On May 25, 2018, the European Union will adopt the General Data Protection Regulation (GDPR), a sweeping new law that holds businesses strictly accountable for the transparency and security of any consumer information they possess. For any company in the world that collects or uses consumer data, this could be a game-changer.
For CEOs and their C-suite, GDPR presents both a challenge and an opportunity.
The law’s stipulations will require many companies to significantly change their data practices. As of May 25, any enterprise that collects consumer data must ask for user consent in clear, simple terms and honor user requests to have their data erased by the company. Users also have the right to be informed of any and all use of their personal data by companies, and must be informed of any breach of their data within 72 hours of detection.
By codifying data protection rules and enforcing them with severe penalties (fines of up to 4% of a company’s global revenue or 20 million euros, whichever is higher), GDPR will require businesses to reimagine the way they handle consumer data, forcing many to make fundamental changes in order to meet compliance standards. And given that GDPR applies to any company whose website interacts with even one EU resident, its reach will be global. If found in violation, even companies that base operations and process data outside the EU will be subject to enforcement or risk losing access to all EU markets.
Today, every business is a data business, and the ability to collect, mine, process and analyze information is what separates companies that are positioned to thrive in the 21st century from those that are likely to fail. To date, companies have had wide leeway to plan their long-term strategy around the idea that data is easy to obtain and extraordinarily valuable to own. Post-GDPR, data will be just as valuable – if not more – yet the cost and risk of acquiring it will rise substantially.
Rather than allowing government regulations to dictate procedural changes, CEOs can use the coming regulations to have a larger conversation about the nature of data collection and data security in the future marketplace, and to enact forward-thinking changes that look beyond May 25 to what the post-GDPR competitive landscape will look like long term.
Smart CEOs will recognize this opportunity to engage and build trust with their clients and customers on the critically important topic of accessing their personal data. Having an honest dialogue on data collection practices could garner invaluable feedback from customers while strengthening their relationship with the company.
Tackling data and privacy head-on is exactly the kind of leadership we need in the Age of the CEO Statesman, a major cultural shift in which people increasingly look to executives, rather than politicians, as change agents who will push for positive societal change and stand for a unifying set of public values. GDPR is a unique opportunity to meet the need for leadership. That’s why CEOs shouldn’t shy away from this controversial issue. The alternative – a reactive strategy that clings to old practices as long as possible – might be a tempting placeholder for more sweeping change, but this approach undersells the sweeping impact GDPR will have on the business landscape as a whole. And given the law’s severe penalties for non-compliance, waiting to enact changes until after it’s enforced is a luxury most companies simply can’t afford.