In a wash of emails that reminded many Americans that even the most forward-thinking of companies can be subject to procrastination, the GDPR finally went into effect some weeks ago, after a two-year grace period which the companies could have used (but most didn’t) to update their privacy policies and notify their customers. Ironically, that flood of emails virtually guaranteed that no one would read the majority of those privacy notices, which were supposed to be construed in a simpler way, allowing people to more easily understand how their data was being gathered, used, and stored. Against the background of all this was a fair (and understandable) amount of complaining from both business owners and users. But for those paying attention, this onerous reform wasn’t an obstacle for business owners, but rather the way forward in our ever-evolving digital world.
Many of us conflate the issues of data privacy and data security, but they are simply related, not equivalent. The GDPR (General Data Protection Regulation, in case you were wondering) is concerned simply with privacy, not security. In a certain sense, one can’t really legislate against data theft any more than one can legislate against bank robbery. It’s illegal to steal, but theft will still occur.
In relation to the theft of our data, the GDPR is basically stating that it doesn’t matter how secure the data you hold is if you don’t have the right to the data in the first place. Now that the legislation is in force worldwide users have to give their consent explicitly and clearly for any uses you make of their “data” (a term which can include personal identifiers, location, biometrics, etc.), or it cannot be kept or used.
It’s been a good opportunity for me to take this digital lesson into the real world and revisit the ways I treat (and have treated) private data. Do I have personal practices set up? Do my staff? Does our company (having an appointed “data protection officer” and auditing the data we already have were just two of the many steps we could take)? Have we looked at where and how our cloud services operate? (Geography does matter, even in the cloud.) In the short term, the consequence of negative answers could simply be prohibition from doing business in the EU, but in the long term, many non-European users may have similar expectations, and it doesn’t make sense for our businesses to impose restrictions on ourselves in a world which constantly offers more opportunity through greater connectivity. Instead of focusing solely on the impact to users, we can have confidence that once we have users’ permission through GDPR compliance, we have a way to identify new business opportunities, with an opted-in marketplace.
Users say they value privacy, but the increasing sales of devices like the Amazon Echo and the willingness to ignore the aforementioned flood of emails seem to indicate otherwise. One take could be that perhaps users don’t know what they really want. Another is that the nature of the digital world and the Internet of Things is changing our expectations, and in a sense, the very nature of what we think of when it comes to privacy.
Businesses need to embrace this in the way they innovate and create. By making sure their clients know how and why their data is being collected, users can be offered opportunities to help trial and beta test new products and services businesses may have to offer. While there are a fair number of companies who used the GDPR as a reason to shutter their European operations, other companies can take the opportunity to involve their clients more. If everyone at the table sees privacy as important, users will respect, not resent, your asking them for data to help you help them more.
Edward Snowden, Wikileaks, Cambridge Analytica…these names all remind us that our data is being used regularly, sometimes with neutral or benign intentions, but sometimes with invasive ones. This can trigger latent fear and distrust between clients and companies. GDPR offers a genuine opportunity to move away from these fears, understandably grounded in long and murky privacy policies, to ones that are simple, not just from the wording and legal perspective, but from the practical one, that users will deal with on a day-to-day basis.
No one likes change. But often, change can be just what we need to make the adjustments we need to grow as individuals and companies. GDPR presented – and continues to present – this opportunity to all of us. All the data being generated by all the devices we use, in tandem with technology that can use that data to create actionable responses, leads us down a path of unprecedented possibilities. Those who adapt to these changes thoughtfully and rapidly will have an edge on their competition side-by-side with greater trust by their users.