In 2011 a French start-up developed technology designed to collect geolocation data on smartphones and transfer the data onto a mobile marketing platform to support retailers’ “drive to store” strategy and help them assess the impact of marketing investments for in-shop visits. The technology tracked the number of in-store visitors and customers’ movements after they had seen a retailer’s ad. The problem? The data collected via customers’ phones was regulated personal data under GDPR.
In 2017, the CEO walked into his office and was met by four agents carrying out a data protection audit without prior notice.
A year or so later, the regulatory body issued a formal notice to comply for lack of legal basis: the company had collected data without prior consent. The regulator published a notice on a public website to raise awareness, and it wasn’t long before the company’s reputation was damaged and it was forced to close its doors. The moral of the story? While not all cyber or privacy breaches lead to sanctions, they have the potential to impact a business model, revenue, and ultimately the viability of a company.
Throughout the pandemic, many companies have focused solely on preserving cash. But how directly involved should a CEO be in data privacy? The answer is ‘very.’ Those who thought global privacy issues would die down after GDPR could not have been more wrong.
CEOs’ concerns over cyber-security and data privacy have accelerated with the new ‘digital normal’ created by the pandemic, which has led to increased digital transformation along with increased cyber threats and breaches. This is happening against a global regulatory backdrop that continues to profoundly shake things up through heightened rules, heightened privacy expectations and heightened cyber-security risks.
In daily news feeds, we learn about cyber breaches, data protection violations, and companies under investigation; on our TV screens, we witness CEOs of big tech companies subject to interrogations by political bodies and data protection authorities about their security standards and practices and alleged anti-competitive behaviors. While not every CEO will be subject to this, it is a fact that cyber-security and data privacy have officially made it to the top of the list of CEO concerns. For example, as part of the European Commission’s digital strategy, a set of new rules governing online services such as travel platforms openly seeks to protect fundamental rights by attacking certain financial incentives and business models.
Companies can use this time to consider the benefits of compliance for growth strategies and tactical implementation. How?
- Closely collaborate with privacy professionals and Legal teams to make the right strategic decisions, anticipate regulatory trends, and cultivate a forward-thinking attitude, particularly in relation to innovative privacy safeguards that are fit for the upcoming “fourth industrial revolution”.
- Adopt a user-centric approach to privacy that focuses on enhancing user experience, fostering education, and building user trust through transformative ways of interacting.
- Shift the approach from pure “compliance hygiene” to a cross-functional business concern to differentiate and maintain relevance.
- Simplify complex concepts like “Artificial Intelligence explainability” for improved transparency and inclusive reach.
There is an opportunity, and a necessity, to achieve both the protection of fundamental rights like the right to privacy and business gains; both topics are top C-suite concerns for long-term sustainability as we travel ever further on the digital path.
Blog author: Christel Cao-Delebarre, Global Head of Privacy and Group DPO, CWT