In instituting the General Data Protection Regulation (GDPR), the EU is at the vanguard of a broader worldwide trend towards building consumer-centric data protection regimes, according to a One World Identity (OWI) report.
“GDPR was designed not just to shield the identity data of EU citizens from misuse, but deliberately to ‘set the global standard’ for how personal information is protected,” according to a “survivor’s guide” published by OWI, a US-based identity research and strategy company focused on cyber security, digital commerce and risk management.
According to OWI, the GDPR will affect every company that collects user data, making clarity about its requirements crucial in the days and weeks to come. The guide, the company said, aims to give organisations a solid understanding of the changes the GDPR brings, along with the concrete steps required to turn compliance into a competitive advantage.
Regulatory bodies and enterprises both within the EU and abroad are already revising their policies in light of the GDPR, the report notes, adding that all companies should follow suit to remain relevant in the digital economy, even if they are not legally bound by GDPR.
“Ultimately GDPR standards can make your business more competitive. We see this regulation as a harbinger of things to come in the modern personal data economy, where privacy is not dead and good data stewardship is a revenue-generating differentiator for digital businesses. The principles GDPR sets forth lay a solid foundation for digital identity creation and use across industries,” the guide said.
According to OWI, multinationals are already shifting their strategies to get in line with the regulation’s principles, and planning how best to navigate the international legal grounds for enforcement, but the guide notes that “some organisations are even cutting off EU-based customers entirely to avoid stepping afoul of GDPR – a choice we believe to be unsustainable and costly in the long run”.
The new principles and data subject rights established under GDPR are wide-ranging, but the guide warns that their true scope will not be clear until the first rounds of sanctions for non-compliance are levied after the compliance deadline of 25 May 2018.
Early indications from regulators, the guide said, indicate that their strategy for encouraging compliance is about more than simply making an example of violators.
“In the UK, we’re very clear that the enforcement, especially early, will be done sensitively and proportionately for smaller organisations,” Matt Hancock, UK secretary of state for digital, culture, media and sport, is quoted as saying. France’s enforcement body is likewise focusing on ensuring that companies embrace the core GDPR principles, the guide said.
While stating that the GDPR does not have to be “terrifying”, the guide said organisations should take it seriously because it will have a “huge impact” on how digital identities are created, processed and, now, deleted by the companies it governs.
“Beyond that, however, GDPR will raise the bar for data protection worldwide, even where the regulation doesn’t actively apply,” the guide said, noting that countries such as Japan, Israel, New Zealand, Argentina and South Korea are bolstering their own regulations in order to be recognised under the European Commission’s adequacy decisions for personal data transfers (the guide’s “white list”) and to maintain priority access to trade deals with the EU bloc.
Universal application of GDPR
In the US, the guide notes that Facebook CEO Mark Zuckerberg’s recent congressional testimony brought the debate about universal application of GDPR principles into the public consciousness.
In a digital economy reeling from billion-user breaches of sensitive data, the guide said, a new generation of better-educated consumers will continue to demand stricter privacy protections, and organisations that embrace the GDPR will gain a competitive edge in the post-GDPR personal data economy.
“Even if a company is not currently governed by GDPR, raising the bar for accuracy in line with the regulation’s principles could have a tangible impact on their bottom line,” said Kaelyn Lowmaster, principal analyst at OWI and author of the guide.
“Many organisations have adopted a 'shoot first, ask questions later' approach: collecting high volumes of data under ambiguous terms of service, then looking for ways to leverage it to improve their businesses afterward.
“Under GDPR, this approach is no longer legal. No matter how advanced your company’s tech, you can’t rely on algorithms alone to evaluate your customers without giving them more information,” she said.