Privacy update: accountability for your data practices. Honesty enforced
Privacy update: accountability for your data practices. Honesty enforced

The General Data Protection Regulation, or GDPR, has been a catalyst for change not only in the EU, but also in the US for quite some time, subjecting organisations to difficult and intrusive process reviews to get a handle on what data they collect and how it is used. That information, however, is merely baseline information and while the stated aim of this massive EU data protection regulation is to give control over personal data back to its owner, the individual, the spirit of the GDPR will require organisations to re-think their relationship to data and build a new data strategy and construct, modelled around transparency and collaboration with the consumer.  If an organisation can grasp and find a way forward with that knowledge, then it will transform the way business is done. A transformation that is akin to Apple's positive and systemic disruption of commerce.

The beauty of the GDPR is found in its imperfection, namely in its stubborn refusal to be prescriptive about new data practices or technologies; and it's this blatant middle of the road stance that is driving so many privacy colleagues crazy. Many of them lament that the GDPR doesn't just say what they have to do to comply.  They see shadows and ghosts lurking behind the trees in the dark.

However, I believe  this same murkiness offers opportunity, huge opportunity.

Hear me out because I think the GDPR is actually just the beginning of an emerging shift in how business is done, and we will see new business constructs being built around transparency, new technologies, and just in time, meaningful consumer participation.  

There is a level of rhetorical elegance in this data governance law buried so deep it is easy to overlook. The essence of the GDPR is simple: Do what you say and say what you do. This ethos, already personally familiar to us all, provides guidance to the business community toward a principles-based approach to data that also will necessitate fresh thinking about how data is collected and used.  I am hugely optimistic that new business models, centered around transparency and real-time and meaningful customer engagement, will emerge.  Process change is just the beginning, but more interestingly we will see new technologies and use-cases being born and blossom that we can't yet imagine.  Business is about to change in a very big way, much of it will utilise bio-metric technologies for just in time notice and to verify real-time user consent to use her data right now.

It's easy, though, to sit here and pontificate.  I'm great at gazing into a crystal ball, but the stark reality is that corporations don't usually change their business practices or models unless they are forced to, usually under the threat of imminent financial pain in the form of litigation, regulatory enforcement, or brand damage. In this case, the data shift is beginning because of the GDPR, but it won't end there. Interestingly, the GDPR is also forcing other countries, such as Argentina, to take a fresh look at their own national privacy laws and revise them to be in closer alignment with the GDPR.  Others will also follow suit in short order, and we will soon discover the commonality in all of the revised national privacy laws with the GDPR is the transparency component: Do what you say and say what you do. If I let the cynical New Yorker in me slip out, a different way of saying this is that honesty will become the law.

Back to the GDPR, though and given the massive energy and costs presently being spent on the regulation, the baseline information gleaned can be and should be re-used to also comply with both the letter and spirit of the revisions coming to national privacy laws around the world.  Creating and establishing a principles-based approach to data, one that also complies with the specifics of the GDPR, will serve an organisation well as it looks to increase its footprint in other countries and comply with those respective laws.  The GDPR is not the end, my friends, it is merely the beginning, and if thought through at the front-end, can be the foundation for a new data strategy and construct modelled around transparency and consumer driven collaboration.  The companies that figure this out will be transformative for their industries and will lead us all well into this century.

Contributed by Todd Ruback chief privacy officer & VP of legal affairs at Evidon Inc

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.