In our first Citi GPS report on ePrivacy and Data Protection (Who Watches the Watchers?, March 2017), we highlighted that the focus on data privacy is on the rise and forthcoming changes to regulation in the European Union (this year), will fundamentally alter the risk/reward of using data and, with it, alter the perception of the long-term opportunity from data.
In this follow-up GPS report, with Europe’s General Data Protection Regulation (GDPR) less than a month away, we consider how prepared consumers, corporates, and regulators are for the tightening regulatory landscape. More broadly, we consider what the potential implications could be as we move from an environment where organizations have become accustomed to untrammeled access to data, to one where data minimization and transparency presides, consumers are empowered to take more control of personal data, and organizations are forced to think carefully about their use of data. To investigate this we surveyed those involved in implementing the GDPR across a range of organizations and conducted a series of interviews with industry experts from Telefónica, Schibsted, Zalando, and specialist consultancies.
The majority of companies believe they will have to change how consumer data is used which brings with it rising costs (i.e., of compliance). Trust plays a fundamental role and unless consumers believe the value trade is beneficial, access to personal data could fall as consumers are prepared to use their enhanced rights. The application of the regulation (unintentionally) favors those closest to the consumer and large companies vs. small companies. Murky data supply chains are set to see a shakeout. Advertising funded models have been one of the key planks supporting the Internet’s development and the online advertising industry appears to be right at the heart of the challenges that regulation presents. As one survey respondent commented: “The range of plausible outcomes includes total destruction of the online ad ecosystem in Europe all the way to a minor blip.”
Companies claim to be well prepared for the EU regulation change. The 25th of May is D-Day, when the regulation will come into effect, but this is not going to be the end of the process. In fact, it may well be the start of a step change in the approach to data protection regulation globally. We worry corporates and investors are being complacent about the risks.