After GDPR, here come the Unintended Consequences
There are the obvious results of the landmark legislation, and then there are the hidden waves that ripple out later.
It’s not the wave you’re expecting that knocks you down when you’re body surfing in the ocean. It’s the waves you didn’t expect, behind that first wave.
It’s the same with Unintended Consequences. And, given its complexity and scope, it’s likely that the General Data Protection Regulation (GDPR) — whose implementation begins tomorrow — will have plenty of those.
To sketch out the range of possibilities that haven’t been in the top predictions, we collected thoughts from a wide range of practitioners:
- After years of trending toward faceless activities, SAP Ariba CMO Tifenn Dano Kwan told me, GDPR may ironically provide “an opportunity to put a face back on marketing and make it human and personal again.” While GDPR may limit “the personal data we can collect using formal digital channels,” it may also open up new forms of personal connections. This could mean, for instance, marketers attending more sales meetings, hosting more networking events or conducting more in-person seminars, so they can “really see and hear their customers.”
- The burden of the newly required internal processes could be so considerable, RSA CMO Holly Rollo told me via email, that there may be a lag or even a halt in outbound marketing activities as organizations “scramble to understand, discuss and agree on what customers/prospect data is ‘safe’ to use.”
- Younger teens may end up vouching for themselves, says Mark Weinstein, CEO of social network MeWe. He notes that GDPR says personal data can only be processed if the user is 16 or older. For 13- to 15-year-olds, the statute requires parental consent, but, he adds, Facebook allows anyone to “be a guardian or parent for a child.” This is because the child in question simply enters an email address, and “Facebook simply trusts that the person or email selected is in fact their parent or guardian.”
- David Ross, a principal at consulting firm Baker Tilly, told me that there could be a boom in identity fraud, as brands try to verify users who make GDPR-related requests about their personal data, like asking that it be deleted. There are no clear standards for how you authenticate a user, and Ross pointed out that it’s difficult to authenticate when GDPR is pushing you to “minimize your data set.” In other words, how can you employ IP or email addresses to authenticate when you need consent to use them? Neil Hughes, VP of identity research firm OWI Labs, pointed out that this “right to be forgotten” relates to what info the organization might otherwise keep after you delete your account. But GDPR doesn’t require that you delete your own account first to remove personal data, only that you make a request.
- Ross also pointed to several other possible unintended consequences. For instance, he said, GDPR now provides a completely new way that “a small group of people can cause [new kinds of] harm” to an organization. A thousand activists, each making a variety of data subject requests, could dramatically slow down an organization’s operation.
- And, he added, it’s likely that another consequence will be “jurisdiction shopping.” Companies will discover and share info on how GDPR enforcement, conducted and interpreted by each EU country, will vary. Ross compared this to how Delaware is the go-to state for US incorporation, as companies may choose specific EU countries for their headquarters or their primary market presence, based on enforcement levels and interpretations.
- Similarly, Fouad Khalil, head of compliance at risk management platform SecurityScorecard, notes that companies may scramble to acquire insurance against GDPR oversights. But, he pointed out, “GDPR fines are only insurable in Finland and Norway” at the moment. So, we might add, there may be a rush on headquarters-quality real estate in Helsinki and Oslo — at least until other insurance companies move on the GDPR opportunity.
- Jean-Michel Franco, director of data governance products at software integration vendor Talend, sees a major change in how customer service and legal departments operate. “In many companies,” he told me, “consent is [currently in] the legal department,” but the legal department won’t be able to handle all those GDPR-related user requests and complaints, and the customer service department doesn’t yet have the legal chops to do so. Something new might have to emerge, like a team that overlaps with both departments.
- And, he said, GDPR has a little-noticed “right of explanation,” as consumers can demand to know why their bank loan or other application was denied. The challenge, he said, is that these kinds of decisions are now often made by algorithms, so banks and others — perhaps even colleges — will need to figure out why their systems told them to make such-and-such a decision.
- Franco also predicted that sites like Glassdoor, which rank companies based on anonymous inside info, may be violating GDPR because the inside info may contain personal data. He pointed to a 2008 event in France, when a teacher-rating website called Note2be was accused of misusing the teachers’ personal info.
- Edward Balassanian, CEO and founder of the Strings social media platform, said he expects that there will be a boom in product placement inside all kinds of stories, as brands move away from targeted ads.
- Caleb Barlow, VP of threat intelligence at IBM Security, told ComputerWeekly.com that he expects GDPR will encourage domain registrars to avoid submitting registration contact info to the international Registration Directory Service, which used to be called Whois. That info contained the name, address and contact data for domain registrants, often used by security firms to link various malicious domains to the same source. But the publication of that contact info reveals personal data. In its absence, IBM says, it might take more than 30 additional days to connect malicious domains to the same actor, which could hamper security efforts.
- And privacy lawyer Gary Kibel points out that lead generation and other customer acquisition efforts may undergo some kind of transformation. The main reason: You need consent before making the first contact, but how do you get that consent? There might be some grounds to do so under the vague concept of “legitimate interest,” especially if there was some previous interaction, but it’s not yet clear.
GDPR is “a watershed moment,” Ross told me. But we may discover that the waves and ripples after that moment are generating the biggest impacts.