May 25, 2017
It's May 25th, and if you've been following along with our published research, you know that today marks a very important milestone: you have 365 calendar* days to bring your organization into compliance with the EU's General Data Protection Regulation and the as-yet-unfinalized (!!!) ePrivacy Regulation.
I spoke with Victor Milligan and Jennifer Isabella, the hosts of Forrester's What It Means podcast, about GDPR this week. We went deep on the regulation's implications for all multinational marketers, and how to break the inertia so many firms are experiencing around preparedness. Have a listen here, or download it from iTunes (or your favorite podcast app).
But there is one major issue that we didn't really get to cover that I want to discuss here — firms that fail to prepare for these new privacy laws will be the ultimate weak link in their organizations' supply chain, and will put critical business relationships at risk. Consider this:
- Data processors bear joint liability, so they won't work with you if you aren't compliant. This includes vendors like cloud service providers, marketing technology vendors, agencies, and more. If your firm fails to collect, manage, and handle European subject data in accordance with GDPR and ePrivacy, why should they expose themselves to a massive fine in order to win your business? Many of these vendors are already on the path to GDPR readiness themselves, and as they hire data protection officers (DPOs) and run their privacy impact assessments (PIAs) they'll be reevaluating their risk tolerance as it relates to clients, too.
- And if you're a non-compliant data controller or data processor? Prepare to lose most of your multinational customers. These clients simply won't have the luxury of choosing whichever vendor they prefer from a Forrester Wave anymore — their DPOs and CISOs are going to require that every vendor that comes in contact with any customer data — from device IDs to social security numbers — is compliant with GDPR and ePrivacy. The requirements will be written into every RFI and RFP by the end of this year, and your firm had better be able to check that box (pun intended!).
- Finally, if you think GDPR doesn't apply to you, think again. Sure, some North American firms are betting against extraterritorial enforcement, and have decided to maintain the status quo of data collection and use. We think that's a huge mistake. First of all, North America and Europe will always be important trade partners, as evidenced by the frantic negotiations to replace Safe Harbor last year. Second, the Congressional overturn of the FCC's privacy rules has inspired a spate of state legislatures to draft their own consumer privacy laws. The global tide is turning towards better protections for consumers and their data — every firm, irrespective of its geography, should be using GDPR to future-proof its data practices, and bring them in line with regulator and consumer expectations.
*It was pointed out by Daragh O'Brien on Twitter that this means there are 261 WORKING days, and that's without accounting for public holidays.