Where’s the Carrot? Sizing Up GDPR’s Big Stick

In a New Yorker-style cartoon, a bunch of suits are standing around when one of them says, “We use a modified ‘carrot and stick’ approach here—we’ve done away with the carrot.”

If you’re running a data-intensive business today, you’re forgiven for wincing. To you, data privacy laws like Europe’s General Data Protection Regulation (GDPR) probably do feel like all stick and no carrot. And when you think beyond the immediate compliance challenges and risks, you wonder where this all-stick approach is going to lead—and will it even work?

Big Means Big

Data privacy rules are proliferating at the state, national, and international levels, but GDPR is a primary preoccupation in boardrooms and C-suites worldwide—though soon it may need to make room for California’s strict new privacy act, the California Consumer Privacy Act. One reason for the focus on GDPR is that any company, no matter where in the world, could face a fine of up to 4% of its annual global turnover (or €20 million, whichever is higher) if it processes personal information on individuals located in the European Union and fails to comply.

That’s a big stick, potentially worth hundreds of millions of dollars—even over a billion—for large global companies. And there’s more: Any adverse finding could also inflict profit-leaching, stock-tanking reputational damage. Fixing non-compliant operations and systems may heap on significant business disruption and cost. And GDPR-related civil suits are a distinct possibility.

Is This Stick Working?

Though companies had two years to prepare for GDPR, the consensus as its May 2018 deadline approached was that companies weren’t nearly ready. In June, a European consumer group claimed that some of the world’s biggest online service providers were not meeting the new data privacy standard. Some seem to be “rolling the dice” with halfway measures in view of the high cost and complexity of the requirements.

It’s too early to wonder whether or not GDPR’s big stick is working, though. A better question might be, “Has the big stick approach ever worked, in any regulatory context?”

Big Stick Lessons from Finance and Telecom

Take, for example, financial services regulation. From the beginning of the 2007 global financial crisis through the end of 2016, banks around the world paid roughly $321 billion in fines, according to the Boston Consulting Group. (Fines have dropped since the 2017 start of the deregulatory Trump administration.)

The jury is certainly out, though, on the fines’ impact. A Swiss news organization quoted the country’s top financial regulator, who noted, “Some of our counterparts have handed down extremely high fines and yet violations have continued.”

An analysis by The Economist magazine explained what might be at play: If executives weigh all options, even the noncompliant ones, the risk of breaking the rules may appear smaller than the reward. “Most businesspeople are not this calculated, of course,” The Economist wrote, but the rules are written with bad actors in mind.

The history of America’s telecommunications industry provides another example, according to the Harvard Business Review. From the early 1980s breakup of AT&T’s near-complete telecom monopoly, through 20 years of reintegration and on to today, “what started as a regulatory punishment for AT&T led to an even bigger network of companies,” HBR said.

It’s debatable whether lessons from banking and other industries can apply directly to data privacy—after all, data is not cold, hard cash. On the other hand, data is increasingly prized for its value, to the point that some today view it as akin to a currency. Consider the often-cited saying of famed American management consultant W. Edwards Deming: “In God we trust. All others must bring data.”

Speaking Softly

Looking at GDPR another way, some see European regulators tearing a page from Teddy Roosevelt’s playbook: “Speak softly and carry a big stick.” In other words, regulators know GDPR is very challenging for companies to implement. So they will give some leeway in these early days and provide additional guidance over time, to ultimately bring better data privacy practices to the world. That is, after all, the goal (not global punishment).

Some participants at a recent U.S. data privacy conference suggested that companies are on relatively safe ground right now if they have at least developed a compliance policy, plans, and training, and made a solid start toward implementing them. Making this assumption could be risky for any company, though—and for some more than others. Cyber risk specialists at Stroz Friedberg predict that EU regulators will fine a large U.S. company in 2018 to make an example that demonstrates the global reach of their rule. Meanwhile, some regulators in the EU have already kicked off enforcement.

This kind of “speak softly and carry a big stick” approach is a common regulatory tactic, though it goes by other names. Academics use arcane terms like “deterrence-based versus compliance-based,” “maximal detection and sanctioning versus cooperative strategy,” and “punishment versus dialogue.” One academic paper suggests that it takes the right balance of carrot and stick to create an effective regulatory environment.

And then there is the school of thought that the rapid pace of technological innovation requires an altogether different approach to regulation (if any). Creating outcome-based regulations and testing new models in sandboxes are among the suggestions in a new report from Deloitte. “The assumption that regulations can be crafted slowly and deliberately, and then remain in place, unchanged, for long periods of time, has been upended in today’s environment,” Deloitte said.

Digging for Carrots

There could well be carrots for those that comply with GDPR. Companies could derive operational and marketing benefits as they are forced to take a harder look at what personal information they collect, where they keep it, and how they use it. Other upsides could include better cooperation across business silos (each with its own data and processes), accelerated use of data innovations such as artificial intelligence, and, ultimately, better understanding of customers and stronger relationships with them.

“Some of the biggest carrots could come in the form of increased business opportunities—or at least faster traction for companies that are able to comply with GDPR requirements,” says Paola Zeni, Senior Director and Senior Privacy Counsel at Palo Alto Networks. For example, GDPR has introduced very prescriptive requirements for contracts between companies and the service providers that process personal data on their behalf, Zeni explains. Most multinationals have already upgraded their contract templates. Service providers that are ready to commit to such terms will go through a faster contract cycle, while those that cannot may have to leave deals on the table.

In more ways than one, GDPR compliance is beginning to look like a textbook case of lemons and lemonade; if you’ve got to do it, you might as well make the best of it.