"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Travis Ruff, chief information security officer at Amperity.
I am here to address the elephant in the in room: Companies need to stop trying to find ways around the General Data Protection Regulation (GDPR). It’s here to stay, and privacy laws will only become stricter over time.
What’s happened since May 25 follows the same line of thinking that’s caused so much tension in digital marketing: Instead of finding a holistic solution that respects consumers’ inherent rights to privacy and applies to everyone, companies are trying to get creative by attempting to identify European users within their systems in order to avoid penalties.
This approach is not only time- and cost-inefficient, it is also difficult to accurately accomplish.
It’s time to figure out a long-term plan. Building a framework only for European users is not sustainable. Companies must make their case for why individuals should share their data. People must be incentivized with real value — coupons, discounts, anything tangible.
Companies must be transparent about the benefits that individuals will receive. They must focus on how they can work most effectively within GDPR, because it is inevitable. Myriad other proposed privacy regulations will certainly come to pass.
Here’s what needs to happen.
Embrace a culture of ‘privacy first’
GDPR underscores the differences in privacy culture between Europe and the US. In Europe, privacy has for decades been a fundamental right, driven by citizens and enforced by the government. By contrast, privacy in the US is a newer concept that’s primarily driven by government, while citizens remain largely uninvolved.
However, this is starting to change. A recent outcry over the misuse of data by companies such as Facebook has shed light on years of questionable marketing practices, and people are demanding reform. California’s recently introduced Consumer Privacy Act is a small yet symbolic step.
But to make real progress, individual companies must take responsibility and examine their own internal cultures. Privacy must be given a seat at the table, and companies must have the desire to innovate.
Those that resist or simply fail to evolve will pay the price in consumer mindshare, government sanctions or both.
Build a framework for every user
Once the thinking is where it needs to be, companies must create a consolidated set of requirements, and not just to comply with GDPR. Companies must apply equal privacy standards across any country where they have a regulatory obligation. They should not, however, just give everyone a copy of every law and expect them to understand and comply.
Companies need to give their employees a single list of requirements and clear instructions for how to meet them. To do that, companies must first know their true current states.
They should start by documenting their current controls — business, process and technical. Those controls should be mapped to requirements. The control gaps must be assessed openly and honestly, with the associated business risks documented with each gap. Inevitable unmitigated risks must be communicated and used to prioritize investments of both time and money.
Current and future business initiatives, data use and other activities can quickly and easily be assessed against the existing set of controls and gaps. Some activities make compliance easier, while some make it more difficult; however, the change in risk and controls will now be known and the costs and benefits made clear.
Compliance is complex and getting more difficult every day. Those who fail to innovate and adapt by taking on the challenge now will undoubtedly fail and expend more effort later. Leading in privacy can and will allow companies to move faster and more confidently with new products, markets and opportunities.