Adopting a competitive approach to GDPR compliance


The new General Data Protection Regulation (GDPR), which will become applicable and enforceable on 25th May 2018, marks a milestone in data protection laws in the EU.[1] Much noise has been generated about the substantial change it will bring in data protection regulation – it enhances data security rules, introduces new data subject rights and strengthens existing ones, and threatens significant fines for non-compliant companies. Much noise has also centered on the impact the GDPR will have on businesses – additional costs, resources and efforts. But amid fear of severe fines and pressure for compliance given the fast-approaching deadline, the significant benefits of GDPR seem to be ignored. It can be argued that GDPR conformity measures should be viewed not simply as a cost burden but also as an opportunity for businesses to boost their competitiveness. This could be achieved in several ways – by promoting growth, building reputation, fostering a data trust culture among partners and customers, and improving workplace ethos.

Getting ahead of competitors

The GDPR rules require all companies to use only suppliers who can show that they have adopted appropriate data protection measures. Otherwise, those companies risk high penalties themselves. This means that when a company contracts with a supplier to process personal data on its behalf, it should properly vet that supplier in order to ensure protection of the data shared. A case in point would be a clothing retailer engaging a marketing company to send promotional vouchers to the retailer’s customers on the retailer’s behalf. The retailer is ultimately responsible for ensuring that the personal data (e-mails, names, mobile numbers etc. of customers) are processed in accordance with the GDPR. Clearly, to avoid fines, companies will prefer suppliers who can demonstrate that they have implemented the required data protection measures. In practical terms, compliant companies can gain a competitive edge over those lagging behind, both in strengthening relations with existing partners and in attracting new ones. And as all businesses will have to reevaluate whether their partners have implemented the requisite GDPR measures, a shift in market relations is expected to occur – compliant companies will choose new partners who are GDPR compliant. As a consequence, companies in line with GDPR rules will be able to seize new market opportunities and expand their partner network.

Increasing productivity

Stepping up to GDPR compliance requires all companies to review their processes in order to understand whether they collect, store and use personal data in accordance with GDPR. In addition, the Regulation gives certain rights to individuals and imposes obligations on companies to facilitate the exercise of those rights. For example, data subjects have a right of access to a copy of the information comprised in their personal data, while the company has the obligation to provide it within 30 days of the request. For businesses this translates into an obligation to be able to quickly isolate data and organize it in the GDPR-prescribed format – concise, transparent and intelligible to the individual. Thus, achieving GDPR compliance will consolidate unstructured data and streamline data handling processes. A direct benefit is that companies will increase efficiency, as they will reduce the time needed to search for and discover data and will have better access to the information they process. This can then be used internally for optimizing work efforts.

Building trust

GDPR recognises that trust is vital for the development of the digital economy across the internal market. Technological advancement is making it ever easier to gather and control customer data, while at the same time posing increased data security risks. The GDPR, then, comes right on time, as it requires businesses to process data in a way that safeguards the rights of the individual. When businesses process data they have to act in a lawful, fair and transparent manner – clearly communicate to data subjects the ground for collecting data, the purpose it is collected for, how long it will be stored, the rights of the data subject and how they can be exercised. If customers are kept in the dark about their data, businesses stand to lose customer trust. Thus, the potential to promote confidence comes from the fact that companies will openly engage with customers and demonstrate the necessary level of care for the personal data shared. It is also an opportunity, for instance, for companies to demonstrate to customers that capturing data allows them to offer targeted communications in line with individual interests and preferences.

Another aspect of adopting rigorous data protection rules is that the company will be perceived as a safe and secure partner to conduct business with. This especially holds true when the frequency of cyber security breaches and the damage they can cause to businesses are considered. Investing in GDPR compliance will build the company’s reputation as a secure and trustworthy partner. Trust is a commodity, and fostering it with rigorous data security processes will give companies a competitive advantage in the long run.

Improving work environments

The use of information technology in the workplace has allowed employers to systematically process employee personal data. With the aim to improve productivity, however, such processing could potentially be invasive without due regard to employees’ rights.[2] The GDPR rules could be used as a platform for employers to demonstrate that despite the financial dependency in their relationship, they do observe employee rights as data subjects. The obligation of employers to be transparent with employees is enhanced. This means that employers have to clearly communicate to employees what data they capture, for what purpose they use it and whether any monitoring takes place in the workplace. Openly engaging with employees about their rights has the potential to build a culture of inclusiveness and confidence. It might be a bit of a stretch, but having transparent policies at work could also bring about better employee performance and efficiency.

To conclude, the Bulgarian data protection regulator, the Commission for Protection of Personal Data, estimates that 80 % of companies are not prepared for GDPR compliance.[3] The idea of investing simply in compliance is daunting. However, as argued, the GDPR is not just a compliance exercise. To translate the statistics into more positive terms, it means that 80 % of companies have the opportunity to become more competitive, increase growth and foster long-term trust relationships with customers and partners.

[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[2] Opinion 2/2017 on personal data processing at work of the Article 29 Data Protection Working Party (“A29WP”)

[3] Newsletter of the Commission for Protection of Personal Data, issue 1 (70), January 2018