There were already a number of data protection regulations around the world when the General Data Protection Regulation (GDPR) took effect in May 2018 and dramatically changed the privacy landscape. The sense of urgency escalated sharply, and the consequences for getting it wrong had some real teeth. Many focused on the penalties; fines and sanctions were a threat, and the potential for lawsuits was an even greater threat. But the longer-term impact on brand and market credibility, while less clear, was perhaps even more powerful.
Other countries and jurisdictions followed the European Union (EU) with their own privacy requirements and initiatives, including the Australian Privacy Principles (APP); the California Consumer Privacy Act of 2018 (CCPA) in the United States; the General Data Protection Law (LGPD) in Brazil; the Protection of Personal Information (POPI) Act in South Africa; the Personal Data Protection Bill (PDPB) in India; and dozens more worldwide. Each takes a slightly different approach to privacy, with its own requirements and its own penalties. The Personal Data Protection Law (KVKK) in Turkey has perhaps the harshest set of penalties for violating citizen trust: IT practitioners found to be at fault there can go to jail. It was because of this mushroom effect and the weight of the associated penalties that many IT executives originally focused on the negative.
In the months leading up to GDPR, I spent much of my time on the road in Europe (and beyond) visiting with chief information security officers and chief information officers, and I found that the downside of privacy regulation was often front and center. "Why do we have to comply with yet another set of requirements with roughly the same limited budget?" was the general sentiment early on. To be sure, what makes protecting customer privacy so complicated is that it is both a broad and a deep problem. The information in scope often resides in many distinct data silos, in different systems and formats, and is often written in different languages. Further, data controllers or processors may be managing billions of data objects, and they must identify and take action on the right information in a number of ways — e.g., protect against breaches (and notify authorities if a breach occurs), encrypt, redact, quarantine and govern information throughout its life cycle.
As conversations shifted from "Where is the data?" and "How do I interpret the regulations?" to defining and working on real-life solutions, I was pleasantly surprised to see IT executive sentiment shift as well. It was at this point that I started to hear the word catalyst used often — as in, "GDPR is actually a catalyst for doing some of the things we should have been doing in the first place." In other words, while the regulations were holding IT executives' feet to the fire on protecting information, they were also forcing those executives to break down data silos and provide the framework necessary to derive insight from the information at hand with advanced analytics — as appropriate under the regulations, of course.
Armed with this new information and insights that could be surfaced to the C-suite, innovative organizations can now learn more about their customers and emerging business models, plan a course of action to capture added value as variables change and market inefficiencies appear, and identify underfunded parts of the business and/or marketing programs. Moreover, they can streamline processes and better manage costs by learning more about what caused inefficiencies in the enterprise. By taking advantage of the technology and processes mandated by regulators, organizations can exploit hidden opportunities and insights that reside in their data to grow the business.