GDPR – The turning point for data privacy?

How do investors need to think about the impact of today’s changes on companies?

The internet, artificial intelligence, connected devices and augmented reality have transformed how businesses collect, use and monetise data. Across e-commerce platforms and websites, online consumers receive targeted ads based on their location, browsing history or other data. In insurance, potential customers may be offered discounted health insurance premiums if they use fitness trackers. These devices then enable insurance companies to monitor a person’s habits and provide ongoing assessment of their lifestyle, activity levels and thus risk. Or consider connected cars, which are collecting data points on the car – location, speed, capacity utilisation – and on the potential users of the car – usual commute, planned trips – in order to improve safety and convenience (e.g. through routing and navigation systems).

The view on recent company earnings calls is that the future is going to be very different in a GDPR world

Until now, companies have been able to collect and process data without the need to obtain explicit consumer consent. But questions are increasingly being asked as to who really owns the data and what protections and rights consumers should have over the treatment of this sensitive and valuable information.
The tide is starting to turn in Europe with the introduction of the European General Data Protection Regulation (GDPR), which comes into force today, empowering consumers on data privacy. GDPR requires companies to ensure that consumers actively give consent to the collection of their personal data, having clearly understood how the data might be used. The regulation covers a wide range of personal data, including names, pictures, email addresses, phone numbers, addresses, bank accounts, IP addresses and social security numbers. Consumers will also have the right to opt out of data collection and to request that companies erase all of their personal data.
This is obviously important for internet and media companies whose business models are reliant on using consumers’ online data to drive revenues from targeted advertising. The impact is still not clear, but it could potentially hinder ad targeting capabilities if consumers opt out of data sharing owing to concerns around privacy.
But for many other businesses too, the view on recent company earnings calls is that the future is going to be very different in a GDPR world. Some companies may have to reassess their business models if consumers perceive that the benefit of making their data available is unclear or that their privacy is being invaded. As consumers are given more rights over their data, all companies will need to build consumer trust in how their data is used and by ensuring data security.

Investors should consider how companies are adapting to this new regulatory environment. There are several different areas within GDPR that need to be assessed. Unlike other, more traditional areas of ESG, data on this topic is somewhat lacking, in part because there is no standard way of reporting compliance with GDPR. Fully understanding how a company is addressing this issue therefore requires active engagement and dialogue.
To begin with, investors should consider a company’s level of exposure to ‘personal data’. As we have already seen, it could mean that some companies are required to delete parts of their customer relationship management (CRM) database. For all companies, GDPR compliance will require the investment of time as well as cost. On recent company earnings calls, estimates of the monetary investment needed in preparation for the legislation ranged from £1m to £5m (these figures include external consultants’ fees and also upgrades to IT systems). Under the legislation, companies will also need to ensure their IT architecture is ready for data portability, data erasure and new requirements to report a data breach within 72 hours. Europe lags the United States on security investment by around 50%, according to the International Data Corporation, and so GDPR could be a catalyst for incremental expenditure in Europe.
Non-compliance could have significant consequences. Data privacy and GDPR could be a material financial risk for investors, with failure to comply incurring fines of up to 4% of annual global revenue or €20m, whichever is higher. This is far above the level of recent fines we have seen for data breaches. Stricter requirements on the use of data could also pose a risk to revenues. Companies will need to prove that they have a legal basis for collecting, retaining and using personal data, or that they have received clear and affirmative consent.
Investment in earning and maintaining consumer trust will be increasingly important for companies that wish to use and monetise consumer data. Corporates will need to be aware of the ‘value exchange’ to ensure it is not tilted too heavily towards the company, as this could reduce consumers’ willingness to share data.
For those that get it right, the opportunities presented by evolving technologies and consumer preferences are as attractive as ever.
Victoria Irving is Vice President of SRI and Jessica Alsford is Head of Sustainability Research, both at Morgan Stanley.