Global Business: Rewriting the Rules

By Scott G. Stephenson

It’s been described as a consumer’s Bill of Rights as well as a massive potential minefield for companies doing business in Europe. GDPR, the acronym for General Data Protection Regulation, is making a strong and historic statement on where the European Union believes the walls stand to protect its residents’ data privacy.

And while GDPR has taken data compliance to a new standard, garnering headlines, corporate attention, and public debate, the old rules of data—even where they existed—are being newly written.

GDPR isn’t taking effect in solitude. A wave of initiatives is unfolding in China, not only for cybersecurity but for data privacy, with voluntary privacy standards in play for protected personal or sensitive information. Similar conversations and regulations are underway in Russia, which may be moving toward a more rigorous set of rules not unlike GDPR. In the United States in 2018, all 50 states have enacted some form of data security or privacy regulations, although generally not yet to the same standard as GDPR.

My perception of data privacy regulation is that it can bring value by providing direction to a foreign-based company. I view it as an encouragement guiding what businesses should be doing anyway: becoming better data stewards.

Moreover, the only way to keep data assets secure is to be operationally effective; generally, that’s a subset of a well-run company. Operationally effective equals good methods for dealing with data. So, regulations such as GDPR are an incentive to move in that right direction.

Before GDPR took effect in May, companies worldwide geared up for compliance, raising questions about how best to move forward without incurring potential penalties that can reach 20 million euros or 4 percent of a company’s revenues. In sum, the sweeping rules appear to value data much the same as any physical asset. European consumers now have the right to be informed when their data is collected and must be told about the purpose of any data collection. Other aspects include an option to delete personal data (also known as the “right to be forgotten”) and the right to object when personal data is used for marketing or other purposes.

The immediate challenge for global companies will come in mapping GDPR’s walls and not colliding with them. Make no mistake, however, GDPR applies to any company that stores or handles personally identifiable information (PII) of EU residents—and it doesn’t matter where the data is processed or the location of the processing company. Think of the implications for businesses such as airlines, banks, insurers, and manufacturers dependent on global supply chains.

Extensive legal scope

On the immediate horizon looms the issue of data localization. When can a company move data out of Europe, and what kind of permission is needed? Closely attached are issues of consent and precisely who needs to obtain that consent. To give some idea of GDPR’s reach, under the new rules, even an e-mail address from a business card is considered protected information. That suggests the scope of protection is extensive and includes an individual’s location, race, political opinions, health records, philosophical beliefs, and union membership, among other data.

For businesses, a company’s supply chain raises further serious questions. GDPR isn’t just about what an individual company does—it also involves business partners, contractors, clients, and others in the third-party vendor management world. Do partners have access to your systems? Does a company transfer data to its partners? Is that data tokenized or encrypted, or is it free text in which they can see dates of birth? And then the larger issue of compliance: How does a company monitor use of its data and systems?

In all likelihood, compliance will probably take different forms across industries, products, and services. There may be efforts to “customize” compliance responses, even as the foundations of GDPR—its policies, procedures, and training—become more universal.

Privacy’s silver lining?

Beyond the challenges for businesses to adjust and comply, where are GDPR and similar regulations leading? There may be a silver lining to this cloud of data. For example, there are indeed benefits to more careful handling, transfer, and storage of data. It’s almost certain that many companies will consider security when designing IT systems as well as when reviewing security of existing systems. It’s also likely that some companies may become “leaner” with their data. Why collect 47 data points, for example, when a given product only requires 10? Collecting more data only means there’s more data to protect. Products and services should become more efficient in terms of data used in order to reduce risk of data misuse—and that’s not a bad thing.

No doubt, insurance coverages will soon appear to help offload some of this data risk. Some coverages already exist to help cover issues such as notification in case of a breach. (As it happens, GDPR does require notification after a breach, but only if the breach represents an unusual risk to the victims’ rights and freedoms.) Coverages are also available for credit monitoring and the legal fees of victims whose data has been stolen or misused. Further, there are coverages for forensic analysis to investigate a breach or hacking and help repair the damages.

Reputational harm may be another matter. For a company that fails to comply with GDPR or other data regulations, how can damages be calculated from something like loss of a client’s trust? That last question may keep more than one chief executive officer or chief privacy officer awake at night. It’s possible that concerns about reputational harm may lead companies not using PII to become GDPR-compliant nevertheless. Stating this another way, GDPR compliance may become a “seal of approval” for a majority, regardless of whether a company is doing business in the European Union.

In this sense, compliance with GDPR and similar rules may soon become a gold standard that reflects a company’s respect for its clients and business partners, in addition to showing a cultural sensitivity for the laws and concerns of individuals and countries. For those companies that embrace it, such compliance might even promote a reputational gain and provide competitive advantage over those slow to comply.

Scott G. Stephenson is chairman, president, and chief executive officer of Verisk.