It was around ten years in the making and may introduce a once-in-a-generation shift in data privacy and protection across Europe and beyond. The GDPR became law across Europe on 25 May 2018. PCM considers the ABC — the attitudes, behaviours and culture — of data stewardship and its implications.
The GDPR applies across all EU member states. Member states have flexibility in some areas to determine national implementations, for example the age at which children can give consent to personal data processing without parental approval. Yet for the most part, individuals have enhanced rights. Breach notification is mandatory. There are also greater enforcement penalties. At four percent of global turnover or €20 million, larger companies could be liable for millions, even billions, in fines for data breaches.
“Breach of GDPR rules can be misuse of data, i.e. using personal data where there is no consent, such as in marketing material, all the way through to not ensuring sufficient data security and being open to hacking,” explains Jon Szehofner, founding partner of the financial markets practice at law firm Gordon Dadds.
While the GDPR strengthens rights, it builds on existing privacy and data protection principles. The legal basis for privacy in Europe since the Second World War was enshrined in article 8 of the 1953 European Convention on Human Rights. This guarantees the right to respect for private and family life, one’s home and correspondence. 65 years on, privacy and data protection have become more, not less, important.
“Personal data has become a social and political issue. The GDPR has its roots in this social context and was accepted into European law in April 2016. It is intended to strengthen and unify data protection for individuals both within the EU and with respect to the export of their data outside the European Economic Area (EEA),” says Szehofner.
DATA IS THE NEW OIL
The 20th century saw a shift from valuing merely physical, tangible assets, such as land and factories, to valuing intangible ones. Reputation, brand, intellectual property, the R&D pipeline, IT and data became valued and valuable, too.
For example, Philip Morris acquired Kraft in 1988 for $12.9 billion, four times its book value. The former had long been trying to diversify its portfolio from tobacco products and the CEO, Hamish Marshall, justified the premium by saying “the future of consumer marketing belongs to the companies with the strongest brands.”
Similarly, UK government figures suggest that investment in intangible assets overtook that in tangible assets in the early 2000s. These intangible assets were also more resilient during the economic downturn. This trend is only set to continue.
Data is the motor of the modern, digital economy. However, amassing as much data as possible is not the whole story. Firms need enough of the right type of data. They need to mine it for relevant business insights. Post-GDPR, they especially need the right type of attitude to data and data stewardship.
“My approach was to prioritise a culture change in the stewardship of data, such that it facilitated opportunities for data use and data sharing — so that it would not become an impediment to legitimate uses of data — but it would penalise misuse of data,” said Sarah Ludford speaking at a Westminster e-forum. Ludford was formerly a member of the European parliament and worked on drafts of the regulation.
“We have had many high-profile cases of data loss, data breaches and fraud. This has a very damaging effect on consumer confidence. That is not in the interests of businesses or public bodies, who want to make the case for data,” she continued.
The GDPR may well overturn old cultural notions of data being a zero-sum gain, in which the customer has to give up their data in exchange for a free service, as in the oft-quoted internet maxim: if you’re not paying for it, you’re not the customer; you’re the product.
The GDPR delivers an opportunity to turn privacy and data protection into a positive-sum gain. This may be based on better articulation of value or new value exchanges. Customers may be happy to exchange their data if they know what will be done with it and what they get in return. New value exchanges may be based on empowering customers to get more out of their own data, for example by presenting data back to customers so that they can extract more value from it.
Facebook founder, Mark Zuckerberg, is alleged to have called early users of his site “dumb f—s” for handing over their data. Apple CEO, Tim Cook, issued a pointed rebuke to Facebook and its business model when news of the recent Cambridge Analytica scandal broke. “We could make a ton of money if we monetised our customers, if our customers were our product. We’ve elected not to do that…Privacy to us is a human right, a civil liberty,” said Cook.
Apple’s past strategic decision and positioning take the moral high ground. But more importantly, they are in line with European regulatory thinking. The principle that customers own their personal data is behind not only the GDPR but also PSD2, for example in access to account information. Customers can choose how their data is used and shared.
“It is important to note that compliance/implementing the rules does not stop in May 2018. The policies and processes to comply with GDPR will become part of the firm’s DNA,” says Szehofner. Indeed, data is the new oil. Payments and the social graph are just two of the wells. But with big data comes big responsibility. If firms collect, store and manage personal data, it also comes with a big stick: four percent of global turnover or €20 million, whichever is the greater.