The cost of complying with the European Union's General Data Protection Regulation might seem like something best deferred until it comes into force in 2018, but working on compliance just might boost profit, not reduce it.
The GDPR, the EU's latest rewrite of its data privacy laws, doesn't take effect until May 25, 2018, but IT companies are already talking up their software and services for complying with the new rules.
It's not just an issue for EU enterprises: Any company processing the personal information of EU citizens is affected.
What those companies can do with that information is more tightly controlled than before. Collection and processing of sensitive information is only allowed if the person concerned opts in, unless the information processing is necessary to fulfill a contract or to protect the person's vital interests.
That contract fulfillment provision isn't a catch-all, either: If someone wants to buy a pair of sunglasses online, you can't insist that they tell you their shoe size, for example, before accepting their order. The data collection has to be necessary.
Businesses not only have to protect their customers' data, they have an obligation to tell them if they slip up. Data breaches that pose a significant risk to those concerned must be disclosed within 72 hours.
The cost of not complying could be high: a fine of up to €20 million (US$22 million) or 4 percent of worldwide revenue, not to mention the resulting decline in customer confidence.
One of the GDPR's requirements would be a sensible first step for many businesses even if it weren't mandated: that companies classify all the data they hold that falls under the new regulation.
That one step could be a money-maker, rather than a money pit, according to Joe Garber, Hewlett Packard Enterprise's global vice president of marketing for information management and governance software.
"Once you get your data in order, once you get insight into your information, then you can mine that information for value, strategic information about what your customers really want."
There's also scope for cost savings on a number of fronts.
By moving their data into a central, searchable repository, businesses may find they can retire older applications. "We've had customers shutting down thousands of apps," Garber said.
And in examining that data, they may find they're better off not storing it at all. "Some percentage of that information won't have value for the organization, and at $20 per gigabyte for its lifecycle, it has a cost."
So is evaluating which information falls under the GDPR going to be a make-work project, as thousands of terminal operators repeatedly choose to "protect," "ignore" or "delete" as they click through customer records and email files?