GDPR & Co: Compliance overkill or basis for value creation with data?


“That’s not allowed anyway” is a common reaction when working out how data can be used to create added value for companies. It is a common misconception that GDPR and other data compliance regulations function only in a restrictive manner. If that is not the case, could they even be used as a value boost? This question is discussed by Dr. Knut Karnapp, lawyer and expert for data protection and IT law, together with Thomas Balgheim, management coach and one of the initiators of DataValueThinking. Even though Dr. Karnapp refers in his answers to German and European legislation, the key concepts are valid for many other countries and legislations as well.

Currently, more and more companies are discovering their data assets and their value, often called data monetization. When dealing with new technologies such as artificial intelligence (AI), the Internet of Things (IoT) or modern evaluation tools, more and more companies are discovering that data is the common raw material used by these technologies and tools. The quality of this raw material data determines whether and how new technologies can be used sensibly by companies in the context of digitization. Which role data plays in value creation, how data is processed and worked on and how data can be used sensibly is increasingly becoming a strategic task for companies. Within the framework of the DataValueThinking (DVT) initiative, approaches, methods, and procedures for these strategic tasks are summarized, assigned, and offered.

Thomas Balgheim (TB): In our workshops we look at the different areas that deal with data. We also address the topic of compliance. We like to work with analogies to explore the huge scope of data. For GDPR & Co, we often use the image of a coast guard observing the data lake. Does this make sense for you?

Dr. Knut Karnapp (KK): In the grand scheme of things we are in the right metaphor, but the coast guard would be operated by the supervisory authorities. GDPR and so forth represent the legal framework, the “maritime law” so to speak. Of course, GDPR and the like focus on the protection of the individual’s personal data – rightfully so. But when I, as a company, can point even part of my overall effort towards protecting this data treasure even without the coast guard getting after it constantly, I can turn this into a big win for me, my employees and most of all my clients and customers. The legislator has recognized the considerable value of data, on an individual and collective level. Whoever can make the best use of this value – in a constantly changing legal framework – has the opportunity to generate considerable competitive advantages.

TB: Another area in our workshops is called data ethics, i.e. our own values and rules for handling data in a company. Do you think there are relations between data ethics and data laws?

KK: I believe that it is indispensable in today’s world to have a corporate strategy which is communicated to the outside world in a way that is both understandable and describes how it (the company) deals with “raw data” and especially with customer data. I truly believe that nowadays doing so is an essential part of a corporate strategy. Keep in mind: most of the time companies don’t operate in a FOSS (Free Open Source Software) environment and clients and customers therefore need you to be open with them. Those who are affected by the usage of data are – rightly so – increasingly asking about the processing of their data. Regardless of the legal requirements, it should be important to every company to handle their own and especially their customers’ data carefully.

TB: Are these tasks important for certain areas or does it affect the whole company?

KK: Of course, in the end it affects the whole company, your whole business. Every employee uses and generates an almost immeasurable amount of data during their daily work. And this tends to become even more in the future. The trend was unstoppable even before Covid19. A violation of the protection of personal and other data very often stems from lack of care on the individual level. The better I am able to make “data awareness” part of my company’s DNA, the better the company can protect these values in the interest of customers and business partners, which is at the end of the day in its own interest. The DataValueThinking approach – as I understand it – helps to create exactly this type of environment.

TB: Our work shows very often that there is not only personal data, but also process and machine data which become more and more relevant. What does this actually mean from a legal point of view?

KK: First and foremost, this means that as a company I have to enable myself to actually know what types of data I actually have. Make no mistake: there are thousands upon thousands of companies out there that aren’t even aware of all the data they have collected over the years. Furthermore, I need to understand the data and also what does and doesn’t happen with it during its whole life cycle. There are a few reasons for this, the main one being that in situations where no personal reference exists, i.e. when the individual is not identifiable, the compliance threshold is significantly lower. The company then has more legal options for data usage, for example, by using and making use of aggregated data. Nevertheless, the reverse conclusion should be avoided at all costs, i.e. that a missing personal reference would constitute a “free ticket” in handling company and customer data.

TB: Sometimes you get the impression that the legal framework and new technologies are like a race. As a company, I use innovations and then have to gradually adapt, formalize, etc. to comply with upcoming regulations. This results in subsequent efforts and restrictions. How should I deal with this as a company?

KK: “Move fast and break things” – This approach, which is nowadays associated with Uber & Co., for example, constantly exposes new challenges for the legislation to balance the promotion of innovation and the protection of individuals. There is no doubt in my mind that the plethora of legal requirements regarding data protection law that have found their way into the German legal code in recent years are difficult (or close to impossible) to fully comprehend, in particular for small and medium-sized companies. In addition, it is not uncommon for the various domestic German supervisory authorities to disagree on the interpretation of the legal basis. Not to mention our partners in the other EU member states. Nevertheless, as long as compliance is seen not only as a restriction or barrier but rather as an opportunity and chance for your own company, for example by exploiting hidden potential of the already existing data, you can – I’m fortunate enough to experience it by “living examples” – gain an unexpected competitive advantage. If companies combine this approach with the evolving data ethics and data culture, they should be well prepared for the legal requirements of the coming years.

TB: You have dealt with the creative approach and methodological framework DataValueThinking. What is your impression?

KK: DataValueThinking offers orientation for management and creates a basis for data ethics and data culture to make use of the competitive advantage I tried to describe here.

You can reach Dr. Karnapp, attorney at law, for example, via his LinkedIn profile.