Why businesses need to stop worrying and embrace GDPR

GDPR was a big moment in how we think about data. For many organisations it felt almost confrontational, as if the world that they had gotten used to had simply been broken apart, strategies and business models suddenly obsolete and ineffective.

While you’d expect most companies to be pretty comfortable with it, stats suggest that there is still a shocking lack of compliance. The fact that fines for GDPR breaches grew 40% in 2020 highlights that there’s still a lot more to be done - indeed, it might even be a sign that regulators are getting tougher on those that flout the rules.

While it might be tempting to view GDPR as a threat to the data-driven world we’ve become used to over the last decade, the reality is that it’s here to stay. Indeed, failing to engage with it isn’t only risky from a compliance perspective, it’s also dangerous from a brand and operational one. In other words, rather than just seeing GDPR as a law that we need to follow - as if the EU are our strict and overbearing parents - we should instead see it as a guide to:

• Build trust with customers and users
• Force us to focus on what really matters when it comes to data collection and usage
  
  

GDPR matters because trust matters to consumers

Let’s get to the first point: trust matters to consumers. The use of ad blockers is growing all the time and research consistently shows that there’s a lack of trust when it comes to businesses - digital ones in particular. 

This means that compliance isn’t simply a legal issue, it’s also one that will become table stakes for all industries. It will erode trust and tarnish your brand. Consumers are smart - even if they don’t make a noise about transgressions, they see them and yes, they judge you for them as well.

Talk to us about building a data strategy that deepens trust with your customers. Get in touch.

Increasing legislation around the world

If that isn’t a compelling reason to embrace GDPR, then consider that increased consumer awareness is only going to lead to legislation elsewhere. There are many reasons why it’s foolish to overlook GDPR simply because you don’t see the EU as customers. (1. Are you sure? 2. If they’re not now, then why not next year? Why limit your market? Surely the whole point of digital is the ease with which you can scale?) But that aside, similar legislation is going to be emerging in other parts of the world too.

• California has the California Consumer Privacy Act (CCPA), which came into effect in 2020; this will be strengthened by the California Consumer Privacy Rights Act (CPRA) which comes into effect in 2023.
• China’s Personal Information Protection Law is still being reviewed by lawmakers, but it is likely to mirror the types of protections GDPR has put in place.
• Brazil’s Lei Geral de Proteção de Dados came into effect last year - it’s the first data protection law in South America.
  
  

Those are just three examples - there are many more. This is a pattern that forms a trend that organisations can’t ignore. If they do they risk both fines or - possibly worse - a tarnished reputation.

Read next: Future trends in data engineering

The UK’s rhetoric is the exception, not the rule

Recent comments by the UK’s Secretary for Digital, Culture, Media, and Sport, Oliver Dowden, suggests that a post-Brexit Britain will be fighting back against the ostensible restrictiveness of GDPR rules. He spoke of the need to “[reform] our own data laws so that they’re based on common sense, not box-ticking.” It’s hard to see this as little more than rhetoric - the reality is that data laws need to be interoperable with others around the world - if you want to do business with, say Europe (as the UK will), businesses will need to treat citizen data in accordance with EU law. Dowden can’t change that.

As privacy advocate Heather Burns said to Wired, “It’s almost surreal when everyone from the United States to China is moving towards greater protections and privacy, that it’s just the UK moving in the direction of ‘scrap all that, get rid of it, let’s have fun with all the data.’”

Businesses would be wise to think globally. Dowden’s revanchism is misguided at best.

We can help evolve your data strategy. Learn more.

GDPR forces businesses to sharpen their data strategy

But it’s about more than compliance. The reason to embrace GDPR - even if it does feel difficult and restrictive - is because it will sharpen the way we use data.

This is smart in almost every context. From a financial one, it means businesses can stop investing in big data projects that have been initiated purely because of the seductions of scale. In short, by following the clear rules around user/citizen consent, we should stop trying to collect and store information that isn’t going to make a tangible difference to products, services or operations.

This restrictiveness then places the onus on more clearly defined strategies. It forces organisations to ask:

• Why do I need this data?
• What am I going to do with it?
• How is it going to add value?
  

Rather than asking these questions once that data has been gathered and takes up space somewhere, that line of questioning can structure your whole approach.

From an architectural and analytics perspective, the work you do can follow on from your answers to such questions. It provides a framework to answer things like:

• Which vendors should we use?
• What tools/stack should we have in place?
• What architectural patterns make the most sense?
• How should we share this data internally?

When you consider that data is as much a point of vulnerability - it can be stolen, lost, held to ransom - being clear about what you need and why means you’re no longer exposing yourself to unnecessary risk. As ransomware attacks appear to be on the rise, and we introduce more system complexity, practicing good data hygiene is a security and a reliability issue as much as a compliance one.

Data protection ‘rules’ can underpin better experiences and add value

It’s sometimes said that rules and restrictions can aid creativity - that having parameters makes you think differently about problems and focuses minds. That’s a good way of thinking about GDPR. Indeed, they shouldn’t be thought of as restrictions, but rather as a framework for helping us recognise and acknowledge user consent. This shouldn’t make businesses feel uncomfortable - consenting users will, after all, be more engaged and more loyal. What’s more, the value exchange that takes place in every interaction will be more visible and transparent - and ultimately that’s good for business.