Dolores Perez says that companies need to balance the requirement to do well with doing good (Photo: KBL European Private Bankers)

In just over a month, the way every company in Europe collects, processes and protects personal data will change profoundly. The EU’s General Data Protection Regulation, which applies from May 25, gives individuals far more control over their personal data and obliges companies to handle such data far more carefully. The GDPR allows individuals to access and correct the personal data companies hold about them; it also gives them the right to have such data transferred to another company.

If the purpose of processing such data is called into question, individuals can object to it and ask that processing be restricted, or that the data be permanently erased. They may also object to decisions based solely on automated processing that significantly affect them.

Under the new law, companies must process personal data in a way that is lawful, fair and transparent. They must explain clearly how such data will be used, and collect no more than is necessary for that purpose. If the data is later to be used for a different purpose, the individual must be informed and, unless another lawful basis applies, their consent obtained.

A company found to be in breach of the GDPR can be fined up to 4% of its annual global turnover or €20 million, whichever is higher. The reputational cost of such a breach, measured in lost client confidence, could be higher still.

Consider the ongoing crisis at Facebook. Following revelations that the personal data of some 87 million Facebook users may have been misused, the company’s share price tumbled by 15%, wiping a staggering $100 billion off its market capitalization.

Ensuring trust

Today, amidst increasingly widespread concerns about personal data security, public sentiment has never been more strongly in favour of putting individuals in charge of their own information. The burden on companies is not just to comply with the GDPR, however. They must also demonstrate, more broadly, that they behave responsibly.

According to the results of the 2018 Edelman Trust Barometer, a global opinion survey, 69% of respondents say that a CEO’s main job should be to ensure that their company is trusted. That’s considerably higher than the percentage of respondents who say that a CEO’s primary responsibility should be to increase profits. Nearly two-thirds of survey respondents say they want CEOs to take the lead on policy change, instead of waiting for government, while an equal percentage believe a company can take actions that both increase profits and improve economic and social conditions in the communities where it operates.

While regulations like the GDPR represent a major step in the right direction, corporate responsibility cannot be covered by any single piece of legislation, however sweeping. Business must of course continue to seek to maximize profitability, but not at any cost. Instead, companies need to balance the requirement to do well with another imperative: doing good.

Editor’s note: GDPR will be the subject of the next Delano Live event on Tuesday 17 April.

Dolores Perez serves as Group Data Protection Officer at KBL European Private Bankers. The statements and views expressed in this document are those of the author as of the date of this article and are subject to change.