The optimistic business developer’s guide to the GDPR

Team wwwave · Published in wwwave · 5 min read · Jun 15, 2017

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect. In its own words, its goal is “to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” No matter how you feel about the legislation, the fact of the matter is that it’s coming, and organizations worldwide will feel its impact. It will fundamentally change the way companies approach and handle consumer data.

Much has been written about the ramifications of this legislation, and the consensus seems to be that organizations are scrambling. The majority of companies feel inadequately prepared to comply with the upcoming legislation. For example, a recent survey conducted by Varonis of 500 key IT decision makers in the UK, Germany, France and the US indicated that 75% believe they will struggle to meet the deadline. A similar study by the DMA of UK-based businesses revealed that nearly half of them felt they wouldn’t be ready to meet next year’s deadline.

Dude, where’s our data?

One of the common themes revealed in the surveys that have been conducted regarding GDPR-preparedness is that many organizations simply don’t know where their data is today and who has access to it. In fact, in a 2017 Varonis Data Risk Report, 47% of organizations surveyed had 1,000 or more sensitive files accessible to every employee in the organization. According to a survey published in Yahoo! Finance, 15% of German organizations admitted they don’t know where all their customer data is stored; in the UK, 12% of organizations are in the dark, and in France the number climbs to 20% of all organizations that are in serious doubt about where all this data has been placed. All this points to a need for companies to rethink the way they collect and handle data, and sooner rather than later.

Carpe diem, businesses!

As opposed to joining the collective hand-wringing and fretting over compliance and the cost of doing so, we would like to issue a call to arms. Here at wwwave, we think GDPR represents a tremendous opportunity for companies to change the way they do business.

What has us excited?

Well, the concept of data portability, for starters. One of the key rights we advocate for is consumers being able to use their data for their own benefit: to know what information companies are gathering about them and to have a say in how this data is being used. With data portability being one of the central tenets in the GDPR legislation, consumers have “the right to receive the personal data concerning them”. We know of quite a few startups and IT companies with interesting ideas of ways to give consumers access to the data that’s being collected about them online. Companies like digi.me are working on apps that enable consumers to own their personal data and decide for themselves how much of it they want to share with companies. In their own words, digi.me’s business model involves “taking cents per transaction from businesses when individuals agree to share their data with companies under our consent access process.”

Their aim is to develop a personal data platform, where third-party apps can work directly with individuals sharing their data in exchange for fully personalized services, with consent being a built-in part of the business model.

People.io, another tech company dedicated to giving people ownership of their data, is partnering with telecom companies to give consumers control over the data gathered in their apps.

Suddenly, the market potential for these applications has grown exponentially. We’re very interested in seeing how other companies can use GDPR requirements as a catalyst for innovation.

It’ll be like Disney World for system designers

The other area we’ve flagged as what basically amounts to an open invitation to developers everywhere is the soon-to-be legally required “privacy by design”. Under the new regulations, data protection must become a fundamental part of the way we design business systems and applications, not something that is shoehorned in or included as an afterthought. This opens a brave new world for system developers everywhere to rise and develop exciting alternatives to existing CRM systems that include built-in measures that provide transparency and data protection. Doing so will address one of the most commonly expressed concerns companies have in the wake of this new legislation: how will we be able to offer our customers relevant products without being able to collect their data? The answer will be by finding new ways of interacting and engaging with your customers that are based on mutual consent.

For example, Dattaca Labs fosters a developer network to help large businesses and growing startups design and build their own tailored applications that leverage personal data consensually to provide better services to their customers. New York-based startup Datacoup is establishing a marketplace that lets customers sell their data to companies. Their service gives consumers an overview of the data being collected about them, and in exchange, companies get data that they know is accurate. This is eCommerce in a post-GDPR world.

Time to let the consumer in

The best way to be prepared is to be proactive. As private individuals, we want to access content, products and services that are relevant for us. This makes our lives easier and helps us to wade through the massive amount of information that exists in cyberspace. So, as consumers, we’re not fundamentally opposed to companies using our information to direct us to the products and services that best meet our needs. Yet if companies want access to our information, they need to be open about what they’re gathering and how they’re using and sharing it. It all boils down to trust. And trust, as we all know, goes both ways.

How can you use the next 300 days most effectively? By working with your customers to come up with an information sharing model that respects their data and gives you the information you need to help them.

Other details that caught our eye

- Goodbye to consent by default: The GDPR will make pre-checked, blanket consents a thing of the past.

- The long arm of the law: The GDPR isn’t limited to companies operating within the borders of the European Union. It applies to any business, anywhere on the planet, that gathers personal data of EU citizens.

- Calling all recruiters: The GDPR also requires companies to appoint a Data Protection Officer. However, companies should avoid the pitfall of thinking this new Officer will be the sole guardian of customer privacy protection. To operate successfully in a post-GDPR world, companies need to make digital data policies a core part of their customer relationship strategy.
