The General Data Protection Regulation (GDPR) has been called “a revolution,” “a paradigm change,” and “a ticking time bomb.”
That bomb will go off on 25 May 2018. There’s no question of diffusing it. For any company that does business in Europe, preparation should consist of reducing the destructive effects and, more importantly, preparing to survive – and even thrive – in the drastically transformed business environment that will result from the explosion.
We know it’s going to happen, we know it’s unavoidable, we know life will never be the same afterwards. And what are we doing as a result?
Mostly nothing. And certainly far less than is necessary.
The Content Advisory engages with dozens of marketers every week and regularly asks about their plans for the GDPR. The response usually runs the wide gamut from ignorance (“GDP what?”) to ignoring. (See my podcast, Four Bad Reasons to Ignore the GDPR.)
Given the advanced warning, companies should be metaphorically rushing to the store to stock up on canned food, candles, and batteries (i.e., building up a stock of awareness and education about the GDPR); filling up buckets and bathtubs with water (i.e., reviewing and revising customer engagement strategies); and learning how to adapt to a new diet (i.e., the radical shift from maximum data to the GDPR-mandated data minimization).
Instead, indifference.
Investors place bets on the future – and the GDPR describes the future in detail
Investors (by which I mean venture capitalists and private equity firms) exist in order to place bets on the future. The text of the GDPR describes the future in considerable detail. (As I noted in my recent article.)
Surely, investors should be deeply concerned about the GDPR in order to:
- Review their existing portfolio of companies, to understand the impact of the GDPR. For example, as I explained in this webinar, any software or service solution designed now for deployment after May 2018 must be able to demonstrate that it “enables” data protection by design for the purchasing company.
- To understand how their portfolio companies can/should extend or supplement their product offering to capture some of the immense opportunity offered by the GDPR. For example, think of how number portability ignited businesses in the cell phone space. Data portability as mandated by the GDPR will do something similar but exponentially more disruptive.
- To properly vet new pitches in light of the environment spelled out by the GDPR. Once the regulators begin to impose those €20 million or 4% of gross global revenue fines, the multi-billion dollar opportunity for new technologies and business models will be obvious. But of course, smart VCs need to act well before anything is obvious.
But despite these obvious impacts, my associates in Silicon Valley and in Europe report that investors are . . . indifferent.
In an attempt to understand this knowledge and insight deficit, I contacted a former colleague from my time as a Forrester analyst. This person always struck me as one of the very brightest in a firm populated by smart people, and I had reason to suspect that she’s involved with start-ups and investors in Silicon Valley.
In her response, she first confirmed the field reports: VCs and PE firms are unlikely to get worked up about the GDPR. And she provided a reason:
“[H]ow many VCs use SoX/PCI/HIPAA in their vetting of opportunities? It’s virtually zero I am afraid. It’s too detailed a yardstick for them – they tend to stay on the level of financial potential, market opportunities, and technology soundness.”
(For the record, she’s referring to Sarbanes-Oxley (SoX), the Health Insurance Portability and Accountability Act (HIPAA) and, I presume, the Payment Card Industry Data Security Standard (PCI-DSS).)
This view of the GDPR – which I know is rampant among companies, let alone investment firms – is both entirely accurate and OH. SO. WRONG.
Blame the name
Putting the GDPR in a bucket with SoX and HIPAA is accurate (sort of) because it is, after all, the General Data Protection Regulation. Who takes care of regulations? Why, the Compliance professionals of course! And who takes care of data protection? Why, all of those geeks working for the CIO and the CSO of course! So basically, IT and the lawyers will deal with the “detailed yardstick” of the GDPR, while the rest of the company can get on with business as usual.
But, OH. SO. WRONG. The GDPR is actually nothing like SoX, PCI-DSS, or HIPAA. (To begin with, because those pertain only to financial reporting, payment integrity, and health insurance and data, respectively. Detailed yardsticks, indeed.)
For affected companies, the GDPR deeply impacts the day-to-day operation of every single business process that has anything to do with personal data. Plus, it significantly broadens the definition of what counts as personal data to include most digital fingerprints, such as device IDs, browser settings, location data, and many cookies.
Given those two points alone, it’s difficult to find any aspect of today’s digitalized and data-driven businesses that will not require fundamental transformations in light of the GDPR.
That thing about a bomb in the MarTech ecosystem
To illustrate, take Scott Brinker’s 2017 MarTech supergraphic, comprised of 5,381 solutions. Without radical restructuring of the solution and/or the business model, the GDPR will make it impossible for hundreds if not thousands of those solutions to be deployed vis a vis EU residents after 25 May 2018.
In short, a large percentage of the existing data-driven marketing and customer experience ecosystem is threatened with extinction by the GDPR. (For more detail, see Dr. Johnny Ryan’s excellent exegesis.)
Surely the firms that have invested 10s or 100s of billions of USDs in these start-ups might want to know that?
Why is the GDPR so disruptive? Because it requires firms to follow principles that are in many cases the exact opposite of prevailing practices around data collection and processing. (And which, it follows, are in direct contrast with the way many if not most of the software solutions in the MarTech ecosystem are architected.)
One example: The requirement for data minimization (Article 5(1)(c)) means that you must be able to demonstrate that every business process that touches personal data (and every technology that contributes to it) is designed in such a way that it uses the smallest possible amount of data for the shortest possible period of time while exposing it to the fewest possible eyeballs and ensuring that it is deleted as quickly as possible when the processing purpose is completed.
Compare that to the prevailing practice of grabbing and aggregating as much data as you can and extracting value from it in every conceivable manner for as long as possible. The heart and soul of data-driven marketing – mass data aggregation, algorithmic processing, profile building – is fundamentally challenged – and, to be frank, largely banned – by the GDPR.
It’s the opposite of a compliance problem
The GDPR is clearly not a narrow or detailed concern like SoX, PIC-DSS, or HIPAA. I’m tempted to simply repeat that again for emphasis, but instead I’ll reformulate: The GDPR will not be, and cannot be, addressed or solved as a “compliance problem.”
Evidence: The UK’s chief data protection authority, Elizabeth Denham, emphasizes at every opportunity that the GDPR is not a “box-ticking” compliance exercise but will require basic and broad business transformation.
More recently, Denham acknowledged that the GDPR introduces “specific new obligations for organisations, for example around reporting data breaches and transferring data across borders.” Sounds like compliance problems. But she added that the “real change” for organizations will be in “understanding the new rights for consumers.”
Her deputy Rob Luke tried to make it even more clear: “Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law.” He added: “Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong.” (Emphasis mine.)
These aren’t just the ramblings of regulators drunk on their own Kool-Aid. Enlightened (or simply attentive) business leaders get it as well. Andrew McClellend of the Interactive Media Retail Group (IMRG) says, “The majority of the change needs to be cultural, rather than box-ticking.” Vivienne Artz of Citi says, “For many organizations, it may mean revisiting the core business model.”
Immanuel Kant explains the GDPR
At the outset of his Critique of Pure Reason (1781), Kant states, “Our time is the authentic time of critique, to which everything must submit.” It is fair to say that the same applies to the dawning era of the GDPR. Whether you are an investor or an executive, a developer or a marketer, a start-up or a legacy conglomerate – there’s no escaping the DNA-level transformations required by the GDPR. Everything must submit to the GDPR. Not (simply) because all must comply with the regulation, but because only by thoroughly understanding how the GDPR changes the business environment can you (try to) adapt to the conditions (the privations and the potential prosperity) that it introduces.
In short: For any business that touches Europe, no calculation of financial potential, market opportunity, or technology soundness is complete or meaningful if it excludes the GDPR.
It’s time to get smart.
