Any organizations sick of their big data governance and customer-first initiatives falling by the wayside can rejoice that by some point next year, they will get their acts together. They’ll pretty much have to, since any company that does business in Europe could face a penalty of four percent of total revenue for breaching the new General Data Protection Regulation.

Jokes aside, many fear that GDPR will take the wind from their sales just as they are beginning to monetize big data; however, they must start practically preparing for it and looking at the upside, says Jessica Douglas, executive partner of financial services at IBM Corp.

Douglas participated in a special panel on GDPR in Germany this week along with John Bowman, senior principal at Promontory Financial Group, an IBM Company; Richard Hogg, global GDPR and governance offerings evangelist at IBM; and Rob Langhorst, associate partner of global business services at IBM.

The panel was held at the IBM Fast Track Your Data event and moderated by Seth Dobrin, vice president and chief data officer at IBM Analytics.

Douglas leads IBM’s GDPR task force in the United Kingdom and Ireland where she is encountering the whole gamut of attitudes toward the new legislation.

“I think we’ve got ostriches, we’ve got hares and we’ve got tortoises, and we’ve got some organizations that think they’re hares,” she said. Ideally, a company would be a hare, making good time to meet the GDPR live date next May, having gotten an early start last year or even earlier.

“The ostriches are the guys who are saying, ‘Oh, does this really have anything to do with me? Can I please kind of not think about this now and maybe when it comes up later, I’ll deal with it then?'” she said.

Granted, there are some lines on the GDPR that justify this reluctance. “Seventy-two-hour breach responses — that’s going to be quite a tight deadline for a lot of organizations to be able to meet,” Bowman said.

The new regulations around consent to use personal data are perhaps the scariest items of the GDPR. Consent is one of six bases for processing data in the legislation, Bowman explained.

The GDPR expands the very definition of personal data, according to Hogg. The term PII (personally identifiable information) familiar to Americans generally refers to items that link directly back to individuals, like Social Security and bank account numbers.

“And then [Americans] consider identifying data from devices like IP addresses as not personal information — which is very much not the case with GDPR,” Hogg said. The US  Federal Trade Commission is now revising its definition of PII to include indirectly identifying information like IP addresses to sync up with GDPR, he added.

What’s more, individuals must grant consent to use personal data affirmatively — not implicitly to an organization burying an opt-out option in the fine print, as is so often the case now.

Speaking of opting out, consumers must be allowed to withdraw their data as easily as they gave it in the first place, Bowman stated.

A win-win after all?

This might seem onerous at first, but it could pay for both consumers and businesses in the end. For one thing, businesses can start using privacy and opt-out policies as a competitive advantage.

“If you know what the organization is doing with your information and what information you have, and you have the ability to change that at any point, you’ve got more trust and faith in them and you may end up sharing more information with them,” Hogg said.

And there is incentive even for consumers to share their data as it becomes a portable asset, according to Bowman. “There may be some economic benefit which an individual can gain from porting their data and maybe sharing it with other organizations or even asking one controller to share it with another controller directly,” he said.

Maybe the most useful way for businesses to look at GDPR is as a kick in the pants toward policies they ought to have in place anyway. Many things required by GDPR, like consent management, complete lineage, provenance, data and metadata analysis have typically been underfunded in enterprises, according to Dobrin.

GDPR brings these and customer-first approaches to the front burner, like it or not. “Four percent of your total revenue per incident — boy, that’s a big motivator. That surely makes justification a lot easier,” he said.

“It can become a step toward really becoming a data-driven company,” Langhorst said.

The big ‘how?’

The recommended first step to compliance for businesses is to start gleaning intelligence on all their data, Hogg pointed out. “The burning issue I get often from chief privacy officers and CSOs [chief security officers], is, ‘I have no idea where my personal data is in the business. Please help me find it,'” he said.

Companies must apply tools to first gain visibility of their data and start setting some policies around it, Hogg advised.

Realizing the heft of this task, IBM partners with many other vendors to build solutions for different customers. “We recognize that, as companies, you have businesses to run and you’re not going to replace your entire stack to become ready for GDPR,” Dobrin said.

IBM has put significant effort into making its cloud GDPR compliant. “We had to get it ready for ourselves; it’s ready for our clients as well. So you can move your data to our cloud and be ready for GDPR more rapidly if you need to, so it’s almost a GDPR as a service kind of model,” Dobrin concluded.

Stay tuned for the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s independent editorial coverage of the IBM Fast Track Your Data event. (* Disclosure: TheCUBE is a paid media partner for IBM Fast Track Your Data. Neither IBM nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE