Three months have passed since the day GDPR came into effect, May 25th, 2018. The noise around new terms and conditions has died down, and astonishingly we still see non-European firms and web sites like the LA Times and the Chicago Tribune denying access to EU visitors on the basis of GDPR. One has to draw the conclusion that these firms have completely missed the opportunity which is GDPR!
One of the distinctions of GDPR is that it affects not only European firms, but any firm worldwide that handles data relating to European individuals, which has certainly got the attention of firms such as these. Couple this with the wealth of regulatory consultants, law firms, and other consulting operations which have, over the past months, been making a fortune selling fear, uncertainty and doubt around GDPR.
Like so many of the waves of regulation that firms have faced in recent years, many firms have taken the approach of burying their heads in the sand: not taking action early enough and, faced with a looming compliance date, rushing to implement the bare minimum to scrape through and continue to do tomorrow the business that they do today, whilst putting in place a contingency budget to cover the fines that many expect they will receive when Europe's data protection authorities start to look at what is going on with data relating to Europeans.
So, how then can GDPR ever be called the opportunity of the decade? Surely it is just one more burden that firms must contend with in today's regulated world. Well, firstly, Matt has been quoted as saying "to profit from regulatory compliance firms need to think several steps ahead", and in the case of GDPR this has never been truer.
Those who take a different look at the regulation will find that it contains opportunities: not to do tomorrow what we do today, but to do something different, more customer centric and more profitable than what we do today. Putting ownership and control of the customer's data into the hands of the customer themselves is, in itself, the dawn of the data economy.
If I, the consumer, own and control who I share my personal data with, and those I share it with are required to protect it, I can actually benefit from it. By sharing my personal data I can be offered investment products which are aligned not only with my investment objectives, but also with my social objectives. I can be offered personalised products which suit my personal needs at any point in time. Imagine also being rewarded with lower insurance premiums for sharing where and when I drive. This list of possibilities is so huge that it is hard to imagine all of them, and all of this is made possible through GDPR, because once you undertake to be compliant with GDPR you have an inventory of all the information that you hold. All this personal data is a goldmine for any firm offering consumer products and services. The long talked about data economy was born on May 25th, 2018.
So, if there are so many opportunities out there, how do firms take advantage, whilst being compliant with the regulation? Is compliance really the monster that many have styled it to be?
Firstly, firms do need to have in place the basic "hygiene factors", which you really should be doing anyway when you process or store personal data. That means knowing:
- what data do you have?
- where is it stored?
- how is it protected?
- who has access to it?
- where third party firms have access, are they compliant?
- what due diligence is being done on suppliers and subcontractors?
- are policies and procedures in place?
- are the staff trained to look out for untoward incidents and take quick action to plug the problem before extensive damage occurs?
- are application and vendor software changes and releases GDPR compliant before implementation?
- are customers informed that there are protections in place for their data, and is there an opt-in function? Do clients trust your processes and brand with their data and information?
- are the protections verified on a periodic basis, within your own systems and your vendors' systems, be it encryption of data at rest, proper access rights to sensitive data, or multi-factor authentication?
So, if firms aren't meeting these initial "hygiene factors" what can they do? Well fortunately there are tools available to help.
It starts with an initial risk assessment exercise. Once firms have completed this initial exercise, guess what, they are already ready to start profiting from their data. If we now know what we have, and that the data is accurate (after all, GDPR mandates that it must be), we can already start using technology to understand our customer base.
Now, to really create new products and new services which better understand the customer, we need the customer to give us access to other data about them. There are platforms in place which allow the customer to control with whom their data is shared. One such example is The Hat Community Foundation, who have created just such a platform, open source, giving individuals control over their own data, for free.
Fortunately, other regulations, like PSD2, mandate access to transaction information. Driven by a demand for open banking, suddenly individuals can share their financial data with other providers. Individuals are no longer placed in a bucket; financial service firms can assess an individual's standing, and thereby risk or opportunity, even against that individual's behaviour with their competitors. Individuals can exchange their full financial state across institutions for access to loans, mortgages, and other personal financing products with better conditions, or for investment products tailored to their individual needs.
Is GDPR the start of a data revolution: a European revolution, based upon European values, for once not copying the model from across the pond, but taking the lead? It would just be silly to bury our heads in the sand and pretend it isn't happening; after all, GDPR is the opportunity of the decade for those who embrace it.