It is less than 36 hours until GDPR becomes the law of the land in the EU Zone. As the regulation has extra-territorial privacy requirements, non-EU companies, even those without a physical presence in the EU, are subject to its requirements with respect to communications with EU citizens and the management of their data.
The US has a much weaker set of laws and there is concern that US firms are laggards with respect to compliance. However, a number of US technology firms have called for adoption of a US GDPR.
On Monday, Microsoft once again reiterated its belief that “privacy is a fundamental human right” and announced that GDPR will be their privacy standard globally.
“As people live more of their lives online and depend more on technology to operate their businesses, engage with friends and family, pursue opportunities, and manage their health and finances, the protection of this right is becoming more important than ever.”
- Julie Brill, Microsoft Corporate VP & Deputy General Counsel
Companies, therefore, have a “huge responsibility” to protect and safeguard personal data.
Since GDPR was enacted in 2016, Microsoft has dedicated 1,600 engineers towards compliance. “GDPR compliance is deeply ingrained in the culture at Microsoft and embedded in the processes and practices that are at the heart of how we build and deliver products and services,” said Brill.
She noted, however, that GDPR is a “complex regulatory framework” subject to “ongoing interpretation” by regulators and feedback from customers. As such, the firm will “determine the steps that we all will need to take to maintain compliance.”
As a provider of corporate infrastructure, Microsoft views GDPR as an opportunity to differentiate itself and assist its customers with compliance on the Microsoft Cloud. “One of our most important goals is to help businesses become trusted stewards of their customers’ data,” said Brill. “This is why we offer a robust set of tools and services for GDPR compliance that are backed up by contractual commitments. For most companies, it will simply be more efficient and less expensive to host their data in the Microsoft Cloud where we can help them protect their customers’ data and maintain GDPR compliance.”
Additional details about Microsoft GDPR compliance can be found in their Trust Center.
Salesforce and SugarCRM have also taken a strong position on GDPR, calling for similar legislation in the US. “What we need is a national privacy law, and that will really not just protect the tech industry; it’s going to protect all the consumers,” said Salesforce CEO Marc Benioff.
This is not a new position for Salesforce. Back in 2014, Benioff said, “I’m all in favor of consumers having more power and more control over their data. As a consumer, you should have all of the rights. It’s like a cloud Bill of Rights. As a consumer or as an enterprise, you should have the right to be forgotten or to add or take away your data.”
As part of its compliance, the firm named Lindsey Finch, its Senior VP of Global Privacy and Product Legal, as its new Data Protection Officer. Finch has been with Salesforce for a decade, with previous stints at GE (Privacy Counsel), the Federal Trade Commission, and Homeland Security.
“The official DPO designation is a natural outgrowth of our existing programme. My team and I will continue to partner across the company to foster a culture of privacy – designing, implementing, and ensuring compliance with our global privacy programme, including ensuring that privacy is considered throughout the product development lifecycle,” said Finch. “The top theme I’m hearing is that our customers are using the GDPR as an opportunity to focus on their privacy practices and putting their customers—oftentimes end-consumers—at the center of their businesses. The GDPR is a complex law, but putting the individuals to whom the personal data relates at the forefront, and focusing on their expectations and preferences, is a great starting point for compliance with the GDPR and other privacy laws.”
Finch described Salesforce’s approach to GDPR compliance:
“We started by kicking off a thorough review to ensure compliance across the company. The GDPR is an incredibly rich document—99 articles and 173 recitals across 88 pages! Our Privacy team broke this down into key principles and worked closely with our Technology & Products organization to review our compliance. We found that we were already in a really great place,
Since then, a lot of the work we’ve been doing has been to document how our customers can use our services to comply with some of the key GDPR principles, which we’ve published on our GDPR website. There is no finish line when it comes to GDPR compliance. While Salesforce currently offers the tools for our customers to comply with the GDPR, we will continue to release new innovations that help our customers achieve compliance success.”
Salesforce CMO Simon Mulcahy echoed Benioff and Finch at the Salesforce World Tour event in London last week. Mulcahy stated that many companies simply view GDPR as a compliance issue and nuisance, not an opportunity to align company interests with customer desires. “It is a compliance issue, but it’s also a phenomenal opportunity to give your customers what they want. What they want is to know that when they give you their data, you’re looking after it appropriately.”
“Benioff is right that we will need some regulation and I can’t see how we can set two standards–EU and US–so we’ll likely need to adopt what the EU has done or risk chaos. This also fits well into the narrative of the information utility. GDPR is another driver sending us toward utility formation for the information industry.”
- Dennis Pombriant, Principal Beagle Research
Larry Augustin, CEO of SugarCRM, noted that firms have been lax in their privacy and cyber security processes, saying that self-regulation has proven to be insufficient with “too many incidents.”
“Data privacy issues are not going to go away. People are thinking a lot here now about GDPR, because Facebook, Twitter, and all of these issues keep coming. And Experian in the US, about managing personal information related to credit card data… there’s just a constant barrage of issues around data privacy and personal information,” continued Augustin. “Everyone has to address it, whether it’s in the context of GDPR or the next thing that’s going to come along. There is definitely a heightened awareness and interest.”
SugarCRM has built a data privacy manager into its CRM as a “command center” for the data privacy officer.
In my discussions with clients, they all admit to the regulations being a muddle that initially adds risk to their business models. The penalties are draconian, but the compliance requirements are ambiguous, particularly for B2B firms. As such, we are likely to be hearing about issues concerning GDPR compliance requirements over the next few years.