GDPR – An Executive-Level Decision
GDPR is Already in Full Effect
As of May 25, 2018, the GDPR is in effect, making any company that processes and/or controls personal data belonging to EU residents liable for protecting those people's right to privacy.
Although the GDPR refers only to the personal data of EU residents, it sets a standard for individual private data protection by companies all over the world regardless of company origin or individual residency.
Already, we can see internet and data-collecting companies dividing into two groups:
The first group is companies that will do anything in their power to avoid complying with the GDPR. Measures include blocking website traffic originating from the EU, moving personal data off servers located in the EU, and more.
The second group is companies that adopt the GDPR, showing great care for individuals' privacy rights.
An Executive-Level Decision
This decision doesn't belong to your CIO or CISO alone. It will influence the company's business, brand and major processes, and it affects not only company strategy but also the way employees, customers, vendors and the company itself treat the privacy rights of individuals.
Surveys show that about 33% of companies are GDPR-compliant; the rest are either on the way to compliance or still debating whether to get on board or try to avoid the GDPR altogether.
A decision to avoid GDPR compliance, at the cost of completely shunning the company's EU client base, can mean saving resources and avoiding significant change within the company. For small startups GDPR compliance might not seem like a huge deal, but for SMEs it is no easy feat. There is a lot of documentation involved, along with employee training, changes to internal processes, reporting liabilities, personnel and more. Although it looks like an IT or cyber security issue, GDPR compliance is a venture involving all facets of the company.
Attractive as this option may seem, the GDPR may not be easy to avoid, if it can be avoided at all. One issue is that moving data outside of the EU requires adherence to EU data transfer regulations. Another is that the GDPR also applies to past practices, which means that personal information must be protected as described in the GDPR regardless of when it was collected.
Other drastic steps, such as those taken by Facebook, include splitting data stores between EU and non-EU residents. This means that EU residents will enjoy a seemingly higher level of personal protection while other users' data will still be a commodity, with disregard for personal rights.
On the other hand, while a costly process, GDPR compliance, whether mandatory or voluntary, sends a clear message that your company has its clients’ privacy high on its priority list. This message is sent to individual customers, employees, clients, vendors, authorities and the business environment.
This message and general approach add significantly to the company's perceived brand and trustworthiness.
After all, the message is that you’re treating all customers with the highest level of privacy regardless of origin.
Make it Count
Boards and management teams across the globe have already decided to comply with the GDPR, even when and where they weren't compelled to do so.
Even Microsoft has announced it will extend GDPR compliance and privacy measures to all its customers across the globe. This move strengthens Microsoft's brand, in contrast to Facebook's move to discriminate between customers by origin: it displays Microsoft as adopting high standards for all its customers, while Facebook is now depicted as a shady merchant of people's private data.
When making the choice, be informed about your options and consider the opportunities and risks emanating from the decision. Make this decision a strategic one.