Podcast: Four Bad Reasons to Ignore The GDPR
In this episode of Just Clarity, Tim Walters and Jake DiMare unpack four bad reasons to ignore the General Data Protection Regulation (GDPR).
Welcome to Just Clarity, a periodic podcast about Digital. Just Clarity is produced by the team at Digital Clarity Group. We help leaders transform the experience they deliver to customers, prospects, and their employees through the effective selection, integration, and adoption of customer experience management technology. Learn more at digitalclaritygroup.com
Jake DiMare (JD): Alright, welcome back to the Just Clarity Podcast. I am joined by Tim Walters, Co-founder and Principal Analyst at Digital Clarity Group, and my name is Jake DiMare, I’m the Director of Marketing.
So for this episode of Just Clarity, we’re going to talk about the GDPR again, Tim. The last time we got together we shared, or you shared, the five myths associated with the GDPR. A lot of great information there folks, you can go up to our website and find that in the podcast section.
What we’re going to talk about today though is that since the last time we spoke, Tim, you’ve had the opportunity to go into some businesses and conduct a couple of workshops where you talk specifically about how the GDPR may impact those organisations that brought you in. So I’m interested to learn what is it that you’re learning or hearing now that you’re out there in the field?
Tim Walters (TW): Yeah, I would say that it’s the out in the field part that’s more interesting right now, or maybe more worthy of discussion. The workshops are often kind of, I almost want to say entertaining to watch, because people typically go through three or four stages in the course of the first couple of hours as they come to terms with the GDPR: from kind of laughing and thinking that the bureaucrats have imposed another outrageous set of restrictions on them, to beginning to wonder how they’re possibly going to be able to comply with the regulation, to a kind of shock and awe state when they realize just how much it requests, or demands rather, of organisations and how they’re possibly going to be able to do that before it becomes enforceable in May of 2018.
So the other aspect of this is what’s going on with people who I’m talking to, who aren’t doing workshops, who don’t think for one reason or another that they need to be worried about the GDPR, at least not right now, and so I have collected three or four top excuses that I keep hearing over and over from people when I ask them what it is that they’re doing at this point, and they basically tell me they’re doing nothing.
JD: Well, that seems like a bad idea.
TW: Very bad idea. So the first of those excuses, and I think perhaps the most prominent one, and it’s almost understandable, is that they say, “There’s plenty of time to worry about it. We’ve got a lot of things to do, we’ve got to prioritize, and the GDPR is so far away that we’ve got time to put it on the back burner for now”. That’s accurate in the sense that compliance is demanded only as of May 25th 2018 and that’s a while from now. However, when you think about it, let’s see, as of October 1st, as of tomorrow, May 25th, 2018 is about 420 working days away.
That puts a different kind of perspective on it, and I think, and I’m not the only one who thinks, that even for a mid-sized firm that is not going to be impacted as fully as a multinational, obviously, with thousands or millions of consumer touch points, 420 working days is a very short period of time to prepare, and here’s, I think, a good way of looking at it. Consider a single project that the listeners might be familiar with, like selecting and implementing a new Web Content Management solution for your website.
So how long does that typically take, right? We would say, you know, we do a lot of consulting around helping people select and implement WCM, and very, very roughly speaking, it depends upon many factors of course, but as a rule of thumb, say roughly 18 months. If you’ve really got your ducks in a row, as they say, about six months for the selection process, that is including understanding what your true requirements are, filtering that down to what we call your focal needs, that is your highest priority needs that are really going to determine which solution you should select, going through the vendor selection process, and then about a year to have the service provider partner implement and build out the solution that can begin producing business value. Alright, does that seem reasonable to you?
JD: Yeah that seems pretty accurate to me. I know the better part of my career I spent a lot of time doing exactly that kind of work and 18 months is an accurate timeline.
TW: Exactly. So now, as of October, you’ve got about 19 months until the GDPR is enforced in 2018, and you have to realize that in all likelihood, most organisations are going to be facing two or three, at least, distinct technology selections and implementations in order to be in a position to be compliant.
So for example: you have to create a system, I doubt that most organisations have this now, you have to create a system for storing and retrieving granular responses to your request for consent to collect personal data. So when you ask someone, “May I collect this and that data for the purposes of doing A, B, and C”, you have to store that request and their response, obviously, so that you can prove that they gave their consent.
JD: So this is like preference center 2.0.
TW: Yes, but it also has to be granular. So they can say, “I will give you my consent for purpose A, but not B and C, or A and C and not B”, so that all has to be stored, it has to be retrievable so that you can prove it when requested and so forth. You also need to create a system that can basically scour all of your databases and data storage facilities and give an accurate and utterly complete response to the question from an individual, “Do you have any of my personal data?”, and on the one hand that might seem easy to some people because they’ll say, “Well, we have a kind of master customer database that powers the personalisation on our website, so we’ll look in there and see if we have any personal data for that person”. That’s probably a good place to look, but you might have personal data about that individual in many other systems throughout your organisation as well, let alone throughout your global organisation. You may have it in servers or databases that haven’t even been active for months or years. You may have it in backup storage. You may have it on personal computers of employees who have copied it to thumb drives. You may have shared it with partners, and you’re now responsible for identifying that. So how are you going to be able to give that accurate response?
JD: You know what you just made me realize Tim that this almost becomes the regulatory hammer that allows marketers to push through the, or customer experience professionals to push through the 360 degree customer data initiative that never gets approved or never happens due to the overwhelming cost of getting that done.
TW: Yeah I think that’s right. It might encourage firms, it ought to encourage firms in fact to be much more thoughtful and even strategic about what kind of personal data they need and what kind frankly they don’t need because the overhead and the expense and the hassle frankly of collecting and using personal data is going to increase. So you want to be very careful about knowing what kind of value you’re going to get out of it so that you can make a reasonable judgement that the value you can receive from it compensates for the hoops that you have to jump through in order to collect it and store it and treat it with the responsibility that the GDPR demands.
In addition to that, you’re going to have to create a system for identifying all of that data once you’ve answered that question, for extracting it if requested, and that means destroying any traces of it in your systems and again in your partners’ systems and so forth, for packaging it into what is called an easily machine-readable format. Somebody suggested to me, “Well, this would be just XML”, but I don’t think that the data protection authorities are going to agree that XML is easily readable; it might be easily machine readable, but it has to be comprehensible to the individuals who have requested that data.
JD: I’d say that’s a step in the wrong direction.
TW: Yeah, I think that’s the third or fourth major system that you might have to design, acquire the components of and implement between now and May 2018.
JD: And we’re only in the custom pieces.
TW: Yes, exactly. There’s an entire other part in the regulation about data breach identification and notification. So you know, we just saw in the case of Yahoo, who would have us believe they were unaware of a data breach that resulted in the loss of 500 million personal data records, about 500 million individuals, for over two years. That’s not acceptable under the GDPR. So if you don’t have it already, and frankly most organisations don’t, you’re going to have to have much better systems for, first of all: breach protection, you know, security and threat protection, and then data breach identification, detection, and data breach reporting, because those reporting requirements go up substantially, and just generally a complete rethinking and hardening of the security and threat protection layers given how devastating the fines can be that might be levied if you have a major breach like Yahoo.
So in short, in other words, I haven’t even begun to talk about all the business process review and redesign that goes into being compliant. It’s probably altogether even more time consuming and complicated than the technical aspects of compliance, but you can see that 420 working days begins to look laughably short once you begin to realize all the things that have to be done by an organisation, or all of the things that may have to be done, and in many, many cases they will have to be done in every organization in order to be compliant by May of 2018.
JD: Yeah, agreed. It does seem like a very short amount of time.
TW: Yeah. So the second excuse that I get, and this one is also quite understandable, especially in the US, maybe less so in Europe, is: “We’ll wait and see if we get caught.” Alright. Basically, we’ll cross that bridge when we get to it, so if we get caught then we’ll pay the fine and we’ll respond accordingly and so forth, because typically the situation in the US in particular has been that fines have not been that excessive, that invasive, and regulators are satisfied with the promise that it’s never going to happen again. Just think how many times Facebook has faced that kind of criticism and then they say, “Oh sorry, we didn’t realize that toying with the psyche of customers was a bad thing, we promise to never do it again”. This excuse is not valid because, I don’t think we talked about this in the previous podcast, but it’s worth repeating if we did: it’s very important to realize that it is not the case that the law comes into effect in May of 2018; it came into effect in 2016, it is now the law of the land, so to speak, in every EU member state. However, the regulation specifically spells out that there will be a two year transition period in which it will not be enforced, or more particularly, data protection authorities should not enforce it.
So this is the grace period. There’s a two year grace period between the time it became law in 2016 and when it becomes enforceable, or will be enforced, in May of 2018. So what you cannot possibly say in May of 2018 is, “Oh sorry, but this is a brand new regulation and you have to give us some time to get used to it or get ready for it”. This is the time built right into the regulation that companies are being given to get ready for it, and you ought to be taking advantage of that time.
Interestingly, and actually let me add something there. When you look at the fine structure, the ways, and you know, what kinds of things will get you what level of fine in the regulation, there are pages actually of things that the data protection authority should take into account in determining the level of the fine, and one of them is whether you can demonstrate that you proactively tried to comply. So you could say: “Okay, we did violate the regulation, but look, we did all of these things, we tried to educate ourselves, we had conversations with the data protection authorities. We implemented some new processes and systems so you can see that we were making a good faith effort to comply with the law”, and a reasonable data protection authority would realize that, and that could moderate the amount of the fine or cancel it altogether, but if you don’t do anything until the law is close to coming into effect, it will have the opposite impact on the authorities, because you will have precisely not demonstrated any good faith attempt. You will have demonstrated that you were basically purposefully ignoring the need to be compliant with the regulation, and that would likely increase the level of the fine that you would receive.
JD: Interesting. So let me just try to clarify that. So if you’ve taken, if you’ve made some good faith effort to comply, then the regulator can use that as a decision point when they decide how much to fine you for a violation.
JD: Does this mean that if you’re caught in violation of GDPR, it doesn’t sound like there are court proceedings at this point, it just sounds like the regulator decides what to do.
TW: In most cases the regulator would decide what to do. So every organisation needs to designate the member state data protection authority, and there may be more than one data protection authority in a country like Germany or something, but in any case you designate the data protection authority that is, as it were, going to be your watchdog, so to speak, although they want to think of themselves as more of your partner, your partner in privacy. So that’s the lead data protection authority. If it comes to a question of whether there’s been a violation, a large organisation that operates across Europe might draw the attention of data protection authorities in many countries, and then they will need to cooperate and determine whether or not there has been a violation and whether or not it requires a fine, but in principle there is always a designated lead authority.
JD: Excellent. So what’s number three?
TW: The third excuse is, this one’s kind of audacious: “Yeah, we looked into it and we’ve got it covered”, and you can see, given what we’ve reviewed merely from the technical aspect, kind of infrastructure aspect, of compliance, it’s very, very unlikely that anybody is fully compliant with the regulation today. As a matter of fact, this particular response I first heard from a vendor, a software vendor, and vendors have an additional challenge, and I must say as well, additional opportunities, in the context of the GDPR because, one: let’s say, I won’t name a software vendor, but imagine somebody who’s selling WCM since we already mentioned that, they need to make sure that their business and customer relations and the way in which they handle personal data, in their marketing efforts and so forth, is compliant, just like any other client organisation of theirs. Then they need to make sure, however, that the solutions that they are selling are compliant. They also need to make sure that their sales teams are educated about the GDPR because clearly, as time goes on, any client or prospect is going to become increasingly anxious about knowing how a vendor’s solution will or will not help them, aid them, in becoming compliant. So you need to be able to answer that question with some degree of knowledge.
Then the product strategy: how can we plot out, how can we create new solutions which are going to help people deal with the challenges of the GDPR. So there are four or five different areas that a vendor has to very carefully think about and potentially design solutions around, as compared to the one area really, basically, how are we handling personal data in our business processes, that a so-called end user needs to worry about.
So if you hear from a vendor in September of 2016, a few months after the law has been passed, and actually only not that many months after it came into its final form in the spring of this year, that they’ve looked into it and they’ve got it all covered, they’re probably not understanding precisely the impact that it’s going to have.
JD: Right, right. You know there’s only a handful of people that know this subject as well as you do at this point. I mean is there some solution that you can buy off the shelf and just plug into your organization that’s going to solve these problems for you?
TW: None whatsoever.
JD: I didn’t think so.
TW: It depends too much upon the distinctive situation of a given organization. So there will increasingly be both technology solutions and packaged advisories, and packaged business processes, that will help you deal with the GDPR, and that’s actually encouraged by the regulation, but there certainly will never be, it’s not a plug-in that you just add to your current business processes, or your current business model, and then you’ve dealt with it.
JD: So it actually leads me up to a follow-up question. I remember back in my early days as a web developer, I did a few government projects in the United States and they were required to be compliant for disabled people to use the websites. So back in those days it was sort of fashionable to actually put a seal in the footer of your website that indicated compliance. Do you sort of know of any organisation that is even offering the testing and certification that’s necessary to say, “Yes, this organisation has done everything they need to and they’re compliant”, or does that not even exist yet?
TW: Yes. Well, I can’t say for sure whether it exists yet, but again, and this is one of the ways in which, this is something that shows that the authors of the regulation were trying to be business friendly in light of their responsibility to protect the privacy of EU residents. So there’s an entire section of the regulation that is about certifications and seals and so forth, just as you were talking about in the case of compliance around accessibility.
Those seals have not been completed yet, and they’ll probably vary by industry and so forth, but that motivates companies within a given industry to come up with joint solutions that are recognized as acceptable under the GDPR and to create some kind of certification program, and then a seal that you can achieve, as it were, and display at the completion of that program, and that will provide more trust and insight from the perspective of the consumers who are visiting those sites or interacting with those companies, and make it easier for companies to have some assurance that the way in which they’re behaving will be found appropriate should it come to any kind of review with the data protection authority.
JD: So what else. What are the other reasons why people are not making any progress?
TW: Yeah, the fourth one that I wanted to talk about is actually the one that I hear most often, more than any other, and this continues to astonish me, and as time goes on it astonishes me more and more, and you’ll know why when I tell you, and that is basically, “What’s the GDPR?”. I was just at an event last week in Scandinavia and there were about, oh I don’t know, 40 different organisations there and I had as many conversations as I could. I probably started irritating people because all I wanted to do was say, “What is your organisation doing about the GDPR”, and I would say, without exaggeration, 80% of the time, if not 90% of the time, they didn’t have any idea of what I was talking about. This is in Europe and this is what, 18-19 months away from implementation, or from enforcement. In a way I think this is, we talked about these as bad excuses for ignoring the GDPR, this is actually a good excuse for ignoring the GDPR because you’re literally ignorant of it. I can hardly blame you if you haven’t heard of it, I can’t expect you to have made any progress towards complying with it, but it’s only a good excuse for ignoring it as long as you’re genuinely ignorant, and as soon as you become aware, like right now, dear listener, then your obligation is to jump into action and begin as quickly as possible doing all those things that we’ve listed, and again those were only a few of the things that you’re going to need to do between now and May 25th, 2018.
JD: This one’s interesting to me. I’ve been to a few events recently where I’ve had the opportunity to communicate with CMOs at very recognized global brands, and of course this is very unscientific, this is just anecdotal, but I spoke actually at these events so I had the opportunity to talk with 35-40 people at the same time, and I asked each of the groups, “What do you know about the GDPR”, and in each group a couple of people did know exactly what I was talking about. The overall majority had no idea, and unfortunately I can’t, I wish I could say which company this is, I have a friend that I grew up with that is the general counsel for a huge organisation that is publicly traded and touches every part of the globe, and she declined to comment on the record because I think they see it partially as a competitive advantage to discuss what they’re doing about it, but she knew exactly what I was talking about and she is taking it very seriously.
TW: That’s very interesting because it precisely is a competitive advantage. That’s a good way of thinking about it. For example, I was also at another big event in the US, and in this case where there were a lot of service providers, so consulting firms, system integrators, digital agencies, and again, there was one person really that didn’t just say, oh yeah, I’ve heard vaguely about that, but actually knew a lot about it, and that gives her organisation a competitive advantage because, one: in this case they’re a service provider, they’ve got a huge head start in providing the services that will help companies become compliant when those companies kind of wake up from their slumber and realize what they’re facing, and if you look at it not from the perspective of a service provider but from those end user companies, if you’re working on the GDPR now, or if you’ve been working on it, if you were working on it six months ago before it even was passed as law, but it was clear since no later than December 2015 that it was going to be passed, that’s when the real proactive firms should have begun working on it, and if you’ve been working on it for three months or six months or nine months, you’ve got a massive head start and a massively easier effort in coming into compliance compared to your two year competition.
JD: So here we are. So any organisation that stores or processes the information of EU residents has to most likely install four or five new bespoke systems that don’t exist, that’s technology. They have to change the way they operate, they have to retrain their team. They have to certify that they’re in compliance. They have roughly 19 months to do it, and sort of anecdotally, between you and me, it seems like a tenth of the businesses we’ve spoken with actually know that this is coming. Seems like there’s going to be a lot of folks caught with their proverbial pants down in 2018. What’s the solution to this problem?
TW: Yes. That’s precisely right and I agree with about 10% and so forth, and that gets me to another excuse which I didn’t actually list as one of the four that we discussed, but we sometimes hear, “I’ve got other things to do and it’s not my top priority”. Well, I can’t judge that, that’s for you as a business manager to decide, but what’s going to happen in six months or a year when it absolutely has to be your top priority and overwhelms everything else that you ought to be doing in parallel? So it’s much better to begin working on the GDPR now, if not already yesterday, so that you can keep, you know, as it were, several pots boiling at the same time rather than concentrating entirely, having to shift your attention entirely to the GDPR at some point in the future at the expense of the other important projects that you’ve got going.
JD: I think now, you know, before we bring this conversation to a close, it might be a good time just to remind folks once again what’s at stake here.
TW: There’s a short answer. The short answer is what’s that stick, what’s the stick that the EU and the data protection authorities are going to use if you’re not compliant. There are two categories of fines. So for certain kinds of violations or noncompliance, you could be fined up to 10 million Euros or two percent of your global annual turnover, that is your global gross revenue. For the second category of violations you can be fined up to 20 million Euros or 4% of your total global revenue. So one of the ways to get people’s attention is just look up their 2015 global gross revenue, and at this event I was at last week, mostly it was developer and technology focused, but there were two people, marketers from large global organisations, and I won’t name them, but I calculated quickly that for one of them, based in Europe, a 4% fine would be 445 million Euros, and for the other, actually also based in Europe but very well known in the US, a 4% fine would be 2.1 billion Euros, and that’s for one violation. You could be potentially fined over and over again if you’re a serial violator and refuse to learn your lesson.
Those are potentially, without exaggeration, potentially life-ending circumstances for organizations that are grossly out of compliance with the GDPR.
What else is at stake, and I think this is a topic for an entire other podcast, is that the intent here is that it institutes an entirely new paradigm for the expectations of consumers and behavior of companies around privacy and personal data. So going back to our discussion of competitive advantage and disadvantage, setting the fines aside entirely, if a number, not even necessarily the majority, but if a number of the firms in your competitive set are compliant, they are going to be much, much more attractive for consumers to do business with because they are going to appear to be, they are going to be, not just appear to be, much more trustworthy and responsible, right? And have surrendered entirely what is today largely an antagonistic relationship with consumers around personal data, like companies are trying to figure out how to get more of it, and consumers are trying to figure out ways to keep them from doing it. When that kind of war ends and it turns into a trust based relationship with a mutual exchange of value on the part of the company and the consumer, and both of them are getting benefits out of the consumers’ personal data, then you’re going to be at a great disadvantage if you’re operating in the old-fashioned way as an antagonist.
JD: Gotcha. Well, I think then that’s probably a good place for us to end this conversation and we’ll talk to you again Tim at a later date and learn more about the GDPR.
TW: Great, my pleasure, thanks, Jake.
You have been listening to another episode of Just Clarity, produced by the team at Digital Clarity Group. For more information on the topics we discussed today or the subject of customer experience management, please visit us at digitalclaritygroup.com