Why GDPR is so relevant to the business

The GDPR is not only relevant to CISOs and DPOs; it has a massive impact on the business as a whole

The EU General Data Protection Regulation (GDPR) has a huge impact on businesses, particularly due to the new consent rules. Instead of a fuzzy consent, given once in the form of: “This site uses cookies. If you continue using the site, you accept that we collect all data we can and do whatever we want to with the information,” the GDPR mandates consent per purpose.

It must also be informed, unambiguous and freely given. This also means that any new purpose of using data requires additional explicit, informed, and unambiguous consent. And that consent can be revoked at any time.

This is the reason why the EU GDPR is first and foremost a business challenge: not primarily an IT challenge, not an IT security challenge, and not a data protection challenge. For sure, it is a challenge for CIOs, chief information security officers and data protection officers, and there are a lot of complex challenges to solve. But the main challenge is the impact on the customer relationship.

In a recent KuppingerCole survey, 73.5% of the respondents defined improved customer relationships and interaction as the main target of a company’s digital transformation strategy.

Let’s look at three scenarios:

  1. Customers who register for a service for the first time and are asked to give their consent.
  2. Customers who are already registered for a service and must give their consent before the GDPR becomes effective.
  3. Adding a new purpose to a service that requires asking customers for additional consent.

Due to the consent requirements, case number one will become more complex than today. Customers will better understand what personally identifiable information (PII) a service collects and what the service does with that data. They will be able to make informed decisions on whether to use the service at all and whether to give consent to all of its purposes.

Obviously, the purposes that are more interesting to the customer are more likely to be accepted, while the ones that bring money to the service provider (such as selling data for targeted advertising) are less likely to be accepted. Clearly, many customers will just accept, but others will not.

So, what about scenario number two? While many people believe that this is straightforward and everyone will accept anyway, I doubt it. A significant portion of the consumers of the service will review the purposes and (rarely) leave or (more often) revoke consent for at least some of them. They also might accept at first and later come back and revoke some or all consent.

The third scenario is, from my point of view, the most challenging one. Data has already been collected, and now the service provider asks for consent for a new purpose. The obvious question from the customers will be “what’s in it for me?”. If that is crystal clear, fine.

If not, if only the service provider benefits (“I want to sell your data to someone else...”), it will be far less likely that consent is granted. In such scenarios, service providers will have to identify a benefit and demonstrate to their customers that this is a balanced deal. There will be a price to pay for consent. Monetising data will become more expensive – sometimes even uneconomic.

In essence, it will become far more important than before to demonstrate the value of a given consent to the customer. If the value for the customer is limited, it becomes necessary to persuade the customer in some other way that giving consent is good for them.

But the balance between customers and business will change. That must be understood, and businesses must find an answer to that challenge: by providing better service while collecting less data; by innovative ideas on how to persuade their customers (I was recently asked to participate in a lottery with really cool prizes in return for giving consent to marketing spam); or even by changing the business model, e.g. from services paid for with PII to services paid for with money.

Given that GDPR has a direct impact on the customer relationship and even the business model, all businesses that are affected by the EU GDPR must make this a C-level topic now. It is a challenge, but also an opportunity for better customer relations than ever before – if businesses do it right.