- Design industry shaping loyalty programs
- Integrate easily and go live quicker
- Deliver hyper-personalized consumer experiences
Capillary acquires US-based Brierley+Partners Read more >
Capillary named a Leader in The Forrester Wave™: Loyalty Technology Solutions, Q1 2023 Report Read more >
By4 Min Read
May 31, 2018
Decision makers in the European Union (European Union, the Council & the Commission) reached an agreement in December of 2015 on something that they had been working on since 2012. This decision, as it turns out would have a major impact globally. This decision was to agree on a revised framework for data privacy, data ownership & data handling, which was meant to apply to EU & its citizens. The EU defined May of 2018 as the month when this new framework would become effective, something which had not been changed since 1995 [European Data Protection Directive (Directive 95/46/EC)].
The basic tenets of EU GDPR, or GDPR in short, are not really different from what is common knowledge, but what differs now is that it has been codified into a regulation, something which had not been done earlier. In this article, we will go through these basics & get to understand how GDPR is in fact very good for business in the long term.
This is a rhetorical question to begin with! Our constantly-connected world has increasingly become digital to an extent that now it is possible to live comfortably without having to ever step out of our homes. We can work remotely, order food from home, communicate with our loved ones digitally & shop online. There is barely any activity which cannot be performed online. This has increased the amount of digital footprint that our lives leave behind & the amount of data that is recorded, transmitted & generated about ourselves.
With this increase in digital information about everyone, it is meaningless, may be even unwise to ask why data security is important. In the pre-digital era, we would protect our offline assets, our house, our car, our paper documents, and our electronics; and in the post-digital era, when each of physical assets have been virtualized, it is expected that we need to protect our digital assets.
We do not ask why insurance is important for peace of mind of our family or why seat-belts are important for our safety or even why ensuring safety & security of our family is important! In same tone, we should stop asking why data security is important.
The European Union, when it took up evaluation of the European Data Protection Directive (Directive 95/46/EC) realized several logical flaws in data protection guidelines, principles & regulations.
Data collectors were effectively free to do whatever they wanted to do with it no matter who it belonged to, how it was stored, how it was handled, what was intended to be done with it. This freedom arose out of a lack of clear guidelines & boundaries, mainly since the then existing framework had not defined them well enough. This led to a culture of interpretation in manners that served their own business goals.
Another fallout of a weakly defined framework was that data collectors & data processors were unsure on exactly how data security should be implemented. While companies genuinely intended to protect their customer’s information, they were unsure about how exactly they should go about doing this. In absence of national regulations to guide them, internal policies ended up being undefined or under-defined.
And finally, a major consequence of the previous framework was that data privacy protection as a business activity became largely self-regulated. This created a conflict between business objectives & security objectives in organizations. Business objectives would frequently dominate over security objectives due a constant pressure on profitability. Many organizations which displayed clear intentions of upholding high standards of data privacy & security chose to adhere to frameworks such as ISO 27001, but without a regulatory mandate, it became a case of choice & not compulsion. The EU identified this gross failure & decided that self-regulation was clearly not the way forward.
There are several examples of global successes involving regulations making it clear as to what organizations are permitted to do & what they must avoid. Financial & Banking industry is one such case where it could not exist without such regulations.
In the domain of data security, which is a relatively newer field, Singapore’s PDPA & HIPAA from the United States of America are excellent examples. Governments of several countries have silently been working on setting up regulations which are strong enough to set up clearly defined boundaries & principles.
While news of a data breach are surprising, data breaches have had significant negative impact on several organizations. The most major impact that an organization faces when a data breach happens is a permanent loss of goodwill. They become examples of data security breaches. They get quoted, over and over again, in conferences, in discussions, during audits, in training programs. This impact takes a very long time to disappear. Some examples of major data breaches and their impact are listed below. These should make it clear that data breaches are usually very costly whenever they happen.
GDPR is legally worded & presented, but it is easy to understand its general principles. GDPR wants businesses to care about data security of subjects, have a sense about rights of data subjects, and enforce responsibilities of the Controllers & Processors who manage & work on the data.
Owing to the fact that the EU has spent significant time & effort in evaluating changing needs of data privacy & security, following which it came up with a robust regulatory framework, several governments internationally are changing their own Data Privacy & Security Laws to reflect elements of EU GDPR within their own regulations.
This in essence makes GDPR not a Europe-specific regulation, but an international one, although implemented & enforced by various Governments.
It is commonly believed within security circles that adhering to GDPR makes an organization automatically comply with most of global standards & regulations. This belief also extends to organizations & security professionals seeing a major change in how internet behaves.
Consumers in general are not against the idea of sharing their personal information with businesses. Rather they dislike it & react strongly if their trust is breached, which may be because an organization did something with their data which they did not consent for, or something that they did not expect an organization to do, or something that they clearly were opposed to when sharing their data.
And consumers are especially offended when organizations take them for granted & do something that undermines their value. This last point has been sufficiently proven by the worldwide outcry following revelations of how Facebook carelessly handed over data to Cambridge Analytica without consent.
Consumers also tend to become upset when their trust is implicitly breached when organizations do not implement adequate levels of security to protect their data and which eventually leads to a breach. In such cases, consumers are usually more forgiving, as long as the organization is genuinely apologetic & takes measures to improve their security. This case has played out several times as with Sony PlayStation, Target, LinkedIn & Equifax, all being major breaches due to lower standards of security. All these organizations followed up their breach with improved standards of security.
GDPR addresses all of these issues of consumer trust by making it mandatory for organizations to ensure that proper consent is obtained, data is handled exactly as indicated, data is never handled carelessly, adequate measures of security are implemented to protect data, control of data is handed back to consumers, & data is deleted when not required anymore.
As against earlier times, when organizations decided for themselves as to what & how they handle security, EU GDPR makes it mandatory, makes it clear & makes it explicit. Organizations have a ready set of principles on how to go about handling consumer data & what are the bare minimum set of things that they need to do while dealing with data.
Organizations do not need to self-regulate anymore. Adhering to GDPR makes it easy & makes it clear. This leads to a scenario where trust levels of consumers on businesses improve automatically. Consumers now know that organizations are adhering to a set of principles & this is why they will trust them more.
Trust is good for consumers & trust is good for business.
October 13, 2022 | 4 Min Read
64% of customers blame companies over anyone else, including
May 31, 2018 | 4 Min Read
Decision makers in the European Union (European Union, the C
May 9, 2017 | 4 Min Read
These days, most of us can’t go without the internet for e