By William Ball
If you’ve not heard the term ‘GDPR’ before, it stands for General Data Protection Regulation, and it’s a new European regulation on data protection, due to come into force on 25th May this year. It replaces the current Data Protection Act (DPA) and is aimed at enhancing data protection for all of us in a new and fast-moving digital and social media era.
Any organisation providing goods or services to, or monitoring the behaviour of, individuals in the European Economic Area (EEA) will be affected, as they will be processing an individual’s personal data. This means GDPR affects many global companies, such as Amazon and Google, even if their head office is not based in Europe.
GDPR is all about the customer
To get an appreciation of how GDPR will affect companies, think about it in the context of you, as a consumer.
Unless they have a legitimate reason to contact you (such as administering your account), companies will no longer be able to email you unless, at the time they collected your data, they explained why they wished to contact you and you expressly gave your permission. They also won’t be able to ‘profile’ and target you based on marketing assumptions.
The current data protection rules don’t go this far, so many companies won’t have the right customer permissions in place to send promotional emails after the 25th May deadline. (Interestingly, these rules don’t affect postal mail, so you can expect an increase in letters through your door!)
Companies will also need to justify the data they hold about their customers, and if they don’t need it, they must destroy it. As a customer, you have various rights, such as the right to be forgotten, the right to object to data processing and the right to see the data a company holds on you.
The risk to business
All of this has a significant effect on the advertising and marketing capabilities of businesses, not to mention the cost of tidying up their data and modernising their IT systems. If they don’t get it right, they could be fined up to 4% of annual global revenue, or €20 million – whichever is greater.
Of course, fines will impact some businesses more than others. Compare Microsoft and Equifax: in both cases a fine would amount to approximately 1% of their market capitalisation. Based on operations in the past fiscal year, the maximum fine for Microsoft amounts to around 10% of its cash flow, but for Equifax it would amount to 43%.
So, for some companies, the financial incentive to get this right is slightly less significant than for others. But large companies are not immune to the effect of negative PR, and the impact that can have on their brand equity and, ultimately, their bottom line. Just ask Mark Zuckerberg of Facebook, who saw $95 billion wiped off the value of Facebook shares in just over ten days, and could be counting the cost of that data breach for some time to come.
When it comes to significant regulatory change, investors should primarily be concerned with how GDPR may (or may not) change the fundamentals of the businesses they’re invested in. We think it should ultimately be a good thing for companies, assuming they abide by the rules. It will protect them from future data breaches and, particularly for technology firms, it increases the barriers to entry and costs for new competitors to enter the market.