Will the GDPR Be the Californication of Data Governance?
Business practices around personal data have already resulted in helmification. Will they now lead to Californication? Let me explain.
Helmification is the regulation of a practice by governmental authorities, usually after the practitioners have proven incapable or unwilling to take care of issues themselves. Example: Motorcycle helmet laws — and the EU’s General Data Protection Regulation (GDPR), which places substantial new restrictions on the use of personal data.
Californication occurs when a single part of a large market is able to dictate the behavior of practitioners across the entire market. Example: After California introduced higher auto emission standards, most manufacturers eventually built almost all of their US-market cars to meet the California requirements.
When I advise clients about the provisions and impact of the GDPR, the reaction usually goes like this:
- Stage 1: Bemused chuckle. (“Those wild and crazy European bureaucrats!”)
- Stage 2: Indignation. (“You mean I have to follow these practices too?” Answer: Yes, if you have anything to do with European residents.)
- Stage 3: Shock and awe. (“How are we possibly going to be able to do that?”)
The shock and awe firmly take hold when I discuss the GDPR’s requirements for information access and data portability. Namely, any European resident can ask any affected organization for a complete inventory of all of their personal data held by the organization. They can also ask for a copy of it. (In a “commonly used and machine-readable format.”) They can also ask that all of their data be destroyed or deleted. And — trump card — they can demand that all of their data be packaged up and sent to a competitor.
At this point, I’ll hear over the phone line the sound of several hands slapping several foreheads. (And by the way, dear reader, how are you possibly going to be able to do that?)
The answer is complicated, and that’s one of the reasons I’ve been suggesting that many firms with substantial business in Europe may eventually decide to apply the data governance practices mandated by the GDPR to their data practices worldwide, rather than trying to maintain two (or more) sets of technology infrastructures, business practices, and skill sets.
In a recent episode of the International Association of Privacy Professionals (IAPP) podcast, Max Schrems suggested the very fitting analogy with auto manufacturers and California versus “49 state” vehicles. (Schrems is the guy whose suit against Facebook led the European Court of Justice to invalidate the Safe Harbor regime that governed data transfers from the EU to the US.)
But I also think there is a second and more powerful reason that we might witness the Californication of data practices. Reducing cost and complexity is nice, but building trust with consumers is far better, and will increasingly be a key to business success.
The GDPR requires that firms spell out precisely what the personal data will be used for (and for how long, and by whom) when it is requested. Smart firms will also spell out what benefit the consumer will get in exchange for his or her data — and then consistently deliver on that bargain. Consistently and reliably helping consumers achieve their goals is the only sure way to improve the customer’s experience and become a trusted partner. And trust, as they say (or ought to), is the new oil.