Today we are seeing significant debates on free markets versus regulatory actions on a wide range of business topics ranging from electricity and net neutrality to health care and consumer protection. At times, it’s highly polarized, with reversals depending upon which party or body is in the majority.
In my last column, I stated that the General Data Protection Regulation (GDPR) is already being touted as “the most important change in data privacy regulation in two decades.” Going down the list of compliance checkboxes has improved security and privacy, but it has not yet changed behaviors radically enough. We must consider the solution in the context of the markets and individual forces, each with its own priorities. As a CEO, I push my employees to think from the vantage point of the customer, partner, other departments or competing forces. That’s exactly where all parties need to start in order to negotiate, in a diplomatic and fair manner, the best, most practical privacy legislation.
In the case of data privacy, there are three stakeholders — businesses, government and consumers. Who will sort out all their factions, perspectives and needs? That’s where the new, mandatory position of the data privacy officer (DPO) comes in. Every major company needs an executive DPO whose goal is to find the most beneficial ground intersecting these groups.
Understanding What All Parties Need In The Privacy Debate
To be an effective diplomat, the DPO must look at all sides and respective scenarios that illuminate potential paths in today’s dynamic, technology-driven business environment.
Business — The Free Market
First, let’s consider what businesses want — economic success, money, growth and market share. Regardless of the ideals, without economic success, businesses cannot pay employees or build a product or service, and they will not survive. A free market works and is validated when no one competitor gets so big that it can control the market. Markets need enough regulations to keep competition fair.
But how much regulation is too much, and can the market regulate itself? In many ways, it depends on how transparent business practices are, so they can be ideally reported openly to consumers. Long before Mark Zuckerberg testified on Capitol Hill on behalf of Facebook pertaining to privacy issues with Cambridge Analytica, the free market, influenced by citizen outrage and driven by media coverage, was forcing a change in regulation at the company. When market forces speak, it’s in the best interest of the companies to listen. Cambridge Analytica filed for bankruptcy a week before GDPR went into effect, symbolizing the way market forces pressure industry actions before regulations do.
Government And Regulators
Government and regulators ultimately want stability, order and the funds to fuel programs. The direction can vary depending on political affiliations and doctrines. Some may feel that less oversight leads to business growth, while others may feel that less oversight encourages greed and manipulation of consumers and markets that reduces stability or revenue. Ultimately, good corporate data hygiene, service to customers and revenue are the goal of any party.
Government and regulators believe that economic incentives and penalties will ultimately be the stick or carrot to drive change — ranging from tax breaks and sector investments to fines, including the large ones imposed by GDPR. Governments are starting to realize that less friction in processes and red tape can be good for both citizens and the bottom line. The European Union claims that GDPR will save €2.3 billion per year across Europe, saying that by unifying Europe’s rules on data protection, lawmakers are creating a business opportunity and encouraging innovation.
Regulations do work. In 2008, the Troubled Asset Relief Program (TARP) averted a repeat of the Great Depression of the 1930s. More recently, the government also rescued the American auto industry. Ultimately, there needs to be pressure via penalties and incentives working together in the right mix.
The fulcrum between business and government is consumers or citizens. Until now, Americans had brushed off NSA surveillance and government access to digital data, thinking, “Who will go after me? I have nothing to hide.” Recently, there has been a significant change in the role citizens play in shaping the market and regulation around the internet and privacy. The Facebook/Cambridge Analytica scandal made people realize that their data is valuable — they are becoming more self-conscious about who is taking the data, why and to whom it’s going.
Consumers will help motivate government and businesses to become more collaborative. According to Gartner, by 2021, organizations that protect their customers’ privacy will generate 20% more revenue than those that don’t. For corporations, what is viewed as a necessary evil will become a competitive advantage.
Data Privacy Officer’s Diplomatic Role
I relate the DPO’s role to that of a newspaper ombudsman, but more proactive. Ombudsmen investigated complaints in reporting, or openly reported errors and corrections. They answered to editors, publishers and regulatory or legal requirements around libel or slander. They found the “fair” ground, sometimes completely in line with a complainant or the paper, but often somewhere in between.
When it comes to the internet and data privacy, the DPO is that critical liaison to establish best practices in an ever-changing internet landscape. Since the EU’s adoption of GDPR, demand for DPOs has been steadily increasing. The DPO will work with officials to create regulations that make sense for all parties, determining what is personally identifiable information (PII) in the mounds of data within an enterprise, finding a way to protect the data at all times to reduce the risk of being fined, monitoring regulatory updates to inform companies, training employees on privacy regulations and the procedures necessary for compliance, and assisting companies with system audits for compliance with data privacy laws.
Like the ombudsman, the DPO is the internet’s new diplomat who can offer a treaty for privacy in the internet age and help implement the processes and technologies to enforce that treaty.