[REPORT PREVIEW] GDPR Beyond May 25, 2018

1. RESEARCH REPORT GDPR Beyond May 25, 2018 Implications for Strategists and Marketers FEBRUARY 6, 2018 BY SUSAN ETLINGER PREVIEW VERSION

2. 1 Table of Contents 2 Executive Summary 3 Introduction 5 What is the GDPR? 8 Opportunities for Global Business 12 Recommendations 14 Endnotes 15 Methodology 15 About Us 16 How to Work With Us

3. 2 Executive Summary On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect. It will harmonize existing data protection laws in the European Union (EU), but, as importantly, it will fundamentally strengthen the rights of people in the EU to control their personal data. There is no question that the potential impact of GDPR is massive, and much is still unknown. What is clear is that it will trigger profound changes within organizations of all kinds that collect data from people in the EU, requiring alterations in process, technology, delivery, and design of products and services, communication, and organizational structure, among many other things. But while GDPR represents a significant disruption to business operations in the short term, it also represents a strategic opportunity in the longer term. This report is not a “how to” for GDPR compliance. Rather, it lays out the strategic opportunities that come from more transparent and trustworthy interactions between individuals and organizations: product, service, and business model innovation; customer experience and loyalty; operations; brand reputation; and competitive positioning.

4. 3 Introduction One fact increasingly affects us: We live in a data-rich world. As IBM famously stated: “Ninety percent of the data in the world was created in the past two years alone,” and that time span is narrowing.1 While technology access remains uneven, the availability of increasingly personal data — gathered by sensors, social media posts, images, mobile phones, websites, closed circuit TV, videos, and transaction records, among others — challenges established notions of privacy rights. The discussion of the individual’s right to privacy has been particularly intense in the EU, where data protection has been a high priority for years. The focus has been to find a way to restore control of personal data to the individual, improve transparency, and fundamentally change the way organizations approach data collection and use. On April 14, 2016, the EU Parliament approved the GDPR as a single, legal standard across the EU “to make Europe fit for the digital age.” More than 90% of Europeans say they want the same data protection rights across the EU – and regardless of where their data is processed.2 The new law goes into effect on May 25, 2018. GDPR will trigger fundamental changes to all organizations, no matter their location, that collect data from people in the EU. For this reason, it is a mistake to view it simply as an “EU issue,” an obscure regulation or a compliance exercise handled by a team with a checklist. The breadth and depth of changes demanded by GDPR is vast and could well influence how global companies treat personal data for many years to come.

5. 4 There is no question that GDPR calls for changes in data collection and processing that significantly disrupt organizations. Some question whether the breach notification deadline of 72 hours is even possible given the complexity of corporate database structures and information technology environments. Data access regulations are also challenging, as extracting and exporting all personal data from apps and systems in an accessible format is no easy task. But as challenging as GDPR may be for the groups working on complying with the regulation, it also represents an opportunity: to develop new data-centric and compliant products, services, and business models and reset trust with customers, clients, consumers, and the general public. FIGURE 1: MOST CONCERNING ISSUES ABOUT ONLINE USAGE ACCORDING TO INTERNET USERS IN THE UNITED STATES AS OF MAY 2017 (SOURCE: STATISTA) Cyber crime such as having your money or personal information stolen online Cyber attacks via internet to disrupt life in th U.S. ( e.g. online theft & of classified info, disrupting services) Fake news stories and propaganda on social media Companies collecting and sharing your personal data online with other organizations Online survelliance of U.S. citizens by U.S. government Children accessing online content of an inappropriate nature Hurtful or personal things about you being posted online None of the above Don’t know 59% 49% 31% 30% 26% 23% 7% 4% 11% 0% 10% 20% 30% 40% 50% 60% 70% Share of respondents But there are reasons beyond compliance that organizations should consider in the wake of GDPR. In the United States (US), at least three of Internet users’ top 10 concerns relate to the way companies and governments use their personal data (Figure 1). While cyber crime and cyber attacks appear to be the most salient worries, 30% of U.S. Internet users are concerned about “companies collecting and sharing your data.” SOURCE: Statista

6. 5 What Is the GDPR? The GDPR is comprehensive regulation that governs the way all organizations may use the personal data of people in the EU. It is rooted in a series of historic and regulatory events, including the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which is “a set of recommendations endorsed by the EU and the U.S. that set out to protect personal data and the fundamental human right of privacy.” 3 Overall, the regulation is intended to harmonize existing EU privacy laws across Europe and return control of personal data to the individual — who the regulation refers to as the “data subject.” Understandably, a key question for many is the effect on the United Kingdom (UK) post-Brexit — an issue that is and will continue to be addressed by the EU and the UK Information Commissioner’s Office (ICO).4 KEY CHANGES OF THE GDPR The GDPR contains ninety-nine articles that detail the specific rights of individuals and the responsibilities of the organizations that collect and/or process their data.5 The EU also has laid out the key changes to previous European privacy legislation that focus on the following areas: • Territorial Scope, • Penalties, • Consent, and • Rights of the Data Subject. The following is a digest of the key changes in the GDPR. It is not intended to replace a thorough reading of the text. To review the complete text, visit the the EU Protection of Personal Data site. Compliance checklists for data controllers and data processors are available on the ICO website. TERRITORIAL SCOPE GDPR applies to any organization that processes the personal data of someone in the EU or UK, regardless of where the company is located. This means that any company — whether brick-and-mortar, online, or both — with customers who live in the EU must comply with the regulation or face stiff financial penalties.6 PENALTIES Companies in breach of GDPR “can be fined up to 4% of annual global turnover (generally speaking, gross revenue) or €20 million (whichever is greater)”.7

7. 6 CONSENT The GDPR provisions for consent focus on a number of issues related to personal data, including: 1. How companies request it; 2. How and with what language and context it is granted, and 3. The ease of withdrawing consent — the right to be forgotten. In all cases, the language used must be clear and plain (not dense and legalistic), the purpose for requesting the data must be clear, and the consent for using the data must be distinct from other topics. RIGHTS OF THE DATA SUBJECT GDPR primarily concerns itself with three key principles: how organizations request and manage consent, how they manage the use of and secure the data, and the organizational oversight needed to protect the “data subject” (Figure 2). “The US Guide to Getting Consent”, published by the International Association of Privacy Professionals, is an excellent resource to better understand the nuances and user experience issues related to notice and consent.8 PRINCIPLES GOVERNING CONSENT • Clear, Specific Purpose • Plain Language • Easy to Withdraw Consent PRINCIPLES GOVERNING DATA USE • Right to Access Data • Right to Explanation • Right to Transfer Data (Data Portability) • Right to Object to Data Profiling • Right to Be Forgotten • Breach Notification ORGANIZATIONAL RESPONSIBILITY • Privacy by Design • Data Protection Officers PERSON (aka The “Data Subject”) FIGURE 2: RIGHTS OF THE DATA SUBJECT

8. 7 People in the EU are empowered by the following rights: 1. Breach Notification. Governs the processes and timing for organizations to notify relevant parties about a data breach. 2. Right to Access. Expands the rights of individuals to access their data, understand where and for what purpose it is being processed, and receive a digital copy if they request it. 3. Right to Explanation. Automated decision-making is another important aspect of GDPR. Articles 13-15 provide rights to “meaningful information about the logic involved” in automated decisions. As argued by Andrew D. Selbst and Julia Powles, “This is a right to explanation, whether one uses the phrase or not.” 9 4. Right to Be Forgotten. Entitles people to have their personal data erased, cease further dissemination of it, and potentially have third parties halt processing of the data as well 5. Right to Object (to Data Profiling). Grants people the right to object to having their personal data used to evaluate or profile them with regard to “aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.” 10 6. Data Portability. Enables people to receive the personal data concerning them that they have previously provided in a “commonly used and machine readable format” and have the right to “transmit that data to another organization.” 7. Privacy by Design (and by Default). Requires organizations’ data controllers to follow privacy-by-design principles, including using the minimum amount of data possible and limiting access to personal data. 11 8. Data-Protection Officers. Requires organizations to appoint a data-protection officer, and lays out the requirements and responsibilities for that role. These rights have implications that extend deep into a business: security, compliance, legal, marketing, operations, product development, finance, and customer service, to name a few. At the same time, we should expect to see a range of responses to GDPR across the globe. According to a a 2017 PwC pulse survey of C-suite executives from large American multinationals, “54% reported that GDPR readiness is the highest priority on their data-privacy and security agenda”, and “77% plan to spend $1 million or more on GDPR.” 12

9. This preview version of “ GDPR Beyond May 25, 2018 ” contains only the first seven pages of the report. To download the entire report, free of charge, please visit the link below: http://bit.ly/altimeter-GDPR-strategy

[REPORT PREVIEW] GDPR Beyond May 25, 2018

You are reading a preview.

Check these out next

[REPORT PREVIEW] GDPR Beyond May 25, 2018

More Related Content

Slideshows for you (20)

Similar to [REPORT PREVIEW] GDPR Beyond May 25, 2018 (20)

More from Altimeter, a Prophet Company (20)

Recently uploaded (20)