BETA
This is a BETA experience. You may opt-out by clicking here
Edit Story

The General Data Protection Regulation Could Be A Big Opportunity. Here's Why.

ADP

By Todd Wasserman

Ever since the European Union announced the General Data Protection Regulation (GDPR) — a sweeping new set of data privacy rules that will affect global firms that do business on European soil — much of the discussion has focused on its negative effects.

iStock

Chief among those effects is the maximum fine of 4 percent of revenues that regulators can levy against organizations that violate the GDPR. Thanks to that steep penalty, many businesses are framing the GDPR as a looming potential catastrophe. A study from information management company Veritas Technologies found that 86 percent of organizations worldwide believe the GDPR could have a negative impact on their operations, while about 20 percent said they thought noncompliance could put them out of business altogether.

While these fears are rational for some, for the majority of organizations the GDPR could be more of an opportunity than a threat. It could make it easier to do business in Europe by simplifying data transfers and enabling more transparent relationships with customers.

Streamlining Business In Europe

Each of the EU’s 28 countries has had its own privacy czar to enforce the law. Enforcement has varied from country to country, which has made doing business in the EU more complex.

The GDPR is a positive for companies doing business in Europe “because they’ll have a better view of what it means to protect information,” said Cécile Georges, global chief privacy officer for ADP. Policy, she said, will be harmonized.

Each country will have the latitude to make its own amendments to the GDPR, but Georges believes that 90 to 95 percent of the rules will accord across all 28 countries.

Organizations that have already been doing business in certain EU countries, meanwhile, won’t see much of a difference. Germany, for example, has long had stringent data privacy laws.

Processing data will no longer require an organization to file an application with each protection authority. Rather, in line with the GDPR’s “accountability principle,” an organization will be accountable for observing all privacy directives and demonstrating that it’s doing so. That will be challenging in itself, but bureaucratically it should prove a much easier lift.

Among other things, Georges said, it will reduce the administrative paperwork burden and eliminate the need to wait for responses from the data protection authorities.

Smoother Data Transfer

Another way the GDPR will make moving data into and out of the EU easier is by recognizing binding corporate rules (BCRs) as a viable framework for data transfer.

Previously, organizations that wanted to move data across borders had to implement so-called model clauses, agreements between service providers and customers ensuring that personal data leaving the EU met with the region’s data-protection standards.

Model clauses can work well for a smaller company. But a larger one, such as a conglomerate with numerous foreign offices, might need to put in place hundreds of them. That’s an expensive and labor-intensive proposition. What’s more, model clauses tend to go out of date quickly.

By contrast, BCRs, which the EU formally recognized in 2015, are collectively the TSA Precheck regime of international data transfer. They eliminate the need for your company to make one-off agreements with each of its partners and allow it to zip to the head of the line. Once the data protection authorities have recognized an organization’s BCRs, it can freely move data into and out of the EU.

“You can also send data to India or anywhere around the world if you have business there because all of your affiliates will be bound by those BCRs,” Georges said. “That’s a positive for multinational companies.”

Rebooting Customer Relationships

The GDPR is, above all, a consumer protection measure. European consumers will have more control of their personal information and how it is used on the internet.

For businesses, it will also be clear that consumers are voluntarily offering up their data. Before the GDPR, a consumer might have signed up to receive a certain company’s emails simply because she neglected to uncheck a box on an online form. That sort of relatively benign trickery won’t be possible post-GDPR, and the resultant transparency and trust could improve companies’ relationships with consumers. Every interaction between them will be consensual.

Making The Most Of The GDPR

Businesses can be expected to grouse about the GDPR, which has prompted many of them to allocate resources toward compliance and away from research, development, sales, marketing and other important areas.

But since the GDPR is inevitable, organizations would do well to find the positive elements in it and put them to work.

Georges said that most are now doing exactly that.

“Our clients want to do the right thing,” she said. “They just need to understand how it impacts their own business and what they need to do.”

For more information and for more articles like this, visit adp.com/spark.

Todd Wasserman was both the last editor-in-chief of Brandweek and the first business editor for Mashable. He writes mostly about technology.