Doing Business in Times of Heightened Data Privacy Regulation
How the New Legislation on Personal Data Is Changing the Game for Business Leaders
- Data has become one of the most critical assets for businesses… and for consumers.
- From the European Union to the United States and to the People's Republic of China, policymakers worldwide have adopted strict legal frameworks to regulate the way organizations collect and process personal information.
- The new legislation is not only a concern for data scientists or IT managers. It is, in fact, affecting the full spectrum of business areas and activities across all industries.
We often hear that “Data is the new oil”. In recent years, businesses and organizations worldwide have grown aware of the value of the data they control, including consumer data, and they have found new ways to exploit and monetize it. This has sparked concerns about the misuse of personal data: consumers have become more careful about sharing their data, and policymakers have stepped in to implement specific regulation. The various pieces of data privacy legislation now enforced around the world are raising new challenges for businesses, but also new opportunities.
The impact of personal data protection laws on firms across all industries should not be underestimated. Hiring a Data Privacy Officer is hardly enough to meet the challenge. Business leaders actually need to review and possibly adjust a number of their strategies.
Adopted in 2016, the European Union’s General Data Protection Regulation (GDPR) was the first major data protection and privacy regulation. The primary aim of GDPR was to improve individuals' control and rights over their personal information, including over the transfer of personal data outside the European Economic Area.
Designed to be the toughest privacy law worldwide, Europe’s GDPR is based on seven key principles:
- Lawfulness, fairness, and transparency: Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation: You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization: You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy: You must keep personal data accurate and up to date.
- Storage limitation: You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability: The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
The impetus for data privacy and protection has even reached China, which recently approved a Personal Information Protection Law (PIPL) that includes stringent control of cross-border data transfers.
These new legal frameworks are not to be taken lightly, as evidenced by the fines of hundreds of millions imposed on companies such as Amazon and Facebook over their personal data processing and storage practices.
In a nutshell, virtually all business activities are feeling the impact of the likes of GDPR.
The influence on supply chains cannot be overstated, as businesses have to review and possibly adjust their data sharing practices with their third-party supplier, subcontractor, and distributor ecosystems.
Innovation and new product development managers need to factor in completely new requirements, or otherwise risk being shut out of some markets. Data privacy laws are actually the reason why Google had to forgo the launch of a selfie app in some American states.
Advertising and marketing activities are obviously impacted by the new necessity to document customer information storage and usage, and by the need to allow consumers to opt in to or out of data collection and processing. The same challenges apply to any business that sells products, services or content online, at a time when e-commerce and marketing activities are also preparing for the impending elimination of third-party cookies from Web browsers.
Employees need to be educated and trained to embrace new best practices.
And companies that are working in specific lines of business (for example healthcare services providers) are required to comply with industry-specific provisions that enforce even more stringent requirements.
Another significant impact of data privacy regulations for businesses across industries and geographies is increased aversion to technology risk, as data breaches or leaks now come with heftier legal and reputational consequences — on top of the financial and operational harm. Accordingly, technology vendors and consulting firms are increasingly scrutinized for their ability to obtain information security management certifications.
However, data protection regulation doesn’t only raise challenges or issues. It can also be viewed as a new opportunity to re-establish data management and governance practices on sounder foundations, to improve the assessment and mitigation of data risk, and to optimize IT and data architecture, thereby creating operational efficiencies and reducing costs.
Finally, compliance with the new legal frameworks has the potential to increase consumer trust.