as similar laws get enacted across the world.