Putting the GDPR to work for you
With the GDPR deadline looming, plenty of businesses are still feeling the pain. You’re finalizing controller/processor contracts, absorbing costs for privacy audits, maybe you’ve even done data protection impact assessments if your industry works with sensitive financial or health information. There have been risk assessments, new privacy statements and internal data retention policies are ready to go, and you’ll launch new incident management processes by May 25. As with any sweeping change of this scale, you’ve had to create the necessary training materials and programs. Perhaps you’ve needed to move data stored in one country to a datacenter in another country, or invest in additional on-site storage capacity to accommodate new documentation requirements. Or, worse yet, you’re still in the middle of implementing your GDPR project, and you’re not going to be ready by the deadline. In that case, you’re currently experiencing the worst of both worlds: all the cost and headaches of compliance and the risk of enforcement and hefty fines. But I’m here to tell you today: it’s all worth it, and for more reasons than you may have assumed.
A rising tide lifts all boats
So, not everyone has the same starting point. Some companies, when faced with the daunting task of GDPR compliance, first had to figure out where all their data was even located. Most larger corporations, however, will already have had at least some semblance of a privacy or data protection program in place. GDPR compliance by modifying existing processes is generally easier and less costly than starting from square one. You might think companies with this type of head start are still enjoying a huge advantage now. But that is only true if you view compliance as the sole outcome of the sweeping changes organizations are making in the run-up to (and aftermath of) May 25.
As anyone who has ever dealt with risk management on an institutional level can attest, not every risk is adequately covered at all times. Larger organizations lacking structured data protection policies and processes were likely exposed to significant risk, whether it was on their agenda to address those risks or not. Paradoxically, it may be the businesses that were least prepared two years ago who stand to gain the most now, considering the baseline risk they started with. Because the changes they’ve been forced to implement for the GDPR will not only protect them from fines and penalties, but also from the losses that preventable data breaches can result in.
The struggle is real
And these types of data disasters do happen — the last few years have been littered with headlines of massive data heists. Take Yahoo’s famous breach, for example. The tech giant first revealed in 2014, while trying to negotiate the sale of its business to Verizon, that 500 million users had had their names, emails, birthdates, and telephone numbers stolen by a state-sponsored actor. Not long after, that number jumped to 1 billion, and just last year it was revealed that all 3 billion user accounts were affected. The initial reports cost Yahoo at least $350 million as it negotiated the sale of the company to Verizon. Other infamous thefts occurred at Adult Friend Finder (talk about sensitive data), eBay, and Equifax. And we’re only talking about breaches we know about. Some estimate that as much as 85% of data breaches go undetected.
Viewed from this perspective, being forced to step up your data protection game might not be quite so bad after all. In fact, Infosecurity Magazine reported that average compliance costs come in at around $5.5 million per year, while non-compliance costs companies a whopping $14.8 million. In other words, non-compliance can be nearly three times as expensive as compliance.
Think European, act global
Although much maligned by the press for supposedly not planning to meet all requirements of the GDPR (think data control, portability, erasure) in all countries where Facebook users reside, Mark Zuckerberg has nonetheless claimed his company will at minimum offer GDPR “controls and settings” to all users around the globe. Some have predicted that international GDPR compliance by Facebook could have a knock-on effect and lead other tech giants to follow suit.
And the new regulation is casting a much wider net than just European businesses and large multinationals. Companies need not be based in the EU to be subject to the new regulations. It’s enough for an entity outside the EU to merely have a website and market their products online to EU citizens. Because according to Article 3 of the GDPR, collecting data such as web analytics on someone’s behavior within the EU means you are technically subject to GDPR requirements. It’s nearly certain that there are countless entities outside the EU still blissfully unaware of (or unconcerned about) their obligations under the new law. For non-EU-based companies just learning of these new data protection realities, new services now promise to protect against GDPR exposure, for instance by simply blocking all web traffic from the EU.
Catch me if you can
But enforcement against US companies, for instance, will surely be difficult for EU regulators when there is no comparable US law, you might think. Especially for foreign companies with a physical presence in the EU, member states can in fact enforce regulations directly by means of those European assets. And companies that aren’t physically established in the EU will have to appoint a representative located in the EU, who will be held accountable for any violations. Furthermore, cooperation between EU and US authorities on the topic of data protection has been improving for some time now.
If the EU gives you lemons, make lemonade
A single consumer often uses multiple digital login credentials, in other words, multiple identities. But with the data portability requirements of the GDPR, all information stored on a particular person must be provided upon request. This makes it important to manage all of those many identities and associate each one with the proper individual, a process referred to as customer identity management.
But customer identity management is not only about data protection. Being able to associate multiple logins across several devices with a single individual gives businesses the ability to market directly to the individual based on their own personal preferences and all of their behaviors across different platforms and channels. Marketers talk about hyperpersonalization — and it can be leveraged as a competitive advantage. This is nothing less than an opportunity to build that holy grail — a 360-degree view of the customer — that marketers have been lusting after for ages.
But there are attractive capabilities resulting from GDPR compliance that can be marketed directly to the consumer as well. By offering customers easy access to all their data, businesses can turn GDPR compliance into a desirable feature they can sell as a unique advantage of their products or services. Complete transparency with respect to data processing and protection helps businesses earn credibility and trust, two things that can certainly impact the bottom line.
Colocation providers at ground zero
From our end, we’re seeing heightened demand from colocation providers for our solutions as companies move data to the most strategic location for their particular compliance scenario. Also, people need somewhere to store all the additional documentation required for compliance. For these providers, capacity and power efficiency of their datacenters are high priorities right now. Providing efficient backup power and datacenter management solutions is our way of helping them deal with the GDPR.
And if you think about it, there is an interesting parallel here. GDPR compliance and the capabilities it requires are a good investment because they avoid prohibitive costs in the future. Much the same way that investing in advanced power supply technologies is a good investment. Because downtime for your datacenter can certainly result in financial losses that rival what the GDPR threatens for non-compliance. Or, you can view both situations from a more positive perspective: leveraging your investment in the GDPR can give you the same type of competitive advantage as investing in state-of-the-art UPS systems for your datacenter. Sure, both help you avoid catastrophic losses. But those investments have value beyond merely averting disaster. Capitalizing on that value simply requires a bit of creativity — and the ability to communicate that what you are doing is better for the people who depend on you.
Sales Manager - Account manager High Estate
6 years: Go you!! On everyone’s lips right now, not least with us. Nice to have a pro in the family!