"Nothing." That is my honest answer to the (now well-worn) question: what should we do as a company to be ready for the GDPR legislation? So nothing? Nothing. Or at least that's what I hope. Because anyone who is building lasting relationships with customers, employees, users and other stakeholders already should know that what is dictated by GDPR is obvious.
Either you are already on the right track. In which case: congratulations. Or a radical change of course is required. And by that I don't just mean tinkering with a privacy statement, hidden away somewhere at the bottom of your website.
“Why a change of course?” I hear you thinking. Let's just zoom out from this apparently legal matter and talk about something that many CEOs are more familiar with: the mission of their company.
According to Facebook, its mission is "to bring the world closer together". Well worth pursuing, and I don't doubt that the many examples that Mark Zuckerberg gave in the European Parliament illustrate this noble goal. But lately, Facebook has been mainly associated with misleading the public, polarization and what can be described as the biggest wave of mistrust ever.
At the moment, no one knows exactly how much damage the Cambridge Analytica scandal has done to Facebook. But damage? It has certainly happened. Reputation – that intangible thing which gives you the legitimacy to run the business and so achieve the company's mission – is incredibly unfair: it takes years to build but can be destroyed in a moment. One false move and you are back to square one. As long as it's just words, a company's mission is actually nothing more than an empty promise.
And that's a shame. It undermines the credibility of company missions and fuels mistrust, and all this when authenticity is in fact becoming more important than ever.
Clicking “I agree” is not new
So now to GDPR. I think it is a moment of truth for organizations that acquire a lot of personal data. Strictly speaking, this is new legislation. A matter of “just calling the lawyers”. But there is a fine line between what you are allowed to do – the letter of the law – and what you ultimately decide to do.
This is mainly about very practical choices, with real consequences. What you do not want, for example, is users feeling that their privacy is being violated, even though they may at some stage have given their permission in an incomprehensible document.
In a recent study, Boston Consulting Group (BCG) calls this “data misuse”: the legal use of personal data which is perceived by consumers as, at best, unpleasant.
What does this mean in practice? You may also be irritated by algorithms that – though anonymously – analyse your e-mail traffic in order to show you adverts for rental cars or holiday homes for your next travel destination. That is the whole point. Consumers are getting tired of this. In the same study, BCG indicates that in times of growing distrust, continued misuse of data can lead to revenue declines of 10 to 25%.
So legal is not necessarily OK, which of course we understand. But even if we think we have good intentions towards our stakeholders – think again. Bloomberg recently noted that when tech companies think they are informing their users they are in fact confusing them. Users lose track when the same passage of the terms and conditions of use refers to account settings, privacy settings, notification settings, and application settings (complete with accompanying URLs) – all of which are being updated.
What is expected from the user? That he or she understands the difference between all these things, and looks into everything in detail – and probably even from a mobile device? Legal? Yes. Reasonable? Hardly.
GDPR is not about updating all your privacy documents and e-mailing these to your users to get them to click "I agree" as quickly as possible. We already did this before, and there was little benefit to users. What does help is explaining to customers in their own language what you do with their personal data, and that this is in their own interest. The other way out – if you cannot make such a claim – is to adapt your practices.
Better safe than sorry
If an organization nevertheless runs into difficulties with a violation of GDPR, then the fine (4% of the revenue for large companies) is actually the least of its worries. In the case of Facebook, a fine based on their revenue from 2017 would amount to no less than $1.6 billion. Even though this is hardly peanuts, the reputational damage is even more serious.
For example, during the Cambridge Analytica scandal the stock market value of Facebook was hit hard and lost $100 billion, but it has since recovered. However, there will come a day when users will have had enough of the phrase "If something is free, you are the product" and Mark Zuckerberg's many apologies as an excuse for continuing to let their privacy be abused.
So the priority for organizations should not be to avoid fines, but to maintain their integrity. After all, the application of GDPR says everything about how organizations regard their stakeholders. Are their interests a priority or do they simply fade into the background?