The discussion on data privacy is not new, despite the recent attention it has received due to the General Data Protection Regulation (GDPR) becoming effective as of May 25, 2018. Technology has always driven discussions around privacy – from the invention of written language, continuing through to the invention of the telephone, radio, television, and other modern forms of communication. Each previous generation has faced the unique challenge of balancing the conveniences of technology with their right to maintain privacy.
We now face a unique dilemma. The argument can be made that our society has never been better connected. According to Gartner, 2017 was the first year in history in which the number of Internet-connected devices outnumbered the number of human beings on the planet. By 2020, it is predicted that there will be over 20 billion devices connected to the Internet. That is a staggering amount of technology that is constantly using and sharing data, most of which is created and curated by individuals.[i]
However, with this connection comes risk. Data and Personally Identifiable Information (PII) have become hot commodities for cyber criminals. Indeed, cyber crime damage costs are expected to reach $6 trillion annually by 2021. On top of this, organizations will have to deal with rising security and training costs to help keep the PII they collect safe. Additionally, attacks on individuals are expected to climb to over 6 billion per year by 2022. What this means is that your PII and the data you share online are now the most targeted items during a cyber security incident.[ii]
This is where GDPR steps in. Building on the European Union’s Data Protection Directive of 1995, GDPR seeks to change the fundamental conversation businesses and individuals have around their data and the proper use of it. GDPR takes the viewpoint that data privacy is a fundamental human right, and businesses that collect, process, and store data must take certain steps to make sure that their end users’ PII is protected and used appropriately. By moving from an “opt out” to an “opt in” society, users now have better control over who is accessing, using, and sharing their data.
Businesses that are subject to GDPR, namely organizations that collect or process European citizens’ data, must now meet certain mandates or be vulnerable to significant fines and reputational harm. Under GDPR, an organization can be fined up to 20 million Euros or 4% of its global revenue, whichever is larger, should it be found to be in violation of any number of the articles of GDPR.[iii] For instance, a large US-based retailer would stand to lose 19 billion dollars under the current GDPR regulation, not to mention the potential loss of millions of customers. Whereas in the past organizations have paid hefty penalties in the form of reputational harm and data remediation costs, this is perhaps the first time that a global initiative has levied such strict fines. This will change the conversation in almost every major industry vertical about how and why they are collecting PII. Companies like Google, Facebook, and other platforms that derive revenue from collecting, processing, and potentially monetizing our PII will have to address the ways in which they can do that while remaining compliant.
Critics of GDPR have said that the loss of data collection and the obstruction of its use will likely lead to a rise in the cost of services that have traditionally been known as “free.” The counter-argument is that without agreed-upon data privacy strategies, organizations will spend more on remediation for each data breach, as well as losing more in reputational value. Facebook lost an estimated $80–100 billion of market valuation in the wake of the Cambridge Analytica scandal. While GDPR does impose fines, the additional revenue lost when users abandon a brand could be much more significant. With that in mind, GDPR can actually help organizations avoid these mistakes by giving them an understandable path to protecting their users’ PII.[iv]
We are living in an era where data is king. Businesses are doing everything they can to collect and understand every corner of data, while we, as end users, have become accustomed to this, briefly skimming or fully ignoring (i.e., mindlessly approving) the terms and conditions of every service we use, enjoying the absolute convenience that comes from our favorite businesses knowing more about us than we know about ourselves. However, with real power comes real responsibility. Organizations are now understanding how valuable our data is, both for the revenue it creates and for the risk it poses to their business sustainability. GDPR is guiding the entire world in the best practices for keeping our information safe and secure, and giving organizations a framework for avoiding damaging data breaches while keeping their consumer base secure and loyal.
Critics may point to rising costs as organizations adjust their best practices, and while data is a commodity, it is also a much larger risk. By managing this risk and engaging with GDPR legislation, organizations of all shapes and sizes can avoid costly missteps, increase customer satisfaction, and steer clear of the negative impact of being involved in an incident where PII is compromised. By changing the conversation about the fundamental right we have to privacy, the GDPR – and other legislation that will hopefully follow – has paved the way for the next evolution in best business practices and security. Gone are the days when being connected was a privilege. We must view the connected society as a right, and with that, the protection of our data and information is paramount.