Regulatory sanctions, even though potentially hefty, may be the least onerous result of not being fully GDPR compliant. A bigger negative would be loss of consumers’ trust, especially those who are data-savvy activists, about a third of whom are Millennials.
A Capgemini survey released May 17 received much attention with its finding that 85% of companies surveyed would not be ready to meet the May 25 deadline for full compliance with Europe’s General Data Protection Regulation. Though the consulting and technology firm did flog that headline-grabbing number, the full story wasn’t really about compliance or lack of it. Instead, there’s the significance and opportunity that data protection presents for companies that embrace it.
GDPR was created by an act of the European Parliament and applies to data of all individuals living within the European Union or the European Economic Area.
Nothing like this before
Capgemini EVP of Capital Markets and Banking Sankar Krishnan says in an interview that he believes the percentage of noncompliant companies now, compared with when the survey was conducted in late March/early April, would probably be around 60%-70%. Further, he believes that the lack of readiness is not an indication of no readiness, but rather of incomplete readiness. Consequently he personally believes that there is unlikely to be an early rush of fines, unless a company were completely lackadaisical about the rules.
“There’s really been nothing like this before,” Krishnan says about GDPR. “It encompasses everything and the rules just say be ‘reasonably compliant’.”
He believes most organizations have good controls regarding data protection, but that the challenge is to address protection of virtually every piece of data that exists in the cloud, with vendors, in cookies, etc., in the same manner as is done with Social Security numbers, or even better than that. He believes it will likely be six to eight months before compliance is complete.
“The letter of the law was full compliance by May 25,” says Krishnan, “but as a practical matter, my personal view is that the regulators’ approach will be, ‘Do you have a process in place to monitor the data and make sure the data is protected, and are you able to react to a data breach?’”
Krishnan believes those fundamentals are in place for most companies, and so there may be some fines, but not on a widespread basis. “Most times, they give you a window,” he says, referring to the regulators. “But a failure to protect data will land anybody in trouble.”
An interesting finding of the Capgemini survey is that U.S. companies, which represented 15% of the companies surveyed, had the highest percentage reporting “Largely or completely compliant.”
Krishnan believes that’s because U.S. banks and other companies have already had to pay fines related to privacy and data protection and have been hacked, so they have moved to address the issue. He also says that U.S. companies are more global in nature and so the larger ones, at least, take GDPR very seriously.
“Perfunctory” misses a lot
The report presenting the Capgemini findings is entitled Seizing The GDPR Advantage—From Mandate To High-Value Opportunity. As the introduction states, “In this report we look beyond the compliance side of GDPR and uncover the latent opportunity that can help organizations gain individuals’ trust and competitive advantage.” It points out the pitfalls of treating GDPR simply as a regulatory exercise. Even so, the firm found that half the organizations surveyed are taking “a perfunctory approach” to the new data protection regime.
In surveying 6,000 consumers across seven European countries, Capgemini backed up its belief that GDPR is an opportunity.
It states, for example, that “When consumers are convinced an organization is protecting their personal data:
• Nearly half—49%—would share their positive experiences with friends and family.
• 40% have transacted more frequently with the organization.
• 39% have purchased more products.
• 39% have increased spending—as much as 24% more.”
Protect advocates (or they’ll ditch you)
Capgemini’s research identified three levels of consumers in terms of GDPR expectations:
• Data-indifferent consumers (45%). These are unaware of what GDPR means for them and indifferent to data privacy standards of organizations they deal with.
• Data-engaged consumers (34%). Consumers who expect above-average compliance standards.
• Data rights advocates (22%). Consumers who expect organizations to go the extra mile on personal data security and privacy. Such consumers will strongly promote organizations that do this and punish those that don’t. The survey found that 55% of this group will reduce their spending with organizations they see as non-compliant compared with 37% of all other consumers.
However, the advocates also reward companies with higher data standards: 48% will increase their spending with such companies by up to 18% on average.
About one third of the Data Rights Advocates are Millennials, Krishnan points out, who deal with digital all the time and expect very high compliance.
“Considering that the Millennial generation has 80% of the spending power,” says Krishnan, “no one wants to alienate this group.”
Close the gap
On average, 80% of executives surveyed by Capgemini believe that consumers trust organizations with the privacy and security of personal data. By contrast, only 52% of actual consumers express such trust.
Asked about that perception gap, Krishnan feels it’s because CEOs are relying on earlier research on consumer trust that didn’t specifically address data security. The issue is now front and center, however, thanks to numerous data breaches, Facebook headlines, and the general knowledge that with digital technology much of people’s lives is captured, stored, and used by many organizations. Even the term “dark web” has become common parlance.
Given all that, consumers are increasingly saying, “I’m going to go with institutions I trust,” says Krishnan.
They will pull their data
As depicted in the chart below, 57% of the surveyed consumers will take some action when they find a bank or other company they are dealing with is not ensuring protection of their data. The actions can include “porting” data, erasing it, or simply stopping doing business with the company.
Source: Capgemini Digital Transformation Institute GDPR Individuals Survey, March–April 2018
The survey probed more deeply into the issue of trust, seeking responses by various categories of organization. For banks the good news in the chart below is that they had the highest trust score (67%) among consumers, far ahead of internet companies such as Google and Facebook and e-commerce giants such as Amazon and Alibaba.
The likelihood of consumer requests for deletion of data varies quite a bit, as shown in the same chart, ranging from a high of 69% for physical retailers to a low of 45% for nonbank digital payment providers. Banks were on the lower end here at 49%. Again, only European consumers were surveyed.
How to build customer trust
The final section of the Capgemini report dealt with steps companies can take beyond simply complying with GDPR to win customers’ trust and loyalty. The report authors emphasized in particular the need to better understand the profile of the Data Rights Advocates. Though comprising only about a fifth of the consumer population, they have an outsize impact.
The chart below measures several specific initiatives companies are taking, or considering, to help gain consumer trust and how consumers view these initiatives.
As the report points out, the GDPR regulatory framework does not mandate the approaches shown in the chart, but they represent ways that companies are helping consumers exercise more control over their data.
For his part, Sankar Krishnan strongly believes that GDPR over time will help make the world a better place given the many threats to data security and privacy. He gives credit to the European Union for pushing the regulatory framework forward. Over time, he says, “it will make a lot of us feel better.”