Months after three Amazon execs say they were forced out for raising concerns surrounding data privacy policies within the global e-commerce behemoth, Amazon is facing a massive potential GDPR fine, to the tune of $425 million.
It’s been two years since the European Union (EU) introduced the General Data Protection Regulation (GDPR), and it’s been a boon for tech companies who are working to assist with compliance.
Businesses around the globe have invested resources worth billions of dollars into preparation for GDPR, and with the regulation now in enforcement, the results of these efforts are being put to the test.
Show me the money: GDPR has potential to draw massive fines
While the legislation is a powerful statement on the privacy rights of citizens, it’s the risk of monetary and legal noncompliance penalties that has earned the most attention. Any EU data subject can lodge a complaint against a business with their Data Protection Authority (DPA) under the GDPR, and the authority must handle every complaint.
Should the DPA find violations and the business fails to respond appropriately, there is a risk of fines worth millions – maybe even billions – of euros, class action lawsuits, and data processing freezes.
Clearly, avoiding penalties and achieving compliance are two important goals of any successful GDPR readiness program. But there’s another goal that’s even more significant: Earning consumer trust.
Earning trust: Is GDPR Sarbanes-Oxley for tech?
During the corporate accounting crises of 2002, an act called Sarbanes-Oxley (SOX) was passed as a reaction to fraudulent accounting practices at Enron and WorldCom. GDPR is a Sarbanes-Oxley moment for tech, but people aren’t thinking about it that way yet.
SOX was passed into United States law in 2002, requiring a complete rethinking of the financial services industry and threatening criminal liability for executives of businesses that didn’t comply.
I see striking similarities between that regulation and GDPR: Both protections seek to enhance transparency as a means to curb poor business practices and build trust.
SOX legislation sought to restore investor confidence and combat corporate fraud by making financial reporting more concrete and transparent.
GDPR seeks to restore consumer trust and combat dishonest data management practices by requiring businesses to be more transparent about the personal data they collect, and to give customers more visibility and control of their personal data.
Global economy means global responsibility
Initially, businesses outside the U.S. believed SOX didn’t apply to them, but soon realized they needed to comply if doing any business in the U.S. The same situation is unfolding with GDPR.
Many businesses are wrongly assuming that it only applies to European companies, not realizing that they’re also beholden to the regulation because they serve customers in the EU. Both of these “regional” regulations, then, have global impacts.
Each act created a need for holistic solutions that span the entire organization. For SOX, this was because mergers and acquisitions had made transparent financial reporting unreasonably difficult.
For GDPR, the need was spurred by years of customer data being stored in legacy systems and processed by disparate, insecure third-party point solutions across brands and markets.
Both regulations put the onus on businesses to unravel complex webs of siloed information or pay a heavy price for inaction.
SOX met strong pushback from some companies, while others implemented compliance initiatives and, in doing so, developed better information about company operations that helped them make better decisions. These proactive businesses standardized key financial processes, streamlined controls, and used the law as a template for compliance with other financial reporting statutes and regulations.
And, like the reaction to SOX, many companies are now using GDPR compliance initiatives as an opportunity to gain a competitive advantage.
Forward-thinking organizations are developing holistic, enterprise-wide solutions, placing their customers’ personal data at the center of their digital strategy rather than at its outskirts. They’re also viewing GDPR compliance as a template to drive responsible innovation in an evolving regulatory landscape.
A sea change
The takeaway here is that automation is vital. Companies that tried to deal with SOX manually were overwhelmed by the volume, and eventually adopted automated solutions or outsourced the work to third-party automated solution providers.
For GDPR, the need to employ automated solutions for managing customers’ profile, preference, and consent data is equally important. Addressing this task manually will inevitably lead to heightened risk and degraded customer experiences.
What does the future hold for GDPR, and what kind of debates can we expect about it going forward? Much like SOX in its day, analysts expect that the true effects of GDPR will be settled in the courts.
Fines will be challenged. Class action lawsuits will be won, settled, or lost. If the regulation proves to be too stringent, or the political climate shifts, we may see pushback similar to what we saw with Sarbanes-Oxley.
Despite this uncertainty, it’s important to recognize the underlying trigger point for GDPR: Consumers demand trusted digital interactions.
By implementing a strategy to address this, businesses can:
- Gain competitive advantage through the power of consumer trust
- Mitigate the risk for GDPR-related fines, lawsuits, and brand reputation damage
- Adapt to an evolving consumer data privacy landscape as more regional regulations emerge
GDPR represents a sea change for business. After two years in the making, we will see – in real-time – how regulators exercise their new powers, and how consumers react to their expanded rights.
While no one can see the future, the past offers insight into how businesses should react to GDPR: Directly address the trigger point of waning consumer trust to comply with the new regulation and take the business to the next level.