If you run a technology company that operates in the European market, then by now you’ve certainly heard of the General Data Protection Regulation (‘GDPR’). A bogey man, set to explode on the horizon causing all manner of operational distraction and expense in May of 2018. The latest in a series of regulatory encroachments designed by folks that do not understand how technology works. Crusty folks that seek to raise the cost of doing business and to push the market back 20 years.
We are besieged.
We’ve always ‘taken privacy seriously.’ We have privacy statements. We might even have privacy staff. Our practices are in line with our peers. In any event, our legal expenses, which are always soaring, suggest that we’re investing seriously in meeting our legal obligations around the world.
What else can they ask of us?
Let’s take a step back.
Technology companies are moving incredibly fast. We are focused principally on building differentiated product and distributing this product across the market. We want to scale. We want to take and defend market share, wherever we operate.
We want to do the right thing as well. And being respectful of privacy is part of that mix.
But how big a part of the mix is it really?
How much are we investing in operational processes to ensure that privacy is a stakeholder in product, client, and partnership decisions?
When privacy is a stakeholder, are we relying on a gut sense from untrained staff, without a real owner?
Would we entrust any other strategic decision of consequence to the free-flowing, ad hoc, undocumented procedures that often characterize privacy process at technology firms?
At its core, GDPR challenges technology companies to live up to the lip service they have been giving privacy for years by mandating demonstrable accountability. This is a cultural revolution for many.
The European Commission wants companies to drop stale notions of privacy as a legal compliance checkbox. Business requirements and innovation opportunities will require firms to think seriously about privacy management. It’s no surprise that GDPR is starting to crop up in vendor RFPs and contracts. As grizzled auditors preach — “trust but verify”. This is GDPR in a nutshell.
With less than a year to go, we need to prioritize. GDPR tells us to pay attention to (1) transparency and consent, (2) new and enhanced individual rights, (3) new documentation and risk assessment processes, and (4) new governance and breach notification standards.
Virtually all data has the potential to impact privacy in the contemporary market. With this reality in mind GDPR can be seen as a catalyst for introspection.
A few questions we should be asking ourselves:
- Are we taking the time to think through our legal basis for acquiring and leveraging data? Or are we taking data use for granted, hiding behind our peers and asserting that ‘everyone is doing it’?
- What data are we collecting? Do we know? Does everyone in our company that should know have the same understanding?
- How are we managing exceptions to our ‘typical’ models for collection and use?
- How is our data flowing around the world? Are we managing our legal obligations to track and ensure compliance as data flows across the globe?
- Are we treating disclosures as legal CYAs, or are we channeling the consumer, providing understandable and detailed information about our data practices?
- How are we managing assessments of the privacy implications of potential data use? Do we have a structured process, with documentation? Do we take the time to build in data protection and privacy impact minimization on a systematic basis?
Most technology companies, upon reflection, have significant operational gaps when assessed against these criteria. When GDPR is distilled into pragmatic language, we can understand its point of view as necessary medicine. We can gripe about the level of fining authority and the specifics of how we’ll be assessed against these criteria. But the fundamental priorities of GDPR are difficult to argue with.
Privacy is a critical consideration for all data-driven businesses.
As such, privacy warrants legitimate investments in process and accountability.
We haven’t always lived up to these standards.
We now have to.
So grab some sugar, if it helps to wash it down. Accept your obligations and build these necessary processes into your organization in good faith. If you approach GDPR compliance as an opportunity to make sure you are doing what you’ve always claimed to do, you can maximize the value of these compliance steps, rather than viewing each step as cost and distraction.
The best companies are leaning into GDPR, understanding that they are ultimately aligned with the EU Commission’s view of responsible data stewardship.
Don’t get trapped in the echo chamber of kvetching tech execs. You’re going to need to come into compliance. You may as well use the road to compliance as an opportunity to improve your company. Your clients and customers will thank you.
The Lucid Privacy Group actively manages privacy and data protection strategy and operations for startups and marketing technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, commercial terms. Drop us a line at firstname.lastname@example.org or visit us on the web or Twitter.