GDPR and Data Integrity and Governance
On May 25th, 2018 the EU’s General Data Protection Regulation (GDPR) became enforceable. Now, one year on, the tentative returns are in. So what does this mean if you’re in the business of cloud transformation and responsible data deployment? GDPR put a spotlight on data integrity and governance. Where processing relies on consent, the regulation requires an explicit opt-in when people register for websites, apps or browser-based services, and that consent must be as easy to withdraw as it was to give. GDPR also gives individuals the right to access their data, to object to a company processing and using it, and to have it erased if they wish. To stay compliant, any company that processes the personal data of people in the EU, wherever the company itself is located (and, if the proposals discussed below become law, companies in the US as well), needs to know exactly what personal data it holds, where it came from and on what basis it may use it. Violations are met with steep financial consequences: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
GDPR Penalties for Non-Compliance
Supervisory authorities across the EU have received over 59,000 personal data breach notifications in the past year. According to the European Data Protection Board, 206,326 cases were reported by supervisory authorities in the first nine months of the GDPR’s application. In the same period, supervisory authorities in 11 countries issued administrative fines totalling €55,955,871. The vast majority of that total is the €50 million fine France’s CNIL issued to Google in January 2019.
Breaches continue even though businesses all over the globe have substantially cut both the data they collect and the data they use for marketing purposes. For example, as a result of the GDPR, the use of tracking “cookies” on UK sites has dropped 45 percent.
Who Does the GDPR Apply To?
Hybrid cloud databases are affected by the GDPR like any other store: the regulation follows the data subject, not the storage architecture, so any system holding personal data of people in the EU is in scope whether it runs in the cloud, on-prem or across both. Data from the EU will feed the cloud and on-prem databases of any eCommerce company and, in turn, of any processor or partner in that ecosystem that receives the data. For example, suppose a French apparel retailer runs a hybrid cloud database holding consumer data from its own stores as well as purchased aggregated data sets.
GDPR In Action
Now let’s say that the retailer wants to launch a digital marketing campaign that targets women aged 55+ in the top income decile.
Pre-GDPR, that company could query its hybrid cloud for exactly that report and then use the results to target consumers with email or retargeting campaigns without asking anyone. Post-GDPR that practice is unlawful unless the retailer can point to a lawful basis for it, which for this kind of targeted campaign means explicit, purpose-specific consent. Today, companies must ask for and receive that consent before using personally identifiable information (PII; “personal data” in the regulation’s terms) and are prohibited from using it if they don’t have it. The data subject also keeps an unconditional right to object to direct marketing at any time. If consent was given at one point, the company must be able to show that it has not since been withdrawn, because withdrawal takes effect from the moment it is made.
Most companies are still building the policies and infrastructure needed to account for the GDPR. Data virtualization is a central part of those infrastructure changes: consumers of the data query a single governed access layer instead of receiving their own copies of PII, so the data is not duplicated, moved or manipulated across systems, and every access can be traced back to its source. That is a real governance gain, but it is not anonymization, and it does not make the underlying processing lawful on its own. The virtualized layer still exposes personal data, so it still needs a lawful basis, access control and a way to honor consent withdrawal and erasure requests. What virtualization buys is that those controls have one place to live instead of one per copy.
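Here is how the consent gate in the retailer scenario above can be enforced at query time rather than by policy alone. This is an added example, not code from the original article or from any product it describes. The in-memory SQLite store, the table names and columns, the sample customers and consent events, the campaign year and the pseudonymization key are all constructed assumptions standing in for the retailer’s hybrid cloud database and its key management.

```python
"""Consent-gated audience selection for a targeted marketing campaign.

Constructed example: an in-memory SQLite database stands in for the hybrid
cloud store. Schema, sample rows and the key below are assumptions.
"""
import hashlib
import hmac
import sqlite3

# Key held only by the controller; stands in for a KMS-managed secret (assumption).
PSEUDONYM_KEY = b"example-only-do-not-use"

SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    gender TEXT NOT NULL,
    birth_year INTEGER NOT NULL,
    income_decile INTEGER NOT NULL
);
-- Append-only ledger: every grant and withdrawal is kept, never overwritten,
-- so the controller can prove what consent existed at any point in time.
CREATE TABLE consent_events (
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    purpose TEXT NOT NULL,
    action TEXT NOT NULL CHECK (action IN ('granted', 'withdrawn')),
    ts INTEGER NOT NULL
);
"""

# Constructed sample data: four customers, three of whom match the targeting.
CUSTOMERS = [
    (1, "a@example.com", "F", 1958, 10),
    (2, "b@example.com", "F", 1990, 10),  # too young for the campaign
    (3, "c@example.com", "F", 1950, 10),
    (4, "d@example.com", "F", 1955, 10),  # never consented to marketing
]
CONSENT_EVENTS = [
    (1, "marketing", "granted", 1000),
    (3, "marketing", "granted", 1000),
    (3, "analytics", "withdrawn", 2000),  # other purpose; must not affect marketing
]

# The targeting criteria and the consent check live in one query, so there is
# no code path that returns a PII row without first passing the consent gate.
AUDIENCE_SQL = """
SELECT c.id
FROM customers AS c
WHERE c.gender = 'F'
  AND (:campaign_year - c.birth_year) >= 55
  AND c.income_decile = 10
  AND (
      SELECT e.action
      FROM consent_events AS e
      WHERE e.customer_id = c.id
        AND e.purpose = 'marketing'
        AND e.ts <= :as_of
      ORDER BY e.ts DESC
      LIMIT 1
  ) = 'granted'
ORDER BY c.id
"""


def build_db():
    """Create the constructed store with the sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO consent_events VALUES (?, ?, ?, ?)", CONSENT_EVENTS)
    conn.commit()
    return conn


def record_consent(conn, customer_id, purpose, action, ts):
    """Append a grant or withdrawal; the latest event for a purpose wins."""
    conn.execute("INSERT INTO consent_events VALUES (?, ?, ?, ?)",
                 (customer_id, purpose, action, ts))
    conn.commit()


def select_audience(conn, campaign_year, as_of):
    """Customer ids matching the campaign that had active marketing consent at `as_of`.

    A customer with no marketing event at all yields NULL from the subquery,
    which compares unequal to 'granted' and so is excluded.
    """
    rows = conn.execute(AUDIENCE_SQL,
                        {"campaign_year": campaign_year, "as_of": as_of}).fetchall()
    return [row[0] for row in rows]


def pseudonymize(customer_id):
    """Keyed pseudonym handed to the campaign tool instead of the raw id or email."""
    mac = hmac.new(PSEUDONYM_KEY, str(customer_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


if __name__ == "__main__":
    db = build_db()
    print("audience:", [pseudonymize(i) for i in select_audience(db, 2019, 5000)])
    record_consent(db, 3, "marketing", "withdrawn", 6000)
    print("after withdrawal:", [pseudonymize(i) for i in select_audience(db, 2019, 7000)])
```

Two design points matter here. The `as_of` parameter makes the selection reproducible: if a data subject later complains, the controller can re-run the query with the campaign timestamp and show what consent existed when the audience was built, which is the demonstrability the regulation asks for. And the campaign tool receives only keyed pseudonyms; under the GDPR pseudonymized data is still personal data, so the key and the step that maps a pseudonym back to an email address must stay inside the governed layer, not travel with the audience list.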
The EU Data Economy Has Taken A Hit
It’s much tougher to do business of any kind in the EU, especially if it involves aggregating or sharing data. According to Mediapost, EU technology firms have suffered double-digit declines in venture funding relative to U.S. companies since GDPR took effect. Specifically, there has been a 17.6% decrease in the number of EU venture deals and a 39.6% decrease in the dollar amount per deal following GDPR implementation. Startups have been hurt the most. For companies three years old or less, there has been a 19% decline in the number of deals. Add to this the cost for US companies. A PwC survey of 300 companies that have EU operations found that 88% reported spending more than $1 million on GDPR preparations and 40% reported spending more than $10 million.
Among the companies that have stopped operating in the EU due to the GDPR: Roku, Xbox, Williams-Sonoma and Pottery Barn.
The GDPR Could Come to The US
Talk of a US federal privacy bill has been swirling since the GDPR was adopted in 2016. California is already ahead of the game with the California Consumer Privacy Act (CCPA). It goes farther than the GDPR in one respect: it requires companies to stop “selling” people’s data upon request at any time, and “selling” is defined broadly, covering “disclosing, disseminating, making available, transferring” personal data for valuable consideration, and more, which leaves plenty of room for interpretation. Many large companies don’t sell user data outright, but they do use it in programmatic ads, customized recommendations and internal reports. Facebook and other large companies argue that an intermediary is not a vendor. Pairing consumer data with targeting algorithms is not in itself against the GDPR, which regulates profiling rather than banning it. But the CCPA puts the definition of the “intermediary” that matches advertisers to consumers through complex targeting algorithms squarely at issue.
Bottom line on GDPR to date
GDPR’s first anniversary has put a spotlight on two things: 1) consumers generate less data as a result, and 2) the business cost is substantial for companies that don’t comply and a risk for those that aren’t taking steps toward better data integrity. Those two forces will be at odds as the US discussion continues. However, even without strict regulation, the best way to enforce data integrity is effective governance and compliance, with data virtualization as one means of achieving it.