GDPR Laggards Can Still Get Ahead Of The Game

The time for “wait and see” is running out when it comes to new European privacy regulations. Soon enough, the financial and consumer impacts of the General Data Protection Regulation (GDPR) will become clear enough that companies that took a laggard’s approach may start to feel significant pain.

That was among the main messages offered during an interview this week with Robert Pace, vice president of information security and compliance at First American Payment Systems, about one of the hottest topics in the digital world: How will the GDPR – which took effect less than a month ago – reshape payments, eCommerce, social media and financial services?

Granted, “wait and see” was probably not the most highly recommended strategy going into the GDPR world, given how the European Union (EU) regulation essentially applies to every company making money in digital, not just those firms based in the EU’s 28 member nations. However, every group has its slowpokes and cautious movers.

Now, Pace said, “those companies are recognizing that the ‘wait and see’ approach is not the best solution. They will feel some pain from consumers, and [find themselves] in some eye-opening positions.”

In fact, early evidence suggests that changes in cyber threats and online ad buying are already taking place in the weeks since the GDPR became official. Many more significant changes are sure to follow — some of them likely unintended or even ironic. Within a couple more quarters, clear financial impacts of complying with the GDPR could start showing up in company earnings reports, Pace said. Along with that will come evidence of innovation tied to the changes brought about by the privacy regime — for instance, revisions to marketing budgets or new programs.

“Over time, regulators and companies may be taking a step back to look holistically at the compliance landscape,” Pace said. And make no mistake, he added: Regulators in other regions and countries are watching closely to see how all this plays out, and what it means for their own data protection efforts.

So far, much of the early attention to the GDPR has focused on negative aspects, such as the administrative burdens of complying with the rules — is there anyone left who hasn’t noticed the new “cookie” and other such notices on websites and email inboxes? — and how large, robustly financed companies like Google and Facebook are benefiting the most from this new regulatory landscape.

However, Pace offered a more positive view during the discussion, which served as an accompaniment to a new GDPR eBook from PYMNTS, in which he and other experts gave observations and analysis about the regulation. So far, one of the positive results of the GDPR push is “dialogue.”

He said, “Dialogues are happening among legal [departments], CIOs and COOs — conversations are happening there. We always wanted security to have a seat at the table.”

Those conversations, and the innovations they inspire, will only continue — especially as consumers become more aware of the effects of the GDPR, and their feedback reaches marketing and customer service departments, then the C-suite.

“I cannot stress this enough: The amount of minds you have around the table, that will spark the new items that will come from the technology and process,” Pace said.

For the time being, of course, there remain companies that resist a proactive response to the GDPR and have decided to “postpone efforts” to comply with this new regulatory environment, he said. But that doesn’t mean they will fall impossibly behind. If a company is nimble enough to respond to the case studies, experiences and other signals that come out of the GDPR (for instance, by making quick and smart revisions to company budgets to focus on areas ripe for profit or marketing gains), then it need not submit to defeat at the hands of the early adopters. The key is movement and having an open mind.

“This won’t be a static thing,” Pace said.