GDPR challenges how companies balance risk and cost. Full compliance with all aspects of GDPR, including the ePrivacy Directive, is a high and expensive bar to clear. Non- or partial compliance could create extraordinary costs and damage to the brand. Companies are weighing what it means to fully or partially comply. We predict that 80% of firms affected by GDPR will not comply with the regulation by May 2018. Of those noncompliant firms, 50% will intentionally not comply — meaning they have weighed the cost and risk and are taking a path that presents the best position for their firms. The other 50% are trying to comply but will fail. This will be a fluid environment; any successful case against a well-known giant will change the risk/cost balance. The sleeper issue of 2018 will not be compliance but how consumer advocate groups use GDPR to prosecute their agendas by using the regulation’s “right to be forgotten” clause — exhausting companies’ resources and damaging their brands.
Rather than just looking at risk and cost, we should be looking ahead to where the regulation will take us in the next decade(s). I believe all of us will be a consumer at some point in time. These requirements will assist us in defining rules that will help build trust between organisations and their consumers. Risks and costs will only affect those who aim to adopt practices below expectations or ignore the rule book. For those who practice above and beyond, not only will consumers flock to them in masses due to this newfound trust, their balance sheet and reputation will also be the role model for industries and markets.