Reading Time: 3 minutes

Executive awareness of the General Data Protection Regulation (GDPR) is typically based on two factors.

1. Board’s quest to create value from innovation. Thus, they need to define and unify data strategies across divisions.
2. The GDPR mandates audit committees to intersect the above objectives in Regulatory compliance, Corporate governance, Enterprise risk management

Impact of GDPR

We have already read about GDPR in our previous blog post. Board and audit committee interaction should result in a heterogeneous allocation of privacy risk tolerances and governance investment across the organization, empowering chief privacy officers (CPOs) to drive the much needed change.

What will likely follow affects five key areas within an organization.

Change 1: Using Customer Insights To Power Risk-Management

Through data portability, the GDPR redresses imbalances between monetization investment and individuals’ ability to benefit from, or keep private, data about their lives.


Advanced privacy-metrics models will drive value at risk, insurance decisions and articulate cause and effect. Such metrics models set the foundation to ensure privacy of the customer sentiment.

Robust evidence management of incidents will lead to data privacy and authenticity. Poor customer experiences, e.g., overly invasive identity verification or poor call-handling in response to negative reactions to a marketing campaign will empower the customers to explicitly question privacy practices.

Investment in a tool like VComply which ensures credibility of the evidences with its repository is essentially a smart control for increasingly risky data and digital intensive efforts, moving companies upward and rightward in the privacy grid.

Change 2: Data management in gdpr

Is the Data Lawfully Used has become more important with the advent of the GDPR


There are very few loyalty programs that request customers to discretely consent to personalized offers generated by their relevance engines, but such examples will become the norm.

Explicit consent is a mindful consent. Self-awareness over how and why insights about a private life are monetized has emerged often emotively into social consciousness. And so efforts to enhance transparency and the quality of consent will come to the fore, especially given stronger purpose-limitation restrictions and increasingly narrow uses of legitimate interests.


For CMOs who are agents of change, these developments present plentiful opportunities to deliver first mover advantage. More generally, passing data through a super-distributed chain and being held jointly accountable for its legitimate management is a problem only resolvable if all parties comply equally and collaborate for the benefit of the customer. And we are all someone’s customer.

Bottom Line: Build internal privacy litigation competences; identify top external litigation talent, and use scenario-planning to enable value.

Change 3: Core Compliance changes after gdpr

The GDPR will likely have 3x as many articles as the old privacy statute. Extreme level of details, when implemented will increase the accountability of every stakeholder.


Independent and liable Data protection officer (DPO) is the need of the hour. Simplified data export procedures will help the organizations. The best practices in vendor management, precisely targeted privacy service level agreements, will become modified by both statutory and risk-management enhancements.

Compliance resources will need to shift more quickly toward digital tools like VComply. There shall be centralization of  governance structure. Also, they will often re-engineer it to drive transparency and control over potentially crippling risks residing there.

Compliance solutions will be sought for the right to be forgotten/erasure, embedding up to real-time removal of what are fluidly considered personal identifiers across all instances in which they exist, inclusive of third-party assets. Data portability will empower customers to port their data, including the segmentation attributes containing inferences about behaviors, from one service provider to another without delay.

Change 4: Regulatory Intermediation as mentioned in gdpr

They are empowering Data protection authorities (DPAs), expanding budgets and enhancing investigatory powers. Regulators will build more systemic bridges into the scientific community to provide the research foundation upon which they can base opinions, the leading example being the Luxembourg Privacy Cluster.


Organizations that today consider themselves unregulated will become regulated by virtue of offering goods and services to EU residents. Thus, they gain real power of recourse.

There will be mandatory appointment of DPOs  as they are already in some EU countries.  Also, regulated industries such as financial services are in for less of a shock.

The Evolving Role of a CPO | GDPR

CPOs are the nexus between audit committee and board interest in data. Orchestration by CPOs across the 4 key areas will allow meeting of expectations of shareholders, regulators and society.

Previous                                                                                                                       Next

FavoriteLoadingAdd to favorites

Leave a Reply

Your email address will not be published. Required fields are marked *