Tim Walters

Jan 15, 2018

GDPR: A Nightmare for CIO/CDOs – Or a Dream Come True?

If you’re responsible for information, data, or digital strategy and your firm has any business in the EU, the GDPR should be keeping you up at night – and stalking your dreams when you slumber. With the May 25, 2018 enforcement date looming, it may be time for companies without well-advanced preparations to enter panic-stricken fire drill mode.

Still, maybe you’re resting easy. After all, the thing is called the General Data Protection Regulation – and your firm employs security pros for data protection and a binder full of lawyers for regulatory issues. What’s it got to do with digital strategy and engagement?

A Nightmarish Disruption to Business As Usual

Well, plenty. While it’s normally a very bad idea to poke a hibernating bear with a sharp stick, let’s take a look at some of the bedtime stories that might be helping you sleep – and delaying a proper response.

  • It’s just another burdensome compliance layer.

As a CIO or CDO, you probably don’t worry too much about Sarbanes-Oxley or the payment card industry data security standards (PCI-DSS) – and you shouldn’t. But, despite its name, the GDPR is nothing like those kinds of compliance requirements. Instead of an isolated issue concerning financial reporting or electronic payments, the GDPR addresses every single use of the personal data of EU residents – and thus cuts to the very core of today’s digital business operations.

  • The Privacy Shield will protect US firms.

Edward Snowden’s 2012 revelations about pervasive government snooping and surveillance further exacerbated long-standing EU concerns about transfers of personal data to the US. The Privacy Shield framework (PSF) is intended to allow US firms to “self-certify” that they provide an adequate level of protection for the personal data of EU residents. But it is dangerously misleading to believe that PSF certification will “exempt” firms from the GDPR. In fact, international data transfers are addressed in less than 10% of the regulation (seven out of 99 Articles). Whatever the fate of the Privacy Shield – it is under review at the European Court of Justice and increasingly threatened by the current hardline US administration – US companies still have to meet all of the other data processing principles and new data subject rights spelled out in the GDPR.

  • It’s all about revising our privacy policy and terms and conditions.

This fairy tale has a nugget of truth. The GDPR requires that consent requests and notifications must be “clearly distinguishable from other matters” and presented “in an intelligible and easily accessible form, using clear and plain language.”[1] That’s in direct contrast with the established habit of burying the privacy policy in long, opaque, and hidden T&Cs that are designed to discourage reading, let alone comprehension. (PayPal’s T&Cs are – or at least were – longer than Shakespeare’s Hamlet.) But beyond putting marketers and CX experts in charge of writing consent requests (as I argued at BloomReach’s recent Connect event in Amsterdam), firms will also have to practice “data protection by design and default” (DPbD).[2] Practically, this means that every business process that in any way touches EU personal data must have privacy and data protection “baked in” from the very beginning – literally from the moment a marker first touches a whiteboard in a digital strategy or customer engagement brainstorming session. Moreover, demonstrating the commitment to DPbD entails embracing the “processing principles” of Article 5, which include the requirement for “data minimization” – using the smallest possible amount of data for the shortest possible time and deleting it as soon as possible afterwards. That is, to say the least, out of sync with today’s digital “best practices” that encourage firms to collect as much data as they can and reuse it without limit.

A Dream Realized (At Last)

But wait . . . putting customers at the center of your business? That sounds very much like the elusive goal pursued by most businesses for the last decade, celebrated by Forrester as the “outside-in” approach that is a prerequisite in an environment where the quality of the customer experiences you offer matters far more than the features of your product.

But a funny thing happened on the way to the customer experience revolution. Namely, it didn’t happen. Accenture’s 2017 Global Consumer Pulse Research again confirms what their annual surveys – and other key sources like Forrester’s CX Index – have documented for years: despite all of the time, effort, and budget expended on improved CX, consumers are less satisfied with the experiences they are offered.

Indeed, Accenture diagnoses a “vicious circle.” Consumers expect and demand ever more personalized and relevant experiences but at the same time they are anxious and concerned about how their data is collected, used, and shared. (And, we could add, they are ever more willing to act on their concern by deploying ad- and tracking-blockers, activating advanced privacy settings in browsers, and providing fake information in online forms.)

In other words, there is a gap – if not a yawning abyss – between the qualities consumers desire in their interactions with sellers (e.g., a sense that they are known, recognized, and valued) and the way sellers have developed to deliver those qualities (e.g., rampant data collection, aggregation, and tracking).

By insisting that consumers should be in control of their own data – that is, by effectively making customer-centricity a legal requirement – the GDPR breaks the vicious circle, interrupts the dogmatic slumber of so-far ineffective customer experience management, and opens a new path that can allow sellers and buyers to build trust-based, mutually beneficial relationships. That’s a journey that can’t seriously get started without the leadership of CIOs and CDOs.

[1] The final text of the GDPR is available in English and 23 other languages at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=consil:ST_5419_2016_INIT. On the conditions for consent, see Article 7 and Recital 32.

[2] GDPR, Article 25 and Recital 78. The practice is better known as privacy by design.
