After a year of threats, chest-thumping, webinars and product launches — it is now even outperforming Beyoncé in Google searches — GDPR is at risk of landing with a dull thud.
It takes effect on Friday. That gives the regulators a weekend to relax before they will actually have to do anything.
“We don’t expect to see a whole big change directly, but companies that are respecting GDPR and explaining why will be in a better situation,” says Jonathan Cherki, CEO of ContentSquare, a firm that provides a digital experience platform but does not collect personally identifiable information. It was started in France in 2016, has since entered the U.S. market and says it is ready for GDPR.
What is all the hollering about?
“GDPR is a massive data governance law, a record-keeping law -- a law for the digital age, a law to create accountability and control as part of the European single market package,” says Sheila Colclasure, global chief data ethics officer and public policy executive for Acxiom, an information provider founded in 1969.
Acxiom began to prepare for GDPR in 2016, and has roughly 20 people working on it all the time, plus a number of others who are involved in different ways. It started with an in-depth analysis of its processes, clients and partners. That done, it began raising awareness — it was so early that some partners had not yet heard of GDPR.
That was a smart move. A new study by CompliancePoint shows that 26% of the U.S. respondents are still not aware of GDPR, and 44% are somewhat familiar with it. Only 24% feel fully prepared, and 31% feel somewhat so. Another 36% are just not ready.
What is holding them up? Of those polled, 45.6% are simply waiting to see what kind of enforcement action ensues. Another 39.7% cite lack of understanding, and 36.8% cite insufficient budget. Another 33.8% specify low brand visibility, and 27.9% say they are unconcerned.
Acxiom and its LiveRamp subsidiary expect to use GDPR "as a catalyst to improve our program and get even better at data governance and record-keeping," Colclasure says.
She adds: “We already have a GDPR-like program everywhere in the world.”
What should govern data decisions? Acxiom seeks to see if information use is legal, just and fair. That means complying with the letter of the law, but also digging in to make sure that no harm will result, for one thing.
How terms like “fair” are defined may differ by country. In China, fairness is “judged not to me the individual but the society,” Colclasure says. “If it is going to benefit society, then the individual will cede their control or their interest in the data solution.”
In the U.S., on the other hand, “we have very demanding digital consumers,” Colclasure continues. “When I took my voice-controlled home agent home, I expected her to find out all my smart devices, and she did not. And I was mad.”
Colclasure admits that “there may be some contractions,” as consumers opt out (or decline to opt in), but says that they will remain when they see the “values and benefits that they accrue because of data flows.”
Cherki argues that GDPR compliance could be “a strength and an asset for companies.” Conversely, there is a risk to the brand if they are not compliant.
Should companies observe GDPR even outside Europe? Cherki urges firms to change their processes all at once, even if the law does not require them to be GDPR-compliant in the U.S. He concedes, though, that “it’s easier for large companies to adapt than smaller companies.”
How should companies proceed?
“The best way for companies to minimize risk is to create a subsidiary that handles all European operations,” says Alexander Stern, an attorney and CEO of Attorney IO, LLC. “Have the subsidiary enter into a license with the parent company for the exclusive rights to the European market.”
In addition, “segregate the personal data and hosting into this subsidiary,” Stern continues. "That way, you deflate any penalties based on 'worldwide' revenue." In practice, the subsidiary will only earn revenue in Europe because it will not operate anywhere else.
It’s still not too late to get ready. "GDPR is a big event and it’s going to set the tone for data protection regulation for at least the next 10 years around the world," Colclasure says.
Happy GDPR day.