Embrace GDPR to remain competitive, says OWI

In instituting the General Data Protection Regulation (GDPR), the EU is at the vanguard of a broader worldwide trend towards building consumer-centric data protection regimes, according to a One World Identity (OWI) report.

“GDPR was designed not just to shield the identity data of EU citizens from misuse, but deliberately to “set the global standard” for how personal information is protected,” according to a “survivor’s guide” published by OWI, a US-based identity research and strategy company focused on cyber security, digital commerce, and risk management.

According to OWI, the GDPR will have an effect on all companies that collect user data, making the need for clarity crucial in the days and weeks to come. The guide, the company said, is aimed at providing a strong understanding of the changes that GDPR brings and gives companies the concrete steps required to turn compliance into a competitive advantage.

Regulatory bodies and enterprises both within the EU and abroad are already revising their policies in light of the GDPR, the report notes, adding that all companies should follow suit to remain relevant in the digital economy, even if they are not legally bound by GDPR.

“Ultimately GDPR standards can make your business more competitive. We see this regulation as a harbinger of things to come in the modern personal data economy, where privacy is not dead and good data stewardship is a revenue-generating differentiator for digital businesses. The principles GDPR sets forth lay a solid foundation for digital identity creation and use across industries,” the guide said.

According to OWI, multinationals are already shifting their strategies to get in line with the regulation’s principles, and planning how best to navigate the international legal grounds for enforcement, but the guide notes that “some organisations are even cutting off EU-based customers entirely to avoid stepping afoul of GDPR – a choice we believe to be unsustainable and costly in the long run”.

The new principles and data subject rights established under GDPR are wide-ranging, but the guide warns that their true scope will not be clear until the first rounds of sanctions for non-compliance are levied after the compliance deadline of 25 May 2018.

Early indications from regulators, the guide said, indicate that their strategy for encouraging compliance is about more than simply making an example of violators.  

“In the UK, we’re very clear that the enforcement, especially early, will be done sensitively and proportionately for smaller organisations,” Matt Hancock, UK Secretary for digital, culture, media and sport is quoted as saying. France’s enforcement body is also focusing on ensuring companies embrace the core GDPR principles, the guide said.

While stating that the GDPR does not have to be “terrifying”, organisations should take it seriously because it will have a “huge impact” on how digital identities are created, processed, and now deleted for the companies it governs, the guide said.

“Beyond that, however, GDPR will raise the bar for data protection worldwide, even where the regulation doesn’t actively apply,” the guide said, noting that countries like Japan, Israel, New Zealand, Argentina, and South Korea are bolstering their own regulations in order to be recognised by the EU Commission’s “white list” for personal data transfers and maintain priority access to trade deals with the EU bloc.