Share with your friends

The new landscape of privacy: a balancing act of customer expectations and GDPR

The new landscape of privacy

Companies know more about their consumers than ever before.


Related content


The digital economy has allowed organizations to collect more information about their customers than ever before. During the last decade, companies are also starting to see the possibilities in terms of enhancing customer experience, customer targeting, and product placement. Digitalization and large scale analysis becomes more and more accessible for every business, leading to an increase of customer data collection.

Customers generally understand that their data is being collected by the organizations they deal with on a daily basis. However, if the customer would become aware of the fact that the organization is using their data in a number of unknown ways, personal data collection risks alienating consumers and 'creeping them out'.

In Europe companies will be facing several realities in the coming months that will have a serious impact on digital privacy, one of the most prominent in this sphere being the General Data Protection Regulation (GDPR) which enters into force on the 25th of May 2018.

The General Data Protection Regulation

GDPR aims to help tackle some of the fears consumers have about how their data is being used. In a recent study by KPMG, we already see that 55% of customers have decided not to make an online purchase based on privacy concerns, and less than 20% are happy to disclose information on their online search history, income, location, address or medical records. It is issues like these that the GDPR aims to tackle by helping to stimulate the Digital Single Market in the EU by creating trust and legal certainty in the online environment. It is clear that the GDPR establishes a modern and harmonized data protection framework strengthening the rights of the EU citizen’s.

What does this mean for companies?

Companies are facing two-sides of the same issue. On one hand, they have to look to their customers. This means understanding consumers’ sensitivities around the use of their personal data is central to establishing and maintaining trust between consumer and company.

For companies seeking to use consumer data to personalize their marketing and services to the individual, build brand loyalty and develop better products, it is important they understand that although opinions on privacy vary around the globe, it is clear that, more than anything, consumers value privacy over convenience.

On the other hand, GDPR brings a new element to customer trust. The boundaries now contain a legal component. For example, new types of data will now be considered personal data, such as biometric data, and companies will have to look at how they are currently handling this data. As companies begin to adapt their privacy strategies to align with customers’ needs, they also need to start adjusting day-to-day operations in order to take into account the new rights of the individual, such as the provision of information or the right to be forgotten.

Security breaches and accountability

The GDPR also brings a new reality in the way companies should handle data breaches. Most companies today are aware that the question is no longer hypothetical; that it is no longer a question of if, but when they will face a cyber attack. However, when it happens will they be able to respond in time?

With the arrival of the GDPR companies will be expected to report the attack as soon as possible, and no later than 72 hours after discovery. Inaccurate or late reporting could even mean fines and penalties for the organization.

Companies do not have the luxury of being unprepared in facing a cyber threat. The first 48 hours after the incident are crucial, and so it is important that the organization can immediately take the right steps. "For businesses, it is essential to know what skills they possess internally and externally to quickly react. When you are faced with a cyber attack, it is too late to start negotiating a contract with a third party, "says Benny Bogaerts, Director of Cyber Security and Privacy at KPMG in Belgium.

Where to begin?

All of this combined makes it an ideal time for companies and organizations to look at their cyber strategy and practices. An assessment of current data policies, security defenses in place, and response plans is a good starting point for any company. 

More importantly, companies need to use the current momentum provided by the changing regulatory landscape to strengthen their privacy across the board and turn new strategies into advantages. Cyber security and privacy will only become more important as the Internet of Things grows, and as new innovations enter the market place. “This is the landscape that should be used to bolster a company’s privacy now at the starting gate rather than scrambling to catch up down the road,” says Benny Bogaerts Director of Cyber Security and Privacy at KPMG in Belgium.

© 2020 KPMG Central Services, a Belgian Economic Interest Grouping ("ESV/GIE") and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. 

For more detail about the structure of the KPMG global organization please visit

Connect with us


Want to do business with KPMG?


loading image Request for proposal