Have you seen the shift that is occurring? Perhaps driven by the news of Facebook and Cambridge Analytica data misuse, what was once mostly a concern that centered on data breaches (and how companies dealt with them) has expanded to the realm of data privacy.
People around the world have really begun to think about how their data is being used by the companies they do business with – as well as the social media platforms they enjoy. People want to know what companies know about them. This includes how their data is being used, who their personal data is being sold to, and how the growth of machine learning and AI will affect the use of that data.
Trust: The new currency
Data has been dubbed “the new oil,” but it’s trust in how companies manage this data that will be the differentiating competitive factor. Consider what billionaire investor Jim Mellon said on CNBC recently: “These fines are going to be enormous. They are going to be bigger than those that have been levied on banks in the last decade or so … The Cambridge Analytica thing is just the tip of the iceberg, in my opinion.”
The word is out: Organizations that mishandle the personal data and trust of their customers will be held accountable in the form of fines, damaged stock value and lost revenue.
GDPR: Dawning new era of data privacy
If those notable concerns weren’t enough to give pause, consider what is coming in less than a month. Data privacy and trust requirements will ratchet up even further on May 25 in the form of the General Data Protection Regulation (GDPR).
With the GDPR, fines can be levied up to €20 million, or 4 percent of an organization’s worldwide annual revenue (whichever is higher), for the misuse of EU residents’ personal data. It will not matter whether your company is based in the EU; if an organization processes the personal data of EU residents, it is on the hook for the GDPR. And the expectations of residents outside of the EU that organizations provide them with data privacy transparency has dramatically increased and will likely continue to do so as GDPR goes into effect.
Yet with the compliance deadline just weeks away, a SAS survey found that only 5 percent of EU organizations and 8 percent of US organizations are currently GDPR-compliant. And just 30 percent of U.S. organizations and 53 percent of EU organizations expect to be compliant by the May 25 deadline.
When it came to the impacts on their organization, the survey revealed even stronger sentiments:
- 89 percent thought the GDPR would have an impact on their organization.
- 84 percent of organizations thought the GDPR will help implement or improve data governance.
- 68 percent of organizations agree the GDPR will positively affect the trust between their organization and its customers.
Considering the large potential fines, support from EU residents, the positive impact the GDPR will have on organizations and now the publicity and public interest in data privacy, one must ask: Why do so few organizations expect to be ready by May 25?
It’s not for lack of caring or effort. Simply put, complying with the GDPR is not easy. With close to 100 articles covering 88 pages, the GDPR has challenged even the savviest data governance programs.
Consider some of the top challenges organizations cited from the SAS survey:
- Just 36 percent of organizations feel confident that they know where all their customers’ personal data resides.
- 45 percent state that process and policy handling, privacy assessments and anonymization are taking up the most time and budget for GDPR compliance.
- 49 percent feel the GDPR will have an impact on AI goals, with establishing informed consent being the biggest challenge.
Data privacy isn’t just an IT issue
Despite these challenges, GDPR compliance is within reach for every organization. Similar to previous data governance initiatives, it is imperative that organizations identify the right people, processes and software to make it successful. By identifying the major stakeholders and working with IT (not simply handing over to IT to handle), organizations will have won half the battle. Organizations will need to single out individuals who are adept at compliance policy and law and make them part of the process. Marketing and HR will also need to be involved, as they are often the internal data “owners” and are critical for setting the data policies.
Finally, when software is obtained, the stakeholders will need to consider what is already in place at the organization, and if it is able to meet the new challenges from the GDPR such as consent management and the right to be forgotten. Both are areas that weren’t addressed in many standard data governance programs pre-GDPR.
And I’d suggest that organizations not currently required to comply with GDPR begin looking at their data governance program and identifying ways to become more transparent with how they use their data, because consumers are beginning to demand it regardless of regulations.
A human right. Data rights. Governance in the age of privacy. Whatever you call it, the GDPR and demand for data privacy has arrived. Will it usher in other, more stringent laws around the globe? That is yet to be seen. But parting advice from companies that are ready – the GDPR isn’t a burden, it’s an opportunity. An opportunity to maintain and build trust with your customers – which is never a bad thing.
About the Author
Todd Wright, Global Lead GDPR Solutions at SAS, has 15 years of experience in data management software, including sales and marketing positions at DataFlux and SAS. Wright is instrumental in developing customer relationships and driving awareness, consideration, education and demand for SAS Data Management and GDPR solutions.
Sign up for the free insideAI News newsletter.
nice article Todd