Countdown to GDPR: Yes, it applies to you—no, you don’t have to panic

Vice President and Chief Data Officer, Analytics, IBM

Are you dealing with information that belongs to EU subjects? Does your company have a “Data Protection Officer”? If the answer the first question is yes and the answer to the second is no, then the new General Data Protection Regulation (GDPR) probably applies to you, and you might not be prepared to comply. That’s ok. There’s still time. But first… 

What is the GDPR? 

The GDPR is the biggest change in data privacy in Europe in two decades. It’s a complex and far-reaching regulation, comprising many duties and obligations related to the personal data of individuals in the European Union. The European Parliament passed the legislation in April of 2016 and it goes into full effect on May 25, 2018—less than one year from now. If you’re expecting a grace period next year, you might be sorely mistaken. For all intents and purposes, the grace period is now. 

Yes, it applies to you

The EU has more than 500 million citizens and 20 million active businesses, and virtually every one of them will be impacted directly by the GDPR. Even if you don’t have a physical market presence in the EU, you’re required to comply if you deliver paid or unpaid goods or services to EU subjects, handle or process their personal data, monitor their behavior, handle information for non-EU subjects that are in the EU, or even work with partners that operate in the EU.

Simply put, GDPR compliance will soon be a requirement for doing any sort of business with subjects in the EU, and using their data.

Yes, it could cost you—a lot 

The price of non-compliance could be significant. For each instance of noncompliance with GDPR, organizations could potentially face fines up to 20 million euros or 4 percent of worldwide annual turnover, whichever is greater. And of course, on top of the financial cost would be the possible loss of reputation and customer trust that non-compliance could cost you. 

Don’t panic. This is an opportunity. 

By now you might be thinking, “Uh oh. I don’t know anything about this and I’m pretty sure my company isn’t compliant.” You're not alone. 1 in 4 European businesses don’t know GDPR is coming. If you are aware of GDPR (great start!), chances are you aren’t faring much better. Only 20% of those who are aware say they’re already compliant, 59% of those aware say they’re working on it, and the remaining 21% say they’re not prepared at all.1

But now that we’ve gotten all the scary parts out of the way, I encourage you to view GDPR not as a burden or a chore—it is an opportunity to gain competitive advantage. By evaluating your data privacy and security measures and updating where necessary, you’ll be poised to increase customer trust and you’ll have a valuable selling point against competitors who aren’t GDPR-ready (not to mention, you won’t be bogged down in fines…).

Better governance means better insights

It’s not just about the improved reputation and customer accountability. Implementing the GDPR in your company will likely result in a stronger overall data strategy. Compliance will typically require your data landscape to be highly integrated and connected. You’ll need lineage and visibility into your data. You’ll need to be able to move or erase customer data upon requestand prove that you’ve done so. 

This might sound daunting, but if implemented properly your new integrated system of data governance can allow you to more deeply know your customers and interact with them in new, innovative ways that you couldn’t before. 

That’s because, with few exceptions, the new regulations require the data subject to define what you can do with their data, and once you obtain consent you will have increased flexibility to experiment with customer interaction. Customers will be protected by their ability to give and withdraw consent, and your organization will be protected by having clean lines of sight into all your data, so you know exactly what you can and cannot use, and how. You can use this confidence to innovate new ways of doing business altogether.

What now?

The GDPR comes into full effect in less than a year. It’s definitely crunch time, but it’s not too late. Your GDPR readiness strategy needs to span people, process and technology. Many organizations will be able to preserve some of the processes they already have, while building on them to fill in any gaps. Some steps toward GDPR readiness include documenting which personal data you hold, reviewing current privacy notices, and in some cases, designating a “Data Protection Officer” to take responsibility for compliance. But the real end goal for each organization should be an end-to-end, unified governance strategy.

IBM has already started helping clients on their journeys with a comprehensive approach spanning governance, employee training and communications, processes, data and security. There is no one-size-fits-all solution for becoming GDPR compliant, so it’s important to find a partner who can evaluate your readiness on all fronts and help you create a detailed roadmap for compliance that’s tailored to your business.

On June 22nd IBM hosted the Fast Track Your Data event in Munich,where attendees learned about preparing for GDPR. I was joined by John Bowman, Senior Principal at Promontory, an IBM company, who was the UK’s lead negotiator on the current data-protection standards as well as a key player in their evolution. Be sure to watch the replay now.

Parting thoughts: data as a human issue

It is easy for us to talk about data solely as a market resource, but the GDPR challenges us to look at data privacy as something closer to a human issue. Why not let the GDPR be the catalyst for a whole new perspective on governance that starts with your customers? A customer-centric, unified governance system for data can make your company a well-oiled, insight-driven machine that can lead to more repeat business and higher loyalty. The better governed your environment, the easier it is for data scientists to access data, the more complete your picture of customers will be, and the more creativity you can have in your interactions. GDPR doesn’t have to be scary; it might be just the thing that helps you interact better with humans, not just with data.

1. Proskura, Alexei, and Mark Child. New Offerings Make MFA and Encryption Accessible to SMEs as Data Protection Challenges European Organizations. Rep. An IDC White Paper Sponsored by ESET, Feb. 2017. Web.