After 3 Years of GDPR, Lessons Learned and Key Actions to Take in Data Governance
With year 3 of the European Union’s groundbreaking General Data Protection Regulation (GDPR) complete, it’s worth reflecting on this personal data privacy revolution and the best practices learned to help future success as we enter year 4. Has the GDPR become an unnecessary compliance burden—or is it a catalyst to creating new value from data?
In 2018, the GDPR opened up a new era for personal privacy regulations—not just for the EU, but also by raising the bar for global awareness and establishing a new focus on data use transparency. European consumers could now enforce their rights over how their personal data is handled responsibly—how, where, what is being used—so they could agree to the “why” of risk exposure from businesses that are creating new value from their data.
With personal data being generated exponentially across eCommerce sites and stored across IoT devices, new terms such as “right to be forgotten” offered the ability to erase personal data. And if organizations could not respond in time and with clarity, severe fines could be enforced. But how has the intersection of consumer rights with business value creation helped make customer experience better, so that businesses and consumers win?
What have we learned since the GDPR took effect
The May 25, 2018 milestone was a bit of a letdown, as we didn’t see (or expect) massive regulatory fines on Day 1. But what we discovered is that organizations would begin to understand privacy risks better, and GDPR enabled the starting point to a longer-term journey. For leading-edge organizations that embraced responsible data use, the GDPR became a new opportunity to improve data governance for gaining greater clarity and control over personally identifiable data within their care.
The GDPR demonstrated that people are concerned about privacy rights and this impacts brand loyalty
Privacy rights are now part of the public discourse and consumers are now increasingly exercising their rights to opt in or out, and take control. The stats demonstrate that people are more likely to hand over personal information to organizations they trust and that’s a differentiator for companies who took the GDPR seriously—and a liability for others in lost opportunities. Consider the consumer loyalty implications from a survey as the GDPR took effect:
- 69% of consumers prepared to boycott any company if protection not taken seriously
- 62% would blame a company first before a hacker during a data breach
- 83% would stop spending for serval months after a breach or incident, and
- 21% would not return to a company after a breach or incident is suffered.
Today the discussion is moving further mainstream, not only after high-profile GDPR fines began to raise awareness, but in adopting new data privacy standards, for example Apple’s App Store policies. Personal data privacy is in the public consciousness and most everyone has an opinion, thanks to the GDPR groundwork of the last few years.
The GDPR paved a foundation for global privacy law to raise standards and create new ones
The GDPR hardened data protection controls that accelerated the need for companies to improve data governance that includes using data discovery and classification tools—because you can’t protect what you don’t know you have. Most importantly, the GDPR began the conversation on what exactly is personal data? How do we define it?
We saw this debate intensify with California’s CCPA legislation and other US states, extending privacy rights to households, debating if employee data is exempt, or considering if biometrics and location data are also in scope. What started with the GDPR expanded into a global race with expanded personal data definitions and updated approaches for responsible use to be monitored, reducing risks such as identity theft and identity-based tracking.
As we enter year 4, it’s now clear that establishing a mature data governance practice to manage and enforce privacy policies is a must for every organization. Using artificial intelligence and machine learning, companies are automating data discovery and classification, streamlining data subject reporting, enforcing data protection rules, and enabling risk analytics for reporting insights. For any large organization, this is impossible to do manually using tools such as spreadsheets or coordinating across departmental silos. Personal data privacy has created the need for a repeatable, enterprise, framework that scales—while remaining agile to new data definitions and evolving global regulatory requirements that include the GDPR and beyond.
The GDPR has helped improve customer understanding for targeted products and services with trust
After three years of GDPR experience, we now see how customer experience has improved for leading edge companies with more mature data governance and privacy programs who took their responsibility seriously to preserve and grow customer loyalty with a better understanding of customer needs. Data analytics programs are being made safer to democratize, creating the rise of the citizen analyst to develop new customer-centric products and services from personal data, without exposing unnecessary risks. This is a win-win!
The GDPR may have started as a cost of doing business, but has become a differentiator to demonstrate ethical data use. It is now a competitive advantage to operationalize customer trust. One example of the global impact of the GDPR is Realogy, one of the world’s most ethical companies based in the US:
Realogy uses consumers’ personal data to analyze and improve its business, provide better support and services, and personalize content and marketing experiences, without compromising legal obligations. Like many companies, Realogy is undergoing a digital transformation, and its software developers need to work and test with real data to deliver new digital services.
Realogy is redefining how developers, field agents and real estate consumers benefit from safe data handling in the real estate industry—not only from GDPR compliance as a forcing function, but as a catalyst to accelerate digital transformation. By understanding customer rights, they have put the tools in place to understand and improve customer experience by incorporating preferences with positive results!
Managing GDPR privacy risk exposure is helping accelerate the road back to normal in 2021
Finally, over the last year, the global pandemic created new risks to data exposure and use. While the GDPR helped enable transparency, organizations have now focused transparency on remote workforce data use and supply chain movement. Data protection and transparency under the GDPR is helping to grow and sustain resiliency during uncertain times, proving that mature data governance programs can manage unexpected risks—much like a data exposure “vaccine” for businesses.
Taking further action: The GDPR as an opportunity to improve data governance
While the GDPR changed the game for privacy rights enforcement, it also brought about much needed change that we can all learn from in moving forward. Here are three critical actions that executives must take moving forward:
1. Empower everyone in your organization to become a trusted data steward
With consumer awareness about privacy rights growing and data literacy expanding across organizations, the GDPR has helped organizations to re-think how they handle personal data responsibly so that it aligns with consumer expectations to preserve trust—in doing so, customer loyalty has become a key differentiator. Establishing data privacy governance increases data quality and trust, and that’s good for business.
2. Move beyond single-point, disconnected solutions to a holistic data governance framework
Isolated departmental security, risk and compliance solutions, along with manual procedures to manage data, simply can’t scale. By operationalizing a data privacy governance framework across the enterprise, organizations are better able to scale out and remain agile to global legislation and meet new personal data privacy risks head on. Data privacy governance improves organizational ability to adapt to change.
3. Build a culture where GDPR is beyond just a compliance mandate to becoming a value creation accelerator
As organizations democratize personal data use, generate new insights from analytics, and adopt cloud solutions, they are able to accelerate digital transformation with lower risks. While it may be easy to approach the GDPR as a cost of doing business, companies that take data privacy seriously will reap the benefits in value creation opportunities. Data privacy programs help to accelerate bottom line results!
As the GDPR enters year 4 and new, expanded, legislation mirrors its impact globally, organizations are now applying the best practices learned to scale out data privacy governance programs, manage data responsibly, and stay resilient to changes in privacy laws, without slowing down their digital transformation agendas. It is time for companies to now make GDPR a key enabler of digital transformation with data privacy and security as a design principle.