GDPR: The New Y2K?

At the stroke of midnight on January 1, 2000, amid the fireworks and celebrations, IT managers nervously watched how their computer systems were reacting. As the calendar ticked over, none of the anticipated disasters – from electricity grid failures to aeroplanes falling from the sky to nuclear missile launches – came to pass. The hard work of the IT teams had thwarted the Millennium Bug.

Fast forward to 2018 and the media has built up a similar level of noise around Europe’s GDPR, which gives consumers ownership over any data they generate or share with businesses. However, while the Millennium Bug was a real problem that had to be solved, GDPR looks to solve a data privacy problem most consumers don’t really care about. Surveys may show the public has a significant interest in data privacy, but day-to-day customer behaviour doesn’t reflect this.

There have been many data breaches since the dawn of the internet, from businesses in almost every sector. The initial breach and management’s response often drive acerbic headlines, but when the dust settles, share prices return to normal and the impact on revenue is minimal. Looking back at the historic valuations of companies with high-profile data breaches, it is almost impossible to spot the impact of the leak among the noise of the stock market. In the long run, consumers remain with the companies they are used to; inertia seems to trump the potential risks for many customers. It almost seems that consumers see the occasional data breach as the price of doing business online.

To encourage companies to improve their data protection, the Information Commissioner’s Office (ICO) has introduced financial punishments for a lack of GDPR compliance, with fines of up to £17 million or 4 percent of global revenues. However, if customers really cared about their data, these fines wouldn’t be needed. They would penalise businesses by taking their money, loyalty, and data elsewhere. These customers would choose companies with the best data protection policies and those that were most transparent about what they do with all the data collected. Companies that use data for excessive financial gain, or unethically, would be quickly punished.

In addition to the apparent absence of consumer demand for better data security, the reality is that the ICO is unlikely to deliver a stack of fines. Elizabeth Denham, the UK's information commissioner, has been quoted as saying that her team would “rather use the carrot than the stick” to engage businesses in compliance.

Despite this, businesses are working hard to build new capabilities, assemble new teams, and define new roles and responsibilities at board level. The legislation, as the name suggests, provides guidelines for managing data and privacy. However, businesses are also expending a lot of effort in meeting the three other new rights enshrined in GDPR: the right for customers to view their data, delete it, and port it to competitors.

While businesses are building the capabilities to handle a large number of data requests inspired by the new rights, there is little sign that customers will take advantage of them. Most consumers are likely to continue as they do today: offer up their data in exchange for improved services and convenience.

In addition, there is a potential get-out clause: using data for legitimate interests. To qualify, a business must show that it has a legitimate business purpose for using the data, that any processing is necessary for this purpose, and that this interest is balanced against the individual’s interests, rights, or freedoms. This may be the case for many big businesses in Europe, such as retailers, whose customer data is essential for everyday activities like stock ordering and home deliveries.

Overall, while the aims of the legislation are laudable, it’s not clear that the efforts businesses are deploying to build the new capabilities will be necessary to meet consumer demand. For the new opportunities and threats of GDPR to become reality, consumers will need to do something different: vote with their feet when companies fail to keep their data safe.