Recently I’ve had a real spike in calls from people I advise. Those serving as Chief Executives or as members of boards that operate internationally have been getting their heads around GDPR. Some feel like they’re tilting at windmills.
The General Data Protection Regulation, GDPR for short, goes by many local names in the various countries in which it is being implemented. But the idea behind it does not change with the language it is written in.
Now, it should be said that Data Protection is not my core area of expertise, but that’s what happens when you’re a trusted advisor: people turn to you as a sounding board. Why? Because a strategic advisor can help you clarify your thinking – and also identify when to seek out other / additional specialist advice. In other words, my role in this context has been more about helping people think through the right questions to ask.
Before we get into that, let’s focus on what I think is the core idea (hinted at above) within this regulation…
The Golden Rule
The G and R in GDPR could arguably stand for Golden Rule. It is a timeless concept crossing many cultures, and here are just three quotes bringing the idea to life:
“Avoid doing what you would blame others for doing.” – Thales (c. 624–546 BC)
“What you do not want to happen to you, do not do it yourself either.” – Sextus the Pythagorean
“Do not do to others that which angers you when they do it to you.” – Isocrates
You can find many more on the extensive Wikipedia article dedicated to the Golden Rule.
With that overall ethos in mind, I thought I’d share some of the questions my clients have found useful.
Three strategic questions for CEOs and board members
- Can I explain to others, in simple terms, how we use personal data in our organisation? You might not be Zuckerberg, but you’re still expected to know the answer – even if you’re never invited to a US Senate hearing, or indeed to the European Parliament, and live-streamed across the globe.
- Turning to the person next to you in the boardroom – and on the front line: Which, if any, of our current data handling practices make you uncomfortable? If something makes you pause and shift in your seat, then it probably isn’t right. Speak up.
- Longer term, is the Golden Rule articulated in our company vision, mission and values in a way that both I and my colleagues (from boardroom to front line) can draw on it to inform decisions? This will help you with GDPR – and also much more broadly. You may also want to explore whether to have an explicit Code of Ethics to help guide activities.
And a quick tactical risk – which can have strategic implications
One person who called said:
“[I’m a Chief Executive and] I go to a lot of events, trade fairs and forums. I go through business cards like there is no tomorrow. When I get back to the office my personal assistant enters all of these into my address book – and also onto our company mailing list. No change here, right?”
The short sharp answer is all change, all change. And the slightly longer answer is: that wasn’t good practice in the first place and now it is downright problematic.
Why? GDPR or not, people generally give other people business cards with their name, address and phone number because they’re trying to establish a 1:1 relationship. The exception is of course the proverbial bucket where you might be entered into a draw for an Amazon or other type of voucher, but let’s leave this aside for the moment.
Now why might this have strategic implications? Because GDPR effectively ‘resets’ your inbox. Only people with explicit permission can now send you stuff, including newsletters.
Enforcement – but not from the regulator
A fair number of people quite rightly say that it is unlikely that a regulator will turn up and fine them, especially if they are trying to do the right thing (even though a percentage of global turnover is in play). Nor do many believe that a regulator will turn up with a cease and desist, halting business altogether.
Sure. The number of organisations exceeds the reach and scope of all the world’s regulators, even if the regulators put their minds to it.
However, what if I told you that the most likely direct impact won’t come from a regulator? That ordinary, regular folk have the ability to significantly disrupt your business in the very short term?
How? Well, if your business has any scale, it most likely uses some sort of third-party platform to manage mailings. It only takes a handful of people to report you for spam to, for example, Mailchimp. They’re more likely to do this now that they’ve spent a couple of weeks opting in, opting out…
What happens next? Mailchimp, which does not want to be party to non-compliance, will most likely suspend your company’s account. And you might not get it back. That might sound like a minor blip, yet it could turn out to be a reputational and commercial nightmare, because all it takes is a handful of reports to set off the alarm bells.
To that end I invite you to review the three questions above.
Meanwhile, if you need help with clarifying conversations like this at board level, then you know where to find me.
If on the other hand you already have clarity that something is amiss, then a closer look at your company’s values and ethics might be timely. And like any good strategic advisor, I have a suggestion for a book to read and someone to call – in this case one of my own clients, no less. Ruth Steinholtz of AretéWork happens to be an international expert in this arena and is topical with a new book on Ethical Business Practice. If you’re operating internationally you may also find the recent report on trade from the International Chamber of Commerce useful.
Good luck and all the best with the Golden DP Rule either way.