18 May 2018
The relatively new European General Data Protection Regulation (GDPR) regime is difficult and costly, particularly for large, complex organisations.
Multinationals and any business or organisation with operations in the European Union or that targets individuals within the EU must comply with these new rules, irrespective of where they are based.
A further challenge for these organisations is that the global regulatory landscape is not static. In fact, GDPR appears to be just the beginning of a new wave of data privacy regulation.
The penalties for not complying can be significant, with fines of up to 4 per cent of global turnover issued from any one of the 28 member states. Google recently felt the wrath of the French regulator with a €50 million fine for failing to provide an adequate level of granularity in consent around personalised advertising.
Over the last 12 months we have seen a raft of new legislation passed or proposed, all styled on the GDPR. Brazil and California have both passed laws modelled on the GDPR, while India and Thailand have bills pending which are very similar in flavour.
In Australia, the Senate passed a motion put forward by the Australian Greens calling for GDPR-styled legislation. In December last year, the Australian Competition and Consumer Commission released a Digital Platforms Inquiry draft report, with a number of the recommendations around data privacy very similar to the spirit of the GDPR.
All these laws and recommendations are in response to the exponential growth of data capture and the ability of big data technologies to process and use this data for commercial purposes. Most people will have noticed the ‘creep’ factor increase in their daily lives – for example, with coincidental advertising appearing in social media streams following a random Google search.
The Facebook-Cambridge Analytica scandal last year provided great insight into the use of personal data to influence individuals based on their personal preferences. This included targeting individuals who wore ‘Wrangler’ clothes as potential Republican voters, while those who preferred ‘Abercrombie & Fitch’ were more likely to vote Democrat during the 2016 US Presidential election.
The GDPR is a response to this invasive use of data by ensuring an individual’s fundamental rights for data protection and fairness are central to the decisions and actions of the data controllers and processors.
Interestingly, large organisations like Microsoft and Apple see enhanced data privacy in a positive light. Their CEOs are driving a deliberate public message arguing for stronger and more consistent data privacy laws globally.
Although the cost of compliance is significant, enhanced data privacy practices will ultimately drive a higher level of confidence from customers. Individuals should trust the data they provide will be held securely and processed fairly.
Banks are uniquely placed to strengthen this trust through an inherent focus on strong compliance and secure technology.
If data is the new oil, trust is the pipeline to enable this to flow in the interests of all.
Owen McMahon is GDPR Program Director, Enterprise Data Governance
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.