In the lead-up to the EU General Data Protection Regulation (GDPR), marketers speculated about the regulation’s true impact. Organizations around the world divided into two distinct camps: the “wait-and-seers” and those scrambling to comply with the data privacy provisions being put into law.
Fast forward a year: which camp was right?
Heavy on Complaints, Light on Fines
At first glance, the wait-and-see crowd seems to have been vindicated. While much was made of the GDPR’s potential fines and penalties (a primary driver for many of those who proactively pursued compliance), to date few organizations have suffered any. That is despite numerous complaints reaching EU authorities.
Fines from data breaches and privacy violations have been so few that, beyond Google getting a $57 million fine under the GDPR, infractions haven’t yet cost organizations serious money. This lack of consequences has many questioning whether efforts to shore up privacy and security were all for naught. Is the GDPR all bark and no bite?
The simple answer is no. Organizations that interpret the absence of fines as the GDPR lacking teeth should keep the following in mind:
- Investigating data privacy violations takes time. It’s not as simple as receiving a complaint and imposing a fine a couple of weeks later. Investigations require interviews with key players from the suspected organization and perhaps even an audit to determine if and how it was in violation. So, in short, the fines are coming.
- Moreover, the GDPR’s real bite isn’t in monetary fines but rather in the related reputational damage. Every complaint levied ought to be regarded as an unhappy customer. If customers can’t trust a company with their personal data, how long are they apt to remain customers? Consider that a quarter of Americans deleted the Facebook app from their phones in the wake of the Cambridge Analytica scandal, according to a Pew Research Center study.
Put in a more positive light, research by Columbia University found that three in four consumers are more willing to share personal data with brands they trust. Such information, when used appropriately, helps companies better serve their customers and build further loyalty.
The Path Forward
For the sake of their brands, and to avoid the fines that will eventually result from violations, it is time for the GDPR laggards to embrace compliance. Organizations across the compliance spectrum would be wise to evaluate their current data governance programs and adjust to the realities of tighter privacy controls. It will take work. It will cost money. But becoming GDPR compliant is the right thing to do—and customers will reward them for it.