
The Privacy Advisor | The Business Impacts of the General Data Protection Regulation: Part One




In the first of a three-part series on the people, process and technology impacts of Europe’s forthcoming General Data Protection Regulation, Steve Kenny looks at people and a rationale for evolving risk management philosophy.


The principal constraint on data monetization—privacy regulation—is being overhauled by European institutions, with changes likely to take effect within two to three years. If an organization is doing business in Europe, it’s very probably affected. Unprecedented penalties, fines and litigation are on the cards, along with a higher compliance bar and more constrained business practices.

This significantly harsher environment particularly affects business models dependent upon data. When the threat of losing access to data can cripple a business, a decision framework and organizational culture need to emerge to manage the risks of not optimally exploiting data.

Tone from the Top

Leaders of data-intensive, customer-facing organizations are arriving at an impasse between higher shareholder data-monetization expectations and a material increase in potential privacy exposure from turnover-based fines and litigation from a European court system empowered by collective action.

This very real development will differentiate management teams in their ability to chart a course, avoiding both paralyzing effects on innovation and uneducated risk-taking predicated on clear to marginal noncompliance not being punishable in the long term.

Neither end of that fear-to-foolishness spectrum delivers sustainable shareholder value. But that’s not all. It’s people who drive the innovation agenda. Vanishing points between consumer wishes and ethically right choices go to the very purpose of what a data-intensive organization stands for. Privacy-violating companies don’t help themselves in today’s competition for and retention of key talent: Increasingly, such cultures will be perceived as disingenuous by those who count.

A general characteristic of leadership is an ability to consistently demonstrate behaviors balancing up and downside risk. In data privacy, that translates to zero tolerance of exposure and enabling optimal long-term monetization potential.

An Emergent Privacy Risk-Management Philosophy

Over the coming months and years, institutional investors are increasingly likely to look both more closely and unfavorably on either unconstrained or ineffectually constrained data strategies. Up and downside risks are different, but their symbiosis must be managed through capabilities and behaviors in order to deliver the full potential of data in a radically changed operating environment.

If data risk is a two-headed dragon, harnessing it requires both aligned skills/attitudes and a decision framework from which business transformations evolve. At the heart of that framework, we see the philosophy of constraint-based thinking.

Simply, opportunities (size and quality of the underlying asset, the analytics ability to extract insight and the enduring franchise to monetize), once calibrated against constraints, deliver sustainable monetization while avoiding exposure. (See Figure 1.)

Figure 1: Long-Term Data Value Creation


With the consequence of constraints set to markedly increase, the intelligent application of how they drive risk management data strategies becomes key. Figure 2 depicts four organizational grid positions and an implied market pressure to take more controlled risk, denoted by the dotted arrow.

Figure 2: Constraint-Based Thinking Grid


Transformation programs drive perpetual upward and rightward movement on the grid. Transformations are also purposed in optimizing data potential for the benefit of a broad constituency, including but not limited to shareholder value measures. Tapping the intrinsic motivation of integrity found within the concept of privacy can protect against change fatigue and ultimately result in building the customer behaviors that drive customer advocacy.

Creating and Maintaining Capability

It’s evident that privacy, marketing, risk, technology, legal and compliance leaders who unlock opportunities by optimizing this new doctrine of risk management demonstrate great skill. Leaders frequently demonstrate an intuitive understanding of the customer: People are aware that they share data related to their emotions, behaviors and beliefs in many aspects of their lives. Insights here are culture-, context- and demographic-specific but ultimately underpin judgment on external monetization and internal insight strategy and what data is best kept entirely private.

Enhanced governance and exploitation capability also tends to enhance the corporate contribution to society. Privacy being rooted in notions of freedom is a powerful construct to galvanize teams, achieve organizational cohesion and provide a sense of purpose and individual renewal. The advancement of consumer sentiment is also a trend stimulating privacy-preserving strategies to upgrade existing services and innovate disruptive new ones as in the example of vendor Ghostery. With regulatory change combining with evolving consumer sentiment, we can expect entirely new forms of competitive advantage to be found in combinations of data exploitation and data governance.

The privacy-centric enterprise taps intuitive motivations to support hiring and retention objectives. Junior to mid-level staff rotations between compliance, marketing, IT, legal, audit and risk can be effective in distributing capabilities and a philosophy. And professional training such as that provided by the IAPP has sustaining value.

Risks and opportunities congregate into specific areas, but entire organizational constructs seem compelled to adapt, embrace and embed the new doctrine of privacy risk. From that vantage point, generic computer-based training packages can look shockingly inappropriate. Modules should be meaningful to effect desired learning outcomes, and content at the minimum should be driven from the different types of risk different audiences encounter.

Simulation training is a more appropriate learning vehicle for senior audiences. Here, cross-functional teams solve problems in real time, often where each success leads to clues to achieving the next goal. Facilitation encourages learning outcomes that blow away restrictions on purpose-based collaboration. And by integrating the effects of privacy risk management into innovation agendas, one aims to unlock what will drive the next wave of sustainable data-based growth.


Where is your organization in the decision framework grid, and where are your peers? How clearly and convincingly is data strategy articulated internally and externally? Is the organization’s hiring, retention and training strategy fit for purpose?

Part two of this series will look at the "process" impacts of the General Data Protection Regulation.



The two-headed data risk dragon

Data risk has an upside and a downside. Both are realized by capabilities:

Upside: A capability is to exploit asset value. Some unregulated West Coast technology companies have built impressive market value in record time based almost exclusively on data, technology and persistent franchises. They have realized upside risk, e.g., eBay.

Downside: A capability is to discharge effective data governance. Some regulated global financial service organizations, incurring severe regulatory oversight, have suffered sustained capital flight from institutional investors. They have realized downside risk, e.g., UBS A.G.

