Why companies shouldn’t dread the advent of GDPR
The main aim of the General Data Protection Regulation (GDPR) is to make sure that the data of EU citizens is protected, no matter where it’s held.
The regulation, which will apply to companies both in and outside the European Union, goes in effect on May 25, 2018. It requires companies that handle data of EU citizens to protect this data or suffer consequences – most notably, fines that can go up to 4% of a company’s global annual revenue.
But even though the compliance deadline is quickly approaching, companies have been dragging their feet to meet it.
“When it comes to regulation there’s an almost reflexive tendency of large enterprises to either wait for things to ‘shake out’ and/or to try to negotiate some of the regulation after introduction. Also, when the regulation is perceived to be particularly difficult, there’s almost a disbelief that it will actually remain in effect,” notes Ken Krupa, CTO of MarkLogic, a US-based vendor whose NoSQL database is used by Deutsche Bank, DHL, Raytheon, Dow Jones, and many other business and U.S. government entities.
GDPR is an opportunity to innovate
GDPR certainly fits the category of seemingly “difficult” regulation, but it also falls into the category of having an innovative alter-ego that should be exploited by forward-thinking enterprises.
“The level of operational data agility – particularly around data security, data privacy and data governance – that is required to handle GDPR is one that, if achieved, may be exploited to great competitive advantage,” he says.
“The ability to act on stated or implied customer preference in real time – be it privacy related or not – is the foundational holy grail for nearly every customer 360 initiative one may think of. So forward-thinking executives should ask themselves, why not exploit the mandate of GDPR to do something truly innovative with your customer data?”
GDPR could also end up influencing data protection laws in other countries.
“Large organizations are multi-national and hence multi-jurisdictional by extension. Today’s enterprise data strategies have to account for a multi-jurisdictional view of the world already so data protection requirements in the US will be affected by GDPR by extension,” Krupa notes.
“Whether or not GDPR directly affects US legislation might be up for debate, however I believe the answer won’t be the deciding factor in the end. Now that there’s a major (western) regional regulation coming into place, the US will be impacted at least indirectly by forcing the process onto multi-nationals. Privacy leaks and the litigation that will invariably follow will take care of any other laggards.”
A challenge for Chief Data Officers
From the individual’s perspective, GDPR is great.
“As an individual with personal data to protect, I like the idea of having a legal framework on my side should I need it (though as an American, gaining any personal benefit from GDPR may be indirect, if any),” Krupa notes.
“At the same time, if I put myself in the shoes of a Chief Data Officer, I have to be worried about the impact of effectively giving individual regulatory rights to millions of people.”
Part of the reason is that enterprises are trained to handle privacy and regulation in very methodical ways that aren’t very agile.
“What it means is that things won’t be easy for entrenched thinkers, however those that approach data security and data governance as intrinsically data-centric activities as opposed to a process overlays, will reap benefits beyond meeting regulatory requirements. It’s why at MarkLogic, we spend a lot of time on operationalizing security and governance inside the database where it’s most effective,” he concluded.