With only two months to go until the May 25 deadline, news of the General Data Protection Regulation (GDPR) is everywhere. While companies scramble to implement strict internal policies and journalists fill their columns with dire warnings for non-compliance (monetary fines are up to four percent of annual global turnover), one aspect at the very heart of the upcoming regulation has been largely overshadowed – its impact on the customer.
To get the most out of GDPR, companies need to think in terms of respect, not ramifications. As its name suggests, GDPR is by definition a regulation, and as such it is thought of by most as a punishment of sorts, to be adhered to or risk the consequences. But that perspective reflects what GDPR does, not what it is. At its core, GDPR is a protective measure, meant to rekindle trust in the modern consumer. There’s a “P” in its title for a reason.
A Brief History of Privacy Protection
Though largely characterized in the press as sweeping new legislation, in point of fact GDPR is only the latest – albeit the most powerful and far-reaching – in a series of data protection regulation initiatives. To truly understand the intent of GDPR, we need to investigate the foundations on which its primary principles are built.
What many do not realize is that data protection regulation within the EU is over two decades old. Today’s EU data protection standard is spelled out by the 1995 Data Protection Directive (DPD), which, while well-meaning, lacked a unified level of commitment by EU privacy regulators. While some members such as Spain and Germany imposed strict privacy compliance requirements, others had few, if any. To a large extent, this left customers feeling vulnerable, as though companies were using them simply as a means to an end. This fostered a sense that there was a lack of respect on the part of companies toward their customers.
Basically, GDPR is DPD 2.0, giving the old regulations sharper teeth and greater reach in an effort to address the legitimate concerns and growing fears of an increasingly connected customer. It also enlarges its reach to include the needs of an expanding global market by seeking to promote “the improvement of corporate data transfer rules outside the European Union,” such as with companies residing in the United States. Taken this way, GDPR should not be viewed as a penalty imposed upon single-minded companies, but as a protective measure meant to safeguard the ever-expanding mountain of personal data brought to light by the proliferation of emerging technologies. After all, new methods call for new governance.
Respect is Earned, Not Enforced
The ways in which GDPR will require companies to make significant and often costly changes to the methods they use to acquire, store, analyze and use personal data have already been well documented. Some organizations have gone so far as to invest in a dedicated department to ensure internal compliance. This is the price the market demands for allowing us access to the information we need to gain a better understanding of our customer base. But companies who view GDPR as a gauntlet to be run are missing the big picture. GDPR was created for the simple reason that privacy is a delicate matter and, like any exercise in trust, it should be handled with care. Giving control of personal data back to the individual is simply the right thing to do.
Looked at from this perspective, GDPR becomes not so much about how we extract the data itself, but how we communicate with our customers. It is not only about regulating information, it is also about regulating emotions. Rather than highlight what we must do to avoid the penalties, we should emphasize our desire to protect our customers, who now have more choice on how their personal data is collected and shared with us. The focus shifts from “doing to” our customers to “doing with” them. When we are transparent and respectful, we are effective.
Just as in implementing a solid CSR initiative (see my earlier two-part CSR series), companies with the foresight to view GDPR from the outside-in gain the power to transform this regulation from a collection of legal hurdles to be overcome into a golden opportunity to form a bond of trust with the customer and open new and potentially powerful channels of dialogue. In this way, GDPR turns from regulatory nightmare into stellar opportunity for customer engagement. If we must spend the money and allocate the resources to establish compliance, why not build a bridge between company and customer in doing so?
A recurring theme throughout my blogs involves the power shift within the customer/company relationship. Digitization has given customers greater control over how companies communicate, how they operate, even what raw materials and production methods they use. The advent of GDPR now gives them control over their own personal information as well. When we are transparent in our approach to information gathering, customers see that we care about them, not just the data they represent. And to today’s hyper-connected customer, that makes all the difference.