Daragh O Brien has a message for companies as the European Union's May 25 General Data Protection Regulation deadline approaches: GDPR is your friend. As head of the Castlebridge consultancy in Dublin, O Brien leads efforts to bring information quality and data governance to bear on data issues, including the issues of data privacy highlighted in GDPR. As a longtime advocate for information quality, he does not, in his words, "come to this party new."
The GDPR legislation is meant to give consumers more transparency into corporations' use of their data. The regulation requires that consumers expressly consent to how their data is used and allows them to request that personally identifiable data be erased. As the GDPR deadline on compliance nears, organizations are obliged to set up processes to show good faith in meeting the requirements. The regulation affects not only European companies but also companies doing business in Europe, and violators of GDPR requirements could face hefty fines.
In an interview, O Brien said that yes, GDPR's view on privacy rights places new attention on how companies handle data. In his estimation, though, that's a good thing.
If I am part of a company, let's say, in San Diego, what should I be doing? The GDPR deadline is looming.
Daragh O Brien: The law is currently in effect. But we are in the sunrise period at the moment. On the 25th of May, the law comes to be enforced. If you are a company headquartered in San Diego, for example, the first thing I'd say is, don't think of this as a regulatory burden. Think of this as an opportunity to create something valuable for your brand, where you can differentiate yourself from your competitors. Then think about your core processes. What are you doing with customers, and what core information are you recording to do that? Then write that down.
Then write down the basis under which you are using that data. Is it about, say, fulfilling a contract, or because of legal requirements under a tax law? Then, you might want to look at your transfer mechanisms for transferring data across borders. Are you going to create privacy fields? Are you going to build something into your contracts with customers? But first and foremost: Don't think about just serving the European market to a higher standard. Think about serving all your customers to a higher standard.
The EU's work on GDPR seems to spring from a very different worldview than that of U.S. companies also facing the GDPR deadline. Why is that the case?
O Brien: In Europe, we view data as part of the person. In the U.S., particularly in the last 30 years or so, data has come to be viewed as currency. That is, something involved with the exchange of goods or services. Whether the latter is a valid model or not is something that history will tell. In Europe, we recognize that issue more clearly than the U.S. has.
Still, GDPR in Europe is a case of evolution rather than revolution. The underlying principles of GDPR are not new. They have been the law for over 30 years. This is simply a clarification, or a restatement of fundamental principles.
Privacy rights like those focused on in light of the GDPR deadline seem to have come to the fore as social networks monetize user data. In Europe, Facebook's operations have been a special matter of controversy. Why?
O Brien: If you look at Facebook, since they launched in Europe, they have been subject to criticism by regulators and by privacy activists. It's about their business model and their way of operating. Just recently, they have been cited for making changes to their policy without having the appropriate transparency about the changes, because they were setting things up to a default opt-in, rather than leaving a meaningful choice for the individual.
So often, it appears that, if you want to play in Facebook's farm, you have to pay your toll to the farm manager. One of my colleagues likens it to the mining communities in the gold rush, where miners were at the mercy of the company store. You can use Facebook, but they know all of this about you -- and they can change their privacy settings at their whim. What Facebook is finding in Europe is that they are running up on fundamental principles of consumer fairness and privacy rights that are ingrained in European law. We are also seeing consumer kickback in the U.S.