Close ☰
Menu ☰

GDPR: The hard way and the easy way

Posted on: Monday 21st of December 2015

After years of often agonised debate a final compromise around new European general data protections has been reached. Companies have two years to prepare themselves. So what should they do?

Broadly speaking we can see three different responses.


1. The compliance approach

The first is compliance-focused. Here, the company’s underlying mindset is that ‘we always stay within the law, so tell us what we have to do and we’ll do it’.

There are two problems with this approach. First, many elements of the new regulations are wide open to interpretation. This is partly because of the regulation’s attempted shift from a prescriptive approach to a proportionate, risk assessment-based approach – which requires judgements that can be challenged. It’s also partly because of what the words say. What does it actually mean, for example, when it says “The data subject shall have the right to object [to data processing] on grounds relating to his or her particular situation …” (Article 19.1).

And what, exactly, does ‘freely given’ consent look like, especially in the light of Article 7.4 which says that “utmost account shall be take of the fact that whether, among others, the performance of a contract … is made conditional on the consent to the processing of data that is not necessary for the performance of this contract”? What, exactly, does ‘consent’ look like in these two different scenarios?

One more example: where is the border line between ‘direct marketing’ which the new regulation classes as a legitimate processing activity not requiring consumer consent (Article 38) and ‘electronic communications’ which does?

The new regulations are full of such question marks and uncertainties that are likely to suck compliance-focused companies into a morass of confusion and complexity as well as providing their lawyers with a windfall.

The second problem with compliance driven approaches is they don’t necessarily build customer trust. There are, for example, a few critical points in the regulation where it incentivises activities that could simplify compliance … at the expense of customer trust. For example, the requirement to inform individuals (‘data subjects’) of new uses to which their data will be put (‘purposes’) encourages companies to create precisely the blanket cover-all terms and conditions that already cause so much resentment. Ditto with the right to object to profiling (Article 19) and algorithm-based decision-making (Article 20.1).

In short, a compliance driven response is likely to result in lots of pain and cost with very little positive gain – you’ll be compliant with the law, but so will everyone else and your customers may not appreciate it.


2. The gaming approach

The second response is to ask the question “how to bend the rules and game them to our advantage?” This is an appealing reaction especially for those who have fallen for unproven for big data hype and the belief/hope that gathering ever more data is the absolute precondition for improved profitability and competitiveness.

The short answer on this is that the new regulations provide plenty of scope for gaming, especially around the running sore of ‘consent’ which, after all the argy-bargy, remains as potentially counter-productive as ever. But for those tempted to adopt this response, the risks are increasingly high. Trying to game the new regulations obviously contradicts their spirit (and is highly unlikely to succeed with increasingly assertive regulators), will do nothing to build customer trust, and maximises the risk of fines, potentially worth 4% of global turnover.


3. The strategic approach

The third response is to accept the spirit of the legislation and to seize it as an opportunity to put data relationships with customers on a new, positive trust-based footing: to position the organisation strategically for the 21st century digital economy.

The underlying intention of the new regulations is crystal clear. It is stated without caveat in Clause 6 of the Introduction: “Individuals should have control of their own personal data”.

The way to turn this to competitive advantage is to turn consumer control into the means by which new value and revenue-generating personal information management services (PIMS) operate. This approach realises that in a digital, data-driven economy, data-sharing between customers and companies is going to become a norm, and that without trust (delivered and underpinned via consumer control) companies won’t gain access to the fruits of this data sharing.

Probably the biggest and most important tipping point here is the new right to data portability (Article 18.2). This is the individual’s “right to receive the personal data concerning him or her … in a structured and commonly used and machine-readable format and … the right to transmit those data to another controller without hindrance from the controller”.

In a world of PIMS this means customers not only have choice about what goods or services they buy from who, they also have choice over who has ongoing access to their data. This is a game changer, supplemented by a phalanx of new rights and mechanisms including:

  • making the right to withdraw consent “as easy as to give it” (Article 7.3)
  • the “right to be forgotten” (Article 17)
  • the right to know about the existence of profiling (Article 15.1h), and the right to object to it (Article 19.1)
  • the right to opt out of direct marketing (Clause 57 of the Introduction)
  • tightened provisions about transparency (Article 12)
  • tightened definitions of what personal data is (Article 4.1)
  • tightened definition of consent itself: freely given, specific, informed and unambiguous” (Article 4.8)
  • encouragement of pseudonymised processing of data (Clause 23 of the Introduction)
  • encouragement of the use of machine readable icons to communicate policies (Article 12.4)

To anybody adopting a ‘compliance’ or ‘gaming’ response to the GDPR these new rights and provisions are a potential implementation nightmare – especially in the light of the EU’s new insistence that companies should be able to ‘demonstrate’ compliance at every level (Clause 60, Introduction).

But to those committing to a Growth Through Trust agenda – based on the assumption of personal control of personal data – they are

  1. essential stepping stones on the journey to trusted data sharing
  2. a necessary means to win the looming data portability war, and
  3. more likely to increase rather than restrict the things customers let them do with data (because of the trust it builds).


In a nutshell

To be sure, there are many questions still to be answered around the administrative implications of privacy impact assessments, rules relating to the role of ‘data protection officer’, how new supervisory bodies will work, rules around notification of breaches, and transfers of data outside the EU.

But when push comes to shove, there is a hard way to respond to the new regulations (to not accept the way the wind is blowing) and there is an easy way: to turn this into an opportunity to gain competitive advantage via a ‘Growth Through Trust strategy’.

We recommend the easy way.