Privacy compliance is usually seen as a problem for a business, but it might become the key for the success against its competitors.
My law firm and the Italian association of general counsels, AIGI, ran an event of the General Data Protection Regulation (GDPR) and an interesting topic of debate arose form the panel discussion among various general counsels.
I discussed in several instances about the impact of the GDPR on the business of companies. Such impact is often associated to the increase of sanctions up to 4% of the global turnover of the breaching entity which should lead to a higher level of awareness on privacy compliance obligations. However, apparently the management of companies is not fostered to comply with the rules of the GDPR by the potential sanctions which have already been increased in so many different fields, but as it expects a competitive advantage out of it.
Here is my review of the topic first in my Diritto al Digitale video series in Italian and then more extensively in the body of this article in English
The GDPR from an issue into an advantage
In a world where data is exponentially acquiring value, companies start to understand
- The importance of data for their business and therefore the possible damage that could suffer should they be obliged to delete it or reduce its usage because of the breach of privacy laws;
- The risks of sanctions should the supplier be unable to ensure privacy compliance and the costs of monitoring unreliable suppliers. It is true that the GDPR provides for direct sanctions against data processors that process data in behalf of third parties. However, a company instructing a supplier is obliged to monitor the proper processing of personal data by the same supplier. Therefore, it has to either take some risks when the supplier is clearly unable to ensure compliance with data protection laws or bear considerable costs when it does not have a guarantee of compliance of the data processing with applicable laws and needs to run some audits and monitoring activities; and
- The impact on its business of the performance of a privacy impact assessment before implementing a supplied product/technology/service with the consequential delays.
All these factors lead a company to prefer a supplier which is able to provide an attestation/certification of compliance with the EU privacy regulation. Indeed, such supplier triggers considerably reduced risks and costs. Likewise, if a supplier either has already performed a privacy impact assessment of its product/service/technology and got it validated by the competent data protection authority or has obtained a certification of compliance of the same, this enables the immediate put in operation of the same with a major advantage for the client.
But even consumers will end up preferring companies that can ensure compliance with data protection laws. This is because, in an economy exponentially based on the supply of services and on the sharing of the usage of goods, individuals’ privacy will remain one of the very few assets belonging to an individual that will therefore be led to prefer those sellers that can prove their capability to protect their data.
How to exploit privacy compliance?
The attestation/certification of compliance of a company and/or of its products with the GDPR will become one of the criteria of selection of a potential supplier. And such criteria can become even more valuable in this phase of first adoption of the EU Privacy Regulation as it is expected that in the long term most of the companies in the market will get compliant.
Data protection authorities still need to issue their guidelines on the GDPR compliance certification process. But in the meantime what we are providing to our clients at the end of the privacy audit is an attestation of proper performance of the required activities which is valuable itself if provided by a very reputable law firm.
What is your view on the matter above? I am curious to know your position.
Below is our presentation showed during the event
Also you may find also interesting on the General Data Protection Regulation the following articles
If you found this article interesting, please share it on your favourite social media!