Jim Headley

Jim Headley

Jul 31, 2019


Stop me if you've heard this one:

Do you know a good GDPR consultant?

Can you give me their email address?

As of May 25th, 2018, many businesses are not laughing because Europe is dealing with a new data privacy reality affectionately known as the General Data Protection Regulation (GDPR). It looks like Europe has officially put the GD in data protection. If you are like many American companies, you have a few questions. One, what is it? Two, why am I just now hearing about this? Three, why should I care?

What is it?

The GDPR sets forth requirements relating to the processing, storage, and handling of personally identifiable information (PII). I know, this is already sounding “exciting” but stick with me on this. It also empowers the consumers to take a much more active role in managing this information. This includes the ability to review the data held by an organization, insight into how your data is being used and by whom, the right to anonymity, the ability to retrieve a copy of the data, and the right to be forgotten.

This is a big deal as it will likely require a fundamental change to how a company processes information.

But wait, there’s more. There will also be much more stringent consent requirements surrounding data usage. Companies can no longer opt consumers into receiving any and all marketing material it deems fit. No! The default will now need to be the most restrictive privacy policy. This is a big deal as it will likely require a fundamental change to how a company processes information because very, very few give any consideration to data usage tracking and portability when designing systems.

Photo by Roman Synkevych on Unsplash

I know what you’re thinking. The cost to alter the most fundamental aspect of my business processes will be prohibitively expensive. What if I take my chances and take the slap on the wrist when I get caught? The EU has anticipated this and has gone old testament by allowing for the the removal of the hand. Failure to comply can result in fines up to 4% of annual global revenue or $24.6 million, whichever is larger.

Why am I just now hearing about this?

This seems to have caught many American companies flat footed and will sideline many. While Facebook was focused on pimping out their users’ data to companies like Cambridge Analytica, Europe was busy securing their citizens data from such ne’er-do-wells. These new privacy regulations are not coming from “left field” as they were ratified in April 2016. Prior to this regulation, each member state had its’ own set of guidelines governing the use, collection, and access to personal information. Some members being more effective than others. These new guidelines create a level playing field for companies setting up shop in EU member states and consistent protection and enforcement for its citizens.

Why should I (Mer-i-cans) care?

As many in the US have remained blissfully unaware, they are just now learning that these regulations apply to any company based in the EU as well as any company outside of the EU that stores or processes the data of European citizens, a.k.a. customers & subscribers. As I write this, GDPR Day May 25th, 2018, the internet is lighting up with tales of Non EU media outlets blocking access to EU citizens until they are able to comply, plummeting European add demand, flooding of email inboxes with disclosures, and smart devices, including thermostats, being disabled until customers accept their shiny new terms of use. Finally, the Y2K promise of mayhem has been realized!

The GDPR not only impacts potential marketing revenue streams but also the analytic capabilities of companies doing business with EU citizens. One bright spot in this is that the GDPR makes provisions for the retention of anonymized and aggregated data.

The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

This means that a company need not dispose of cherished, hard earned consumer insights once a request has been made to redact PII. We at MacLaurin Group have 20+ developing data solutions and understand the contextual intricacies that demand consideration to ensure that an aggregated solution will not only serve you today but into the future, after the underlying detail has been deleted and is no longer accessible.

It will be a while before the dust settles and the true cost of GDPR can be assessed. What will be far more difficult to quantify is the impact this will have on non EU citizens as the barely existent protections that they enjoy make them the focus of attention of companies who have enjoyed exploiting their information with little or no concern for the consequences.

Photo by Tim Gouw on Unsplash

If I were a CEO I would be asking my CTO/CIO/COO what is our exposure as it relates to these new regulations including the amount of European PII currently in your possession? Is this information necessary? Have we taken steps to re-mediate our exposure?

The only thing that can be said for certain is that the GDPR is a big damn deal.