Firms quick to adopt EU data regs will have first-mover advantage

Firms quick to adopt EU data regs will have first-mover advantage
© Getty Images

As the General Data Protection Regulation (GDPR) takes effect Friday in the European Union, with much more stringent rules on data privacy, companies such as Google are scrambling to prove they are compliant.

Google reportedly is working with publishers to ensure compliance with EU regulations that give people more control over how their data is used, such as for targeted advertising.


With the deadline for compliance looming, companies may be missing an opportunity to use the new EU data regulations as a competitive advantage. Firms that apply the EU standards in other markets, like North America, could position themselves with a first-mover advantage in adopting global best practices for data privacy standards.


For business owners and managers, GDPR highlights the importance of adding data protection to their operations, such as to anonymize routinely collected data, while also assessing the impact of data protection on their business models.

At the same time, GDPR opens the door for “privacy by design” and “privacy management” as points of differentiation for companies. For example, smaller firms that are more agile than larger competitors could gain an edge by designing new products and services that boast enhanced privacy protection.

These potential opportunities could turn the GDPR regulatory burden into a boon. More than bragging rights, becoming GDPR-compliant on a global basis will carry a cost.

For one, companies would need to invest in data privacy controls not only in the EU but in other markets, such as the U.S. This is not an inconsequential cost, particularly if upholding GDPR standards voluntarily in markets like the U.S. hurts the revenue stream.

Collecting and analyzing data is a major component of many companies’ business models. Facebook, for example, collects data about users in order to target adverting to them; its ability to engage in data mining is a backbone of its revenue stream.

Even as Facebook highlighted its steps to become GDPR compliant, the media found fault in its approach, particularly whether consumers were rushed to agree with the standards.

Such compliance concerns and the potential impact on business models paint a pessimistic scenario in which companies will likely do the minimum to comply with GDPR. From this perspective, companies would be deterred from taking a best-practices approach in data protection globally; as a result, they would operate one way in the EU and another way in the rest of the world.

Nonetheless, there is still a likelihood that GDPR becomes embraced as the best-practice standard, particularly for social media platforms where data privacy has become a major focus.

While all platforms have privacy policies, those largely self-administered standards have come under scrutiny after Cambridge Analytica, a firm connected with the Trump presidential election, allegedly accessed Facebook data without authorization.

Facebook founder Mark ZuckerbergMark Elliot ZuckerbergHillicon Valley: Biden names acting chairs to lead FCC, FTC | Facebook to extend Trump ban pending review | Judge denies request for Amazon to immediately restore Parler Facebook to extend Trump ban pending review Facebook has no current plan to end the Trump suspension MORE testified before Congress about the need to strengthen his company’s privacy policies.

If social media companies are serious about implementing stronger privacy standards, then GDPR provides a foundation for building more stringent operating practices, both in the EU and globally.

Since critics have been very vocal about alleged misuse of user data, social media platforms that voluntarily abide by the GDPR’s stricter third-party standards globally could find themselves in a much more favorable spotlight.

As companies that do business in the EU strive to become compliant, there are still questions, like how to handle legacy or backup data, for example. Data that were routinely collected and backed up in the past may contain sensitive personal information such as email addresses, which should be scrubbed to ensure compliance.

The silver lining for companies is that GDPR compliance will bring them to a higher level of data management and security. Data gathered by compliant means, such as from users who have opted-in, will be more valuable. And, better (and compliant) data as input translates into output that likely will carry an enhanced value.

GDPR, like any new regulation, will raise questions about the cost and benefit of compliance. But those companies that look beyond the initial burden to the opportunity may very well find that the cost of being compliant is more than offset by a global opportunity to showcase adherence to best practice standards everywhere they do business.

Ronen Gradwohl is an assistant professor of managerial economics and decision sciences at Northwestern University's Kellogg School of Management.