
How GDPR is transforming data-protection strategies in business | McKinsey

<!DOCTYPE html><html dir="ltr" lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1.0"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><script async="" src="//sandbox.piano.io/xbuilder/experience/load?aid=cJo8WPy0su"></script><script></script><script>var McKinsey = {"ArticleTemplate":"Legacy","DaysSinceCMSPublication":"722","DisplayDate":"7/31/2018","OriginalPublicationDate":"7/31/2018","SitecoreId":"{87B03051-0343-469A-BD0B-565CB5BE8F3E}","Title":"Data privacy: What every manager needs to know","ArticleType":"Podcast","ContentType":"Article","ServerNumber":"","IsPageRestricted":"true","UserID":"","RegistrationDate":"","LoginStatus":"logged_out","JobTitle":"","CompanyName":"","blogTags":null,"enableRegWall":false}; var pageMetaInformation = {"CurrentLanguage":"en","AlternateLanguages":[{"DisplayName":"English","LanguageCode":"en","Url":"/capabilities/risk-and-resilience/our-insights/data-privacy-what-every-manager-needs-to-know"}],"NavigationLink":"capabilities","ActiveItemId":"{3AD2CD7B-AFBF-4D20-8B18-D7D636A6AB49}","OfficeCode":"","MiniSiteId":"{7E1123A0-D44E-48D3-8D53-2EE9F8393F0D}"};</script><link rel="icon" href="/favicon.ico"/><link href="https://www.mckinsey.com/redesign/resources/css/styles-rc.css" rel="stylesheet"/><link rel="manifest" href="/manifest.json"/><link rel="dns-prefetch" href="//cdn.dynamicyield.com"/><link rel="dns-prefetch" href="//st.dynamicyield.com"/><link rel="dns-prefetch" href="//rcom.dynamicyield.com"/><link rel="dns-prefetch" href="//cdn.cookielaw.org"/><link rel="preconnect" href="//assets.adobedtm.com"/><link rel="preconnect" href="//connect.facebook.net"/><link rel="preconnect" href="//static.hotjar.com"/><link rel="preload" as="font" href="/next-static/fonts/bower/Bower-Bold.woff2" type="font/woff2" crossorigin=""/><link rel="preload" as="font" href="/next-static/fonts/mckinsey-sans/regular/McKinseySans-Regular.woff2" type="font/woff2" crossorigin=""/><link rel="preload" 
as="font" href="/next-static/fonts/mckinsey-sans/medium/McKinseySans-Medium.woff2" type="font/woff2" crossorigin=""/><link rel="preload" as="font" href="/next-static/fonts/mckinsey-sans/light/McKinseySans-Light.woff2" type="font/woff2" crossorigin=""/><link rel="preload" as="font" href="/next-static/fonts/mckinsey-sans/italic/McKinseySans-Italic.woff2" type="font/woff2" crossorigin=""/><link rel="preload" as="font" href="/next-static/fonts/mckinsey-sans/light-italic/McKinseySans-LightItalic.woff2" type="font/woff2" crossorigin=""/><link rel="preload" as="font" href="/next-static/fonts/mckinsey-sans/medium-italic/McKinseySans-MediumItalic.woff2" type="font/woff2" crossorigin=""/><meta name="apple-itunes-app" content="app-id=674902075"/><link rel="apple-touch-icon" sizes="57x57" href="/next-static/images/mck-touch-icon-57x57.png"/><link rel="apple-touch-icon" sizes="72x72" href="/next-static/images/mck-touch-icon-72x72.png"/><link rel="apple-touch-icon" sizes="114x114" href="/next-static/images/mck-touch-icon-114x114.png"/><link rel="apple-touch-icon" sizes="144x144" href="/next-static/images/mck-touch-icon-144x144.png"/><link rel="apple-touch-icon" sizes="152x152" href="/next-static/images/mck-touch-icon-152x152.png"/><link rel="apple-touch-icon" sizes="167x167" href="/next-static/images/mck-touch-icon-167x167.png"/><link rel="apple-touch-icon" sizes="180x180" href="/next-static/images/mck-touch-icon-180x180.png"/><meta content="no-referrer-when-downgrade" name="referrer"/><meta content="McKinsey &amp; Company" property="og:site_name" name="site_name"/><meta content="Data privacy: What every manager needs to know" property="og:title" name="title"/><meta content="As companies begin to follow the principles of GDPR, the EU directive on data protection, they must better understand what personal information really is and how to manage it properly." 
property="og:description" name="description"/><meta content="https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/data-privacy-what-every-manager-needs-to-know" name="url" property="og:url"/><meta content="index,follow,all" name="robots"/><meta content="https://www.mckinsey.com/~/media/mckinsey/business%20functions/risk/our%20insights/data%20privacy%20what%20every%20manager%20needs%20to%20know/data-privacy-what-every_913017298_1536x1536.jpg" property="og:image" name="image"/><meta content="{87B03051-0343-469A-BD0B-565CB5BE8F3E}" name="sid"/><link href="https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/data-privacy-what-every-manager-needs-to-know" rel="canonical"/><meta content="Risk &amp; Resilience" name="practice-name"/><meta content="N11" name="practice-code"/><meta content="summary_large_image" name="twitter:card"/><meta content="@mckinsey" name="twitter:site"/><title>How GDPR is transforming data-protection strategies in business | McKinsey</title><meta content="Insights &amp; Publications" name="sections"/><meta content="Data privacy: What every manager needs to know" name="twitter:title"/><meta content="As companies begin to follow the principles of GDPR, the EU directive on data protection, they must better understand what personal information really is and how to manage it properly." 
name="twitter:description"/><meta content="Article" property="contenttype" name="contenttype"/><meta content="https://www.mckinsey.com/~/media/mckinsey/business%20functions/risk/our%20insights/data%20privacy%20what%20every%20manager%20needs%20to%20know/data-privacy-what-every_913017298_1536x1536.jpg?mw=677&amp;car=42:25" name="twitter:image"/><meta content="Data privacy: What every manager needs to know" name="twitter:image:alt"/><meta content="public" name="accesslevel"/><meta content="false" name="excludefromclientlink"/><meta content="podcast" name="articletype"/><meta content="2018-07-31T00:00:00Z" name="itemdate"/><meta content="Risk &amp; Resilience | Podcast | July 31, 2018" name="searchresults-tags"/><script type="application/ld+json">{"@context":"https://schema.org","@type":"Article","url":"https://www.mckinsey.com","publisher":{"@type":"Organization","name":"McKinsey & Company","logo":{"@type":"ImageObject","url":"https://www.mckinsey.com/~/media/Thumbnails/Mck_Logo"}},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/data-privacy-what-every-manager-needs-to-know"},"datePublished":"2018-07-31T20:57:00Z","dateCreated":"2018-08-03T17:12:26Z","dateModified":"2018-07-31T00:00:00Z","heading":"Data privacy: What every manager needs to know","image":"https://www.mckinsey.com/~/media/mckinsey/business%20functions/risk/our%20insights/data%20privacy%20what%20every%20manager%20needs%20to%20know/data-privacy-what-every_913017298_1536x1536.jpg","description":"As companies begin to follow the principles of GDPR, the EU directive on data protection, they must better understand what personal information really is and how to manage it properly."}</script><meta name="next-head-count" content="57"/><meta name="next-font-preconnect"/><script src="" id="gtag-manager" data-nscript="beforeInteractive"> (function(w, d, s, l, i) { w[l] = w[l] || []; w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' }); 
var f = d.getElementsByTagName(s)[0], j = d.createElement(s), dl = l != 'dataLayer' ? '&l=' + l : ''; j.async = true; j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl; f.parentNode.insertBefore(j, f); })(window, document, 'script', 'dataLayer', 'GTM-NJ7TLQ2W'); </script><script src="" id="onetrust-wrapperchecker" data-nscript="beforeInteractive">function OptanonWrapperChecker() {}</script><link rel="preload" href="/_next/static/css/b4162f37e49d8081.css" as="style"/><link rel="stylesheet" href="/_next/static/css/b4162f37e49d8081.css" data-n-g=""/><link rel="preload" href="/_next/static/css/263b89d6f62640b6.css" as="style"/><link rel="stylesheet" href="/_next/static/css/263b89d6f62640b6.css" data-n-p=""/><link rel="preload" href="/_next/static/css/b9ab7b649e8aa36e.css" as="style"/><link rel="stylesheet" href="/_next/static/css/b9ab7b649e8aa36e.css"/><link rel="preload" href="/_next/static/css/72fc56b1fbe032aa.css" as="style"/><link rel="stylesheet" href="/_next/static/css/72fc56b1fbe032aa.css"/><link rel="preload" href="/_next/static/css/5e45d445fc213154.css" as="style"/><link rel="stylesheet" href="/_next/static/css/5e45d445fc213154.css"/><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/_next/static/chunks/polyfills-5cd94c89d3acac5f.js"></script><script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" data-document-language="true" type="text/javascript" data-domain-script="915b5091-0d7e-44d2-a8c4-cf08267e52fe" defer="" data-nscript="beforeInteractive"></script><script defer="" src="/_next/static/chunks/281.b4ac7d01a30ec2f7.js"></script><script defer="" src="/_next/static/chunks/6731.9bccca8a7edb0704.js"></script><script defer="" src="/_next/static/chunks/2354.05223bcb67691d75.js"></script><script defer="" src="/_next/static/chunks/2991.4cb0aa2f9f53e653.js"></script><script defer="" src="/_next/static/chunks/8391.9f0f27f73b780083.js"></script><script src="/_next/static/chunks/webpack.a343cb3226d712c3.js" 
defer=""></script><script src="/_next/static/chunks/framework.62bbe2ca94854a85.js" defer=""></script><script src="/_next/static/chunks/main.51e10588adc949ca.js" defer=""></script><script src="/_next/static/chunks/pages/_app.efd8da288ba65325.js" defer=""></script><script src="/_next/static/chunks/3b1baa31.cd6cdac6158774d8.js" defer=""></script><script src="/_next/static/chunks/7d0bf13e.8f3383787afb45af.js" defer=""></script><script src="/_next/static/chunks/1354.c34ddc4bd7c986c8.js" defer=""></script><script src="/_next/static/chunks/408.f1e6dcef6986b377.js" defer=""></script><script src="/_next/static/chunks/pages/%5B%5B...path%5D%5D.0e7d31a1f4d90875.js" defer=""></script><script src="/_next/static/jIkMSrTx4uqE8V-HInFJO/_buildManifest.js" defer=""></script><script src="/_next/static/jIkMSrTx4uqE8V-HInFJO/_ssgManifest.js" defer=""></script><script src="/_next/static/jIkMSrTx4uqE8V-HInFJO/_middlewareManifest.js" defer=""></script> <script>(window.BOOMR_mq=window.BOOMR_mq||[]).push(["addVar",{"rua.upush":"false","rua.cpush":"false","rua.upre":"false","rua.cpre":"false","rua.uprl":"false","rua.cprl":"false","rua.cprf":"false","rua.trans":"","rua.cook":"false","rua.ims":"false","rua.ufprl":"false","rua.cfprl":"false","rua.isuxp":"false","rua.texp":"norulematch","rua.ceh":"false","rua.ueh":"false","rua.ieh.st":"0"}]);</script> <script>!function(a){var e="https://s.go-mpulse.net/boomerang/",t="addEventListener";if("False"=="True")a.BOOMR_config=a.BOOMR_config||{},a.BOOMR_config.PageParams=a.BOOMR_config.PageParams||{},a.BOOMR_config.PageParams.pci=!0,e="https://s2.go-mpulse.net/boomerang/";if(window.BOOMR_API_key="TURRK-8ADJT-WDUC5-TC32E-KV9ND",function(){function n(e){a.BOOMR_onload=e&&e.timeStamp||(new Date).getTime()}if(!a.BOOMR||!a.BOOMR.version&&!a.BOOMR.snippetExecuted){a.BOOMR=a.BOOMR||{},a.BOOMR.snippetExecuted=!0;var i,_,o,r=document.createElement("iframe");if(a[t])a[t]("load",n,!1);else 
if(a.attachEvent)a.attachEvent("onload",n);r.src="javascript:void(0)",r.title="",r.role="presentation",(r.frameElement||r).style.cssText="width:0;height:0;border:0;display:none;",o=document.getElementsByTagName("script")[0],o.parentNode.insertBefore(r,o);try{_=r.contentWindow.document}catch(O){i=document.domain,r.src="javascript:var d=document.open();d.domain='"+i+"';void(0);",_=r.contentWindow.document}_.open()._l=function(){var a=this.createElement("script");if(i)this.domain=i;a.id="boomr-if-as",a.src=e+"TURRK-8ADJT-WDUC5-TC32E-KV9ND",BOOMR_lstart=(new Date).getTime(),this.body.appendChild(a)},_.write("<bo"+'dy onload="document._l();">'),_.close()}}(),"".length>0)if(a&&"performance"in a&&a.performance&&"function"==typeof a.performance.setResourceTimingBufferSize)a.performance.setResourceTimingBufferSize();!function(){if(BOOMR=a.BOOMR||{},BOOMR.plugins=BOOMR.plugins||{},!BOOMR.plugins.AK){var e=""=="true"?1:0,t="",n="bdpnbeqxgy4diz5tdu6q-f-f94141395-clientnsv4-s.akamaihd.net",i="false"=="true"?2:1,_={"ak.v":"39","ak.cp":"19387","ak.ai":parseInt("285213",10),"ak.ol":"0","ak.cr":3,"ak.ipv":4,"ak.proto":"http/1.1","ak.rid":"d10dfc8","ak.r":37669,"ak.a2":e,"ak.m":"a","ak.n":"essl","ak.bpcip":"8.222.208.0","ak.cport":39282,"ak.gh":"23.53.33.206","ak.quicv":"","ak.tlsv":"tls1.2","ak.0rtt":"","ak.0rtt.ed":"","ak.csrc":"-","ak.acc":"reno","ak.t":"1739791677","ak.ak":"hOBiQwZUYzCg5VSAfCLimQ==Ga+RIv+AZ++fRA6oA2BxmT9/TKQYTRmCUhg/olLvUvP4H18rlPx8zYja1/ge1SDuc7fRPkKV1n/YuOyP1dLMPhI+qYoYL5PX4ZEv681bKJwg8PkyXfFPc4P/6lLlq6VnSjA7WEcTeU5VSHT3Oo+KxO6W9rs10d1cOQPsvkeiF1KgISB1dMTTIxuuzpVW4v4fiIWiBUnUVYp6RBc1F9sYj3J+FxjdZHlBcWCYPThMVGk+8vECfurj/IpZ73Nyxyuq0bpwDQVJ/lVuNEX1ktHeNDdlYPwBIresfcIuPqDBWOqCmdwO7i3sM3Ld1ubGOT1PXSmIFiAxLGPMdRO+Lgbhto+B0Xp3oaFC0/aMTLml2BtEKK8Vl5YSqXo6dJQGnbI86FD28v4oACO44qc8BpAhxZ/eGwPD6KTJhqhoggIzMAk=","ak.pv":"597","ak.dpoabenc":"","ak.tf":i};if(""!==t)_["ak.ruds"]=t;var o={i:!1,av:function(e){var 
t="http.initiator";if(e&&(!e[t]||"spa_hard"===e[t]))_["ak.feo"]=void 0!==a.aFeoApplied?1:0,BOOMR.addVar(_)},rv:function(){var a=["ak.bpcip","ak.cport","ak.cr","ak.csrc","ak.gh","ak.ipv","ak.m","ak.n","ak.ol","ak.proto","ak.quicv","ak.tlsv","ak.0rtt","ak.0rtt.ed","ak.r","ak.acc","ak.t","ak.tf"];BOOMR.removeVar(a)}};BOOMR.plugins.AK={akVars:_,akDNSPreFetchDomain:n,init:function(){if(!o.i){var a=BOOMR.subscribe;a("before_beacon",o.av,null,null),a("onbeacon",o.rv,null,null),o.i=!0}return this},is_complete:function(){return!0}}}}()}(window);</script></head><body><noscript><iframe title="Google Tag Manager" src="https://www.googletagmanager.com/ns.html?id=GTM-NJ7TLQ2W" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript><div id="__next" data-reactroot=""><div class="Layout_mck-c-skipbar__K684J"><a data-component="mdc-c-link" href="#skipToMain" class="mdc-c-button___U4iY2_8032924 mdc-c-button--primary___Ed-lT_8032924 mdc-c-button--size-medium"><span class="mdc-c-link__label___Pfqtd_8032924">Skip to main content</span></a></div><main class="mck-o-container--outer" data-layer-region="body" role="main" id="skipToMain"><div data-component="mdc-c-module-wrapper" data-module-theme="dark" data-module-background="deep-blue" data-module-category="AnchoredHero" class="ArticleDefault_mck-c-article-default__SfYQE"><style></style><div data-component="mdc-c-background-image" class="mdc-c-bg-image___GJdv1_8032924 background-image-article-default ArticleDefault_mck-c-article-default__parallax-container__fZ7Iq"></div><div class="ArticleDefault_mck-c-article-default__gradient__Uu21n"></div><div class="ArticleDefault_mck-c-article-default__wrapper-content__XOe9C"><div class="mck-o-container"><div class="mck-o-container--wrapped mck-o-container--mobile-spacing mdc-u-grid mdc-u-grid-col-lg-12"><div data-component="mdc-c-content-block" class="mdc-c-content-block___7p6Lu_8032924 mdc-u-grid-col-lg-start-1 mdc-u-grid-col-lg-span-10"><div><h1 
data-component="mdc-c-heading" class="mdc-c-heading___0fM1W_8032924 mdc-u-ts-2 mck-u-animation-slide-down ArticleDefault_mck-c-article-default__heading__bv6rL"><div>Data privacy: What every manager needs to know</div></h1></div><div data-component="mdc-c-description" class="mdc-c-description___SrnQP_8032924 mdc-u-ts-10 mck-u-animation-blur-in-800 ArticleDefault_mck-c-article-default__description__sjoe9"><div><time datetime="2018-07-31T00:00:00Z">July 31, 2018</time> | Podcast</div></div></div></div></div></div></div><div class="mck-o-container"><div class="mck-o-container--wrapped mck-o-container--mobile-spacing mdc-u-grid mdc-u-grid-gutter-xxl"><section data-layer-region="article-body-header" class="mdc-u-grid mdc-u-grid-col-md-12 mck-u-animation-blur-in-400 byline-share-container"><div class="mdc-u-grid-col-md-start-2 mdc-u-grid-col-md-end-7 mdc-u-grid-col-lg-start-3 mdc-u-grid-col-lg-end-8 mdc-u-ts-10"></div></section><section class="mdc-u-grid mdc-u-grid-col-md-12 mck-u-animation-blur-in-400"><div class="mdc-u-grid-col-md-start-2 mdc-u-grid-col-md-end-12 mdc-u-grid-col-lg-start-3 mdc-u-grid-col-lg-end-11"><div data-component="mdc-c-description" class="mdc-c-description___SrnQP_8032924 mdc-u-ts-5"><div class="mck-u-links-inline">As companies begin to follow the principles of GDPR, the European Union directive on data protection, they must better understand what personal information really is and how to properly manage it.</div></div></div></section><main data-layer-region="article-body" class="mdc-u-grid mdc-u-grid-gutter-xxl"><div class="mdc-u-grid mdc-u-grid-col-1 mdc-u-grid-col-md-12"><div class="mdc-u-grid-col-md-start-2 mdc-u-grid-col-md-end-12 mdc-u-grid-col-lg-start-3 mdc-u-grid-col-lg-end-11"><div class="mdc-o-content-body mck-u-dropcap"><div data-component="mdc-c-module-wrapper" data-module-theme="default" data-module-background="transparent" data-module-category="" class="DownloadsSidebar_mck-c-downloads-sidebar__iFmyt mck-o-xs-right-span"><div 
data-layer-region="downloads-right-rail"><h3 data-component="mdc-c-heading" class="mdc-c-heading___0fM1W_8032924 mdc-c-heading--title___5qyOB_8032924 mdc-c-heading--border___K8dj3_8032924"></h3><div><div data-component="mdc-c-link-container" class="mdc-c-link-container___xefGu_8032924"><a data-component="mdc-c-link" href="#/download/%2F~%2Fmedia%2Fmckinsey%2Fbusiness%20functions%2Frisk%2Four%20insights%2Fdata%20privacy%20what%20every%20manager%20needs%20to%20know%2Fdata-privacy-what-every-manager-needs-to-know-web-final.pdf%3FshouldIndex%3Dfalse" class="DownloadsSidebar_mck-c-downloads-sidebar__download-link__fPqFQ mdc-c-link___lBbY1_8032924" target="_self" data-layer-event-prefix="Download Link" data-layer-action="click" data-layer-report-type="" data-layer-file-name="data-privacy-what-every-manager-needs-to-know-web-final" data-layer-report-name="data-privacy-what-every-manager-needs-to-know-web-final&gt;"><span data-component="mdc-c-icon" class="mdc-c-icon___oi7ef_8032924 mdc-c-icon--size-md___yi5fA_8032924 mck-download-icon"></span><span class="mdc-c-link__label___Pfqtd_8032924"> (PDF-271 KB)</span></a></div></div></div></div> <p><strong>In this episode</strong> of the <em>McKinsey Podcast</em>, McKinsey partner Kayvaun Rowshankish and associate partner Alexis Trittipo speak with Simon London about the European Union’s newly implemented General Data Protection Regulation (GDPR), what it means, who it affects, and how companies can better manage personal data.</p> <!-- --> <h4>Podcast transcript</h4> <p>Hello, and welcome to this edition of the <em>McKinsey Podcast</em>, with me, Simon London. Whatever business you’re in, like it or not, you’re in the data-privacy business. The data you collect on customers, employees, prospects, even visitors to your buildings or your websites is increasingly subject to rules and regulations. The new European data-protection directive, GDPR, is part of the story but it’s not the whole story by any means. 
Joining me today to discuss the issues are two McKinsey consultants who spend their time working with clients on exactly these issues related to data, analytics, technology, privacy, and risk. They are Kayvaun Rowshankish, who is a partner based in New York, and Alexis Trittipo, an associate partner, also based in New York. Kayvaun and Alexis, thanks very much for joining.</p> <p><strong>Alexis Trittipo:</strong> Absolutely. Excited to join you.</p> <p><strong>Kayvaun Rowshankish:</strong> Pleasure to be here.</p> <p><strong>Simon London:</strong> Data privacy: It feels like it’s becoming a general management topic. Data in general, but data privacy as part of that. This definitely feels like something that, if you are a general manager, certainly in marketing, in sales and technology, but probably a whole bunch of other areas too, you have to know about this.</p> <p><strong>Alexis Trittipo:</strong> As we look at organizations, across industries, personal data is managed at all levels of the organization. It’s not just a problem for the chief data officer or the chief information security officer anymore.</p> <p>This is a problem for HR. It’s a problem for your customer-service representatives. It really spans the organization in terms of who touches personal data and who will need to, quite honestly, understand the regulations that are coming around.</p> <p><strong>Kayvaun Rowshankish:</strong> Every institution is heading in a direction where they are data-centric institutions. If you just take Amazon as an example. Sure, they stick physical products in the mail. But 90 percent of running their business is around data and data of individuals and data that represent the products that they manage. That’s true of most sectors now. The other thing that’s raising this to the management level is the fact that the scope of PII [personally identifiable information] is quite ambiguous. 
We might have thought of it previously as just a customer’s name, maybe their social security number, other information about their whereabouts.</p> <p>But now, because there’s so much sort of behavioral data that’s being captured, there are transactions and so on that are being captured, and multiple ways using advanced analytics to derive that information, it’s just become a much more complex and opaque space.</p> <p><strong>Simon London:</strong> One of the big talking points at the moment is that the European data-protection regulation, GDPR, went into effect at the end of May. I suspect that a lot of managers are only now getting to grips with the operational implications of that. There are probably a lot of institutions, frankly, still scrambling to get compliant. So, Kayvaun, could you give us a quick overview of the contours of GDPR?</p> <p><strong>Kayvaun Rowshankish:</strong> In simple terms, <a href="/capabilities/risk-and-resilience/our-insights/gdpr-compliance-after-may-2018-a-continuing-challenge">the directive aims to protect individuals</a> [GDPR is formally a regulation, not a directive]. And by “individuals,” the focus is European individuals. But that doesn’t mean the institutions outside of Europe are exempt from this. European individuals travel, they have relationships with institutions outside of Europe, and there are third-party relationships with institutions that handle European individuals’ data that then bring the next layer of institutions into scope as well. 
There’s a pretty broad set of firms that are affected.</p> <p>What the directive aims to do, again, in fairly simple terms, is it forces these institutions to put structure and discipline around what PII, personally identifiable information, actually is, where it is, put more choice in the hands of the individuals who the PII relates to, so that they can decide if they even want you to have it, or how to manage it (see sidebar, “The GDPR: Key facts”).</p> <div data-component="mdc-c-module-wrapper" data-module-theme="light" data-module-background="lightest-grey" data-module-category="" data-module-gradient-position="bottom-right" class="mck-c-inline-module-container SideBar_mck-c-sidebar__bgimg-wrapper__Qj4Dt mck-o-sm-left-span SideBar_mck-c-sidebar__sidebar-wrapper__Dpjw2 SideBar_mck-c-sidebar__sidebar-wrapper--istablet__IQ6ii mck-u-screen-only mck-c-module-wrapper" data-layer-region="sidebar"><div class="SideBar_mck-c-sidebar__epoAm mck-o-md-center"><div class="SideBar_mck-c-sidebar__share-icons-wrapper__9gB_c"><div data-component="mdc-c-link-container" class="mdc-c-link-container___xefGu_8032924 mdc-c-link-container--display-column___X0HDD_8032924 SideBar_mck-c-sidebar__share-icons___eQy6"><div data-component="mdc-c-dropdown-menu" class="mdc-c-drop-down"><button data-component="mdc-c-button" aria-label="" type="button" id="button_id" class="mdc-c-button___U4iY2_8032924 mdc-c-button--ghost mdc-c-button--size-medium mdc-c-drop-down__rootmenu___yJzvz_8032924" aria-expanded="false" aria-haspopup="menu"><span data-component="mdc-c-icon" class="mdc-c-icon___oi7ef_8032924 mdc-c-icon--default___f-hQM_8032924 mdc-c-icon--size-md___yi5fA_8032924 mck-share2-icon"></span></button><div data-component="mdc-c-module-wrapper" data-module-theme="light" data-module-background="white" data-module-category="" class=""></div></div><button data-component="mdc-c-button" aria-label="Expandable Sidebar" type="button" id="button_id" class="mdc-c-button___U4iY2_8032924 mdc-c-button--ghost 
mdc-c-button--size-medium SideBar_mck-c-sidebar__toggle-btn__EL8iE" aria-expanded="false" data-layer-event-prefix="UI Item" data-layer-action="click" data-layer-category="sidebar" data-layer-subcategory="open" data-layer-text="open sidebar"><span data-component="mdc-c-icon" class="mdc-c-icon___oi7ef_8032924 mdc-c-icon--radial___y3csX_8032924 mdc-c-icon--size-xxl___cL3ZT_8032924 mck-plus-no-circle-icon"></span></button></div></div><div class="SideBar_mck-c-sidebar__content-outer__UdWCq"><div class="SideBar_mck-c-sidebar__eyebrow__5GSEq"></div><div class="SideBar_mck-c-sidebar__content__raEwe"><h2 data-component="mdc-c-heading" class="mdc-c-heading___0fM1W_8032924 mdc-u-ts-3 SideBar_mck-c-sidebar__content-heading__NJekY"><div>The GDPR: Key facts</div></h2><div class="SideBar_mck-c-sidebar__content-description__4p9iI mdc-u-ts-7"><div class="mdc-o-content-body"><p>The scope of the European Union General Data Protection Regulation (GDPR) is broad, covering personal information that can be linked to an identifiable individual (such as national identification number, employee authentication, payment-transaction history, and date of birth) in any format (structured or unstructured) and in any medium (online, offline, or backup storage).</p> <p>The regulation is designed to protect the privacy of EU residents by introducing stringent consent requirements, data-subject rights, and obligations on organizations that gather, control, and process data. 
Its core requirements cover the following:</p> <p><strong>Record of activities.</strong> Organizations should maintain a record of data-processing activities and be ready to present it to the regulator at any time.</p> <p><strong>Legal basis for data.</strong> All data processing should have a legal basis, such as the consent of the data subject or the need to fulfill a regulatory or legitimate business purpose.</p> <p><strong>Rights of data subjects.</strong> Data subjects are imbued with rights that organizations must honor, such as the right to be forgotten (or, more accurately, to data erasure), the right to data portability, the right to object, the right to revoke consent, and the right to restrict processing.</p> <p><strong>Security.</strong> Organizations should protect data through a set of controls, such as encryption or “pseudonymization,” and have effective operational procedures and policies for handling data safely.</p> <p><strong>Third-party management.</strong> Vendors and suppliers, including outsourcing partners, should be required to protect personal data and should be monitored to ensure that they do so.</p> <p><strong>Privacy by design.</strong> Data protection should be built into business-as-usual processes, so that an organization planning a new technology, product, or service addresses it from the beginning of the development process.</p> <p><strong>Breach notification.</strong> Data breaches likely to result in high risk to individuals’ rights and freedoms should be reported to the authorities within 72 hours and subsequently to the data subjects as well in certain cases.</p> <p>The new regulation is enforced via national supervisory authorities within the European Union that are granted wide-ranging enforcement powers and sanctions, such as the power to ban data processing. The fines for failure to comply are high, as much as 4 percent of annual worldwide revenues. 
The GDPR also allows individuals to seek civil actions (including class-action lawsuits) against organizations that violate their data-protection rights.</p> <p>While GDPR is the most expansive regulation of its kind to date, there has also been movement in other geographies to increase protections around personal data. In the United States, for example, the state of California recently passed the California Consumer Privacy Act of 2018, which holds organizations to similar standards and imbues data subjects with similar rights.</p></div></div></div></div></div></div> <p>It forces those institutions to minimize how much of that data they actually store [and process], puts controls around the PII that they store and process, and then enforces a set of governance and processes around that data, which includes accountability models like putting a privacy officer in place as well as a set of processes to interact with regulators and individuals either in terms of managing their rights or responding to breaches and other types of events in this space.</p> <p>Then lastly, the other thing that this regulation does is it puts in place some fairly severe penalties if you get it wrong. Quite explicitly, there’s a penalty of up to 4 percent of global revenues, so you can be fined anything up to 4 percent of global revenues if you get this wrong. But it also puts in place, because this is going to become a legal requirement, the opportunity for individuals to take civil action against those institutions if they get it wrong.</p> <p><strong>Alexis Trittipo:</strong> <a href="/capabilities/risk-and-resilience/our-insights/the-eu-data-protection-regulation-compliance-burden-or-foundation-for-digitization">GDPR is the first large-scale regulation</a> of this size that’s really aimed at protecting individual rights around personal data. 
The control that it aims to give individuals over their data in things like, I can have it deleted, I can ask to see what a company has on me, at this scale, is unprecedented. It’s a very interesting test case to see how corporations will react. We’ll see over time, both how this plays out in Europe, but also how this plays out globally.</p> <p><strong>Simon London:</strong> Is it right to say that even though GDPR is from Europe, certainly for any large global organization, it becomes the de facto global standard?</p> <p><strong>Alexis Trittipo:</strong> It’s hard to say global standard because what we’re seeing right now as folks are looking to implement it is they’re largely implementing it for their European-based operations and where they touch EU-based customers and clients.</p> <p>But most organizations are thinking about, “If I have to have this level of controls, this level of protection, this level of processes around personal data for Europe, how do I think about that more broadly? And how do I expand that?” And I don’t think organizations are there yet. 
But as we think about it, this will be, globally, the highest standard around controlling and keeping personal data safe.</p> <div data-component="mdc-c-module-wrapper" data-module-theme="default" data-module-background="transparent" data-module-category="" class="mck-c-disruptor1up mck-o-md-center mck-u-inline-module-border-top mck-u-inline-module-border-bottom mck-u-screen-only" data-layer-region="disruptor-1up"><div class="mdc-u-grid mdc-u-grid-gutter-md mdc-u-grid-col-lg-12 mdc-u-grid-col-md-12 "><div class="mdc-u-grid-col-md-span-12"><header data-component="mdc-c-header" class="mdc-c-header"><div class="mdc-c-header__block___i1Lg-_8032924"><h3 data-component="mdc-c-heading" class="mdc-c-heading___0fM1W_8032924"><div>Would you like to learn more about our <a href="/capabilities/risk-and-resilience/how-we-help-clients">Risk Practice</a>?</div></h3></div></header><div data-component="mdc-c-link-container" class="mdc-c-link-container___xefGu_8032924 mdc-c-link-container--display-column___X0HDD_8032924 mck-c-disruptor1up__content Disruptor1Up_mck-c-disruptor1up__content--links__VV4lE mdc-u-grid-gutter-md"><a data-component="mdc-c-link" href="/capabilities/risk-and-resilience/how-we-help-clients/risk-and-regulation" class="mdc-c-link-cta___NBQVi_8032924"><span class="mdc-c-link__label___Pfqtd_8032924">Visit our Risk &amp; Regulation page</span><span data-component="mdc-c-icon" class="mdc-c-icon___oi7ef_8032924 mck-link-arrow-right-icon"></span></a></div></div></div></div> <p><strong>Kayvaun Rowshankish:</strong> There’s a fair bit of noise around this issue as to whether the US should adopt consistent standards and just implement them across the US or if the needs of the US market are sufficiently different that they come up with something different. I think the same is probably true of other regions.</p> <p>We do expect that there will be other regulations emerging covering regions that GDPR doesn’t cover today that aim to address similar issues. 
If you look at history and regulations, things that came out of Europe first, the US chose to do something different.</p> <p>If the same thing happens here, it’s going to cause all kinds of problems. Because the systems that global institutions use for managing data of European individuals are the same systems they use for managing US individuals’ information. If you have to start applying different standards and controls to those systems and processes, it’s just going to cause a lot of fragmentation and redundancy and inefficiency, potentially leakage, and distraction of mind share because you’ve got too many different standards to deal with trying to address the same thing.</p> <p>I do think that it would be ideal if there was some consistency and this became somewhat of a default that others tried to embrace and stretch out to other regions. But, as I say, if the past is anything to go by, it does give me pause that that would happen.</p> <p><strong>Simon London:</strong> One of the things that I read about GDPR is that it is principles based [exhibit]. Looking at a couple of principles laid out, these are pretty broad. I wonder, could you just give us a couple of examples of what it really requires of companies?</p> <p><strong>Alexis Trittipo:</strong> As you think about a principles-based regulation like GDPR, it leaves a lot open to interpretation. The principles are quite high-level. Each individual company will have to figure out how they’re interpreting that, what the scope is, and what that means for them. And we’ll see over time as regulators react to that.</p> <p>One is around storage limitation. This is a principle that says basically, “Don’t keep data longer than you need it for an active reason that you’ve told the data subject.” And when I say “data subject,” it could be a customer, an employee, it’s a person like you or me.</p> <p>This is contrary to the ways companies manage data today. Typically, I think, “Oh, I want to collect the data. 
I’m going to keep it for as long as I want. I’m going to use it in a bunch of different analyses.” I don’t think about, unless there’s a regulatory reason, deleting that data. I just keep it in my central data warehouse, or, more likely, in various warehouses.</p> <div data-component="mdc-c-module-wrapper" data-module-theme="default" data-module-background="transparent" data-module-category="" class="mck-c-inline-module-container mck-o-md-center"><div class="mck-c-content-header"><div class="ContentHeader_mck-c-content-header__eyebrow__cBTe_"></div></div><div class="mck-u-inline-module-border-bottom"><picture data-component="mdc-c-picture" class="Exhibit_mck-c-exhibit__image__pyIDm"><source media="(min-width: 768px)" srcSet="/~/media/mckinsey/business%20functions/risk/our%20insights/data%20privacy%20what%20every%20manager%20needs%20to%20know/svgz_tackling_gdpr_ex1.svgz?cq=50&amp;cpy=Center"/><img alt="The General Data Protection Regulation sets out guiding principles for data protection." src="/~/media/mckinsey/business%20functions/risk/our%20insights/data%20privacy%20what%20every%20manager%20needs%20to%20know/svgz_tackling_gdpr_ex1.svgz?cq=50&amp;cpy=Center" loading="lazy"/></picture></div><div class="mck-u-sr-only"></div></div> <p>Companies are really going to have to keep track of how long they’ve had data and actively go about a process of data deletion. One of the things that’s very challenging is how do I reconcile where I have to keep something for a legal reason, or for a tax reason, or a compliance reason, and where I need to delete it for this principle of limiting the length of time of data storage. That’s something that companies are going to have to grapple with.</p> <p>Another example is limitation around the purpose. The regulation requires you to tell the data subject why you’re collecting the data. And it has to be collected for a specified, legitimate purpose. 
Then once you’ve used it for that legitimate purpose, you can’t really use it for anything else, according to the regulation. So if I’ve said, “Hey, I’m collecting this information so I can open a bank account for you,” for example, I can’t then use that information to do marketing or other things. As companies think about this, the types of disclosures they have to make to data subjects will become important so that they can use the data for business purposes that they’ll need it for.</p> <p><strong>Kayvaun Rowshankish:</strong> The other thing that I think most institutions are grappling with is just defining scope. Just simply the starting point of, “OK, who are covered individuals? And how do I define what is PII related to those individuals?”</p> <p>So, sure, customers are covered. Employees are covered. But as you get into sort of visitors to buildings where you have to enter some information to get access to the building, they may be leaving PII behind. You have noncustomers that are making inquiries. At what point do they actually become your responsibility to protect information that they’re entering in your website, for example?</p> <p>And what is PII? There’s obviously name, address, social security number. But as you get into things like IP address or clickstream information, it’s not clear that that would be covered necessarily, and it would be extremely hard to put the types of controls around this stuff that the regulation’s asking for.</p> <p><strong>Simon London:</strong> Although GDPR is very principles-based, there are some very specific rights, aren’t there? If you’re an EU resident, you get granted some very specific rights under GDPR. 
Can you just talk a little bit about those?</p> <p><strong>Alexis Trittipo:</strong> That’s right. And, again, when we think about the purpose of this regulation, a lot of it is to give folks more control over their personal data. And so those rights are things like the right to access. An EU resident would have the right to call up a company and say, “I want to see all of the personal data you have on me.”</p> <p>Another one is, the right to erasure, also called the right to be forgotten, which I can call up a company and say, “I want you to delete all the personal data you have on me.” There’s things like the right to portability. I can ask for my data to be transmitted to someone else.</p> <p>There’s the right to not be processed in a fully automated fashion, which says, “I want a person involved in the decision making on me. I don’t want to have decisions made on me based on analytics or based on machines or based on robots.”</p> <p>All of those rights are very core to GDPR. As companies think through how to comply, being able to ensure that they can meet each of these data-subject rights, within the allotted time frame, which for many of them is 30 days to get back to the data subject, will be quite important.</p> <p><strong>Kayvaun Rowshankish:</strong> The other approach which is likely is that they will just determine some cost benefit of even having that person as a customer. And for many of those that say, “No, I don’t agree to you automating decisions around me. I don’t agree to you storing this type of information about me,” then many institutions will just say, “Fine. 
I’m sorry, I can’t have you as a customer.”</p> <div data-module-category="" class="PullQuote_mck-c-pullquote__DbaQ5 mck-o-lg-center"><blockquote data-component="mdc-c-blockquote" class="PullQuote_mck-c-blockquote__6n21p mdc-c-blockquote mdc-c-blockquote--is-quotes___TozKo_8032924"><p>In order to get GDPR right, in order to get privacy right, you need the entire organization to be moving in the same direction.</p></blockquote></div> <p><strong>Simon London:</strong> You mentioned the requirement [for certain companies] to appoint a chief data-protection officer as part of the new regulation. What is the work the data-protection officers do? It sounds like quite a pivotal role in actually coming to answer a lot of these open questions.</p> <p><strong>Alexis Trittipo:</strong> The data-protection officer, or DPO, is the hub of the wheel when it comes to <a href="/capabilities/risk-and-resilience/our-insights/tackling-gdpr-compliance-before-time-runs-out">GDPR compliance</a>, and they should be very much central when it comes to data privacy overall to help facilitate when data subjects come and say, “I want to exercise one of my rights.” To help facilitate when there’s a data breach and making sure that there’s the right notifications to regulators. To really ensure that there’s consistency of data standards in the policies and the procedures. This person is the accountable party for GDPR.</p> <p><strong>Kayvaun Rowshankish:</strong> What’s quite interesting about this role and has become quite a thorny issue is that the DPO is responsible to the agencies and the authorities, not to the institution that they’re employed by. Plus, there’s language in the regulations that says that they need to have very senior reporting lines, whether to the CEO or the board.</p> <p>What it actually means, and I think what most are interpreting it to mean, is that they need access too. And to Alexis’s point, they are accountable. But in very legal terms. 
If there is a breach and there is a penalty and someone’s going to get in trouble, it’s the DPO typically that is most legally accountable first and foremost.</p> <p>So it has created a lot of problems in the industry around figuring out where to put this individual in the organization, what responsibilities to appoint to them, where geographically they should sit, especially for non-European institutions that have a global presence. Should they be in the US? Or would it be more relevant for them to sit in a European legal entity, which might actually put them further away from the board? There’s all these kinds of complications.</p> <p><strong>Alexis Trittipo:</strong> We see it in different levels of the organization. Sometimes it’s tucked under a CISO, a chief information security officer. Sometimes this person is a peer of the C-suite, or C-minus one.</p> <p>As companies think about it, they’ve taken different paths. And, again, this is one of those things where, over time, we’ll see what works better and what doesn’t. And I think we’ll see some shifts to a more standardized way of people treating DPOs similarly.</p> <p>The other thing that’s important to think through is it’s not just the DPO, the individual themselves, that drives this. In order to get GDPR right, in order to get privacy right, you need the entire organization to be moving in the same direction.</p> <p>It’s the DPO and the privacy team, but it’s also legal, it’s also your entire data organization. Those individuals, and having the right team, that’s a collaborative team across the organization, to deal with this is the most important. 
It can’t be one individual alone.</p> <div data-module-category="" class="PullQuote_mck-c-pullquote__DbaQ5 mck-o-lg-center"><blockquote data-component="mdc-c-blockquote" class="PullQuote_mck-c-blockquote__6n21p mdc-c-blockquote mdc-c-blockquote--is-quotes___TozKo_8032924"><p>We’re seeing all kinds of capabilities of AI that can help here, whether it’s, for example, around identifying PII and preparing it and cleansing it through an entity resolution.</p></blockquote></div> <p><strong>Simon London:</strong> This comes at a time when institutions of all stripes are pushing very hard to collect and process data, to take advantage of machine learning, artificial-intelligence [AI] technologies. There’s a lot of activity going on just to be sort of running in the opposite direction, certainly to GDPR. It feels like quite bad news for companies and their efforts to really take advantage of data and find competitive advantage within data.</p> <p><strong>Kayvaun Rowshankish:</strong> That’s absolutely right, certainly as we talk to data-science communities that have enjoyed the pleasure of pulling in mounds of data into big data environments to just explore. You’re seeing them being particularly nervous about the constraints that are likely to impact their, let’s say, creativity. 
They’re going to have to put more control around the AI models that they’re developing.</p> <p><strong>Alexis Trittipo:</strong> The easiest way to get 
around GDPR, if you still want to use the data, is to anonymize and mask. If data is masked and anonymized, you can use that. You can use that and not have to have the purpose told to the data subject ahead of time. [Note: this holds only where individuals can no longer be re-identified; data that is merely masked or pseudonymized and can still be linked back to a person remains personal data under GDPR.]</p> <p>Thinking about, “Where do I actually need to know who the individual is?” versus “Where do I just need to have anonymized data that I can use for my analyses?” That will be key in the shortcut to getting this right.</p> <p><strong>Kayvaun Rowshankish:</strong> Ironically here, if you take the kind of counterview of not how is GDPR blocking AI, you can look at how AI is actually enabling GDPR. There’s plenty of opportunities for the two disciplines to come together in that direction. We’re seeing all kinds of capabilities of AI that can help here, whether it’s, for example, around identifying PII and preparing it and cleansing it through entity resolution and other types of capabilities that come out of AI, through auto cleansing or deletion or masking of PII.</p> <p>The concept there is that you have various different interactions with clients that are now moving from, say, human sales teams or human call centers to being AI-driven interfaces like chat bots or automated call centers where, frankly, you’re not in control of what customers are telling you. You may be capturing PII inadvertently because customers are just sharing, so the other factor that comes into place here is whether you can use AI to detect when they’re sharing PII, and either mask it immediately or delete it, or find some other way of blocking it so that you’re not putting the firm at compliance risk.</p> <p><strong>Simon London:</strong> I just want to push on this point around big data and machine learning. To a layperson, it almost sounds like creating a data lake by combining information about your customers from multiple sources and then running algorithms on that data with the intention of extending different offers to different customers. 
So Simon would get one type of offer, Alexis would get a different type of offer. It sounds to me like that could be a breach of GDPR.</p> <p><strong>Alexis Trittipo:</strong> I think you go back to the reason you collected data. You have to be explicit about why you’re collecting data. As long as it’s a legitimate business purpose. A legitimate business purpose can be providing the best and most appropriate products to our customers.</p> <p>So if you’ve collected that data with the customer or the client understanding that, then I think that kind of analysis is allowed. Going back to what am I consenting to, as a data subject when you collect my data, and making those disclosures very clear that they’re going to be used for the purposes of understanding and marketing products.</p> <p><strong>Kayvaun Rowshankish:</strong> If you just look at the extent you use a lot of these online applications, so many of them have been putting up these pop-ups as you access the site asking for your consent. I’m sure most people aren’t actually reading much of that; they’re just clicking, “OK.” It’s basically that that you’re consenting to, that you can actually use that information to better tailor the sales process.</p> <div data-module-category="" class="PullQuote_mck-c-pullquote__DbaQ5 mck-o-lg-center"><blockquote data-component="mdc-c-blockquote" class="PullQuote_mck-c-blockquote__6n21p mdc-c-blockquote mdc-c-blockquote--is-quotes___TozKo_8032924"><p>I do think there needs to be a phase two and a phase three where you go into the backups and the paper files and actually fully extract that person.</p></blockquote></div> <p><strong>Simon London:</strong> Which strikes me as being fine for data that’s collected now or recently. The question is, is everything that’s going into your data lake, was it collected under those types of conditions? Or is it historic data where the permissions in place at that time were not compliant with GDPR? 
You were not as explicit as maybe you could have been or should have been around the potential uses of the data.</p> <p><strong>Kayvaun Rowshankish:</strong> This is an interesting point because these consents that are being asked for, as I was describing, if they’re written correctly, they would cover data that you’ve captured in the past. You may have them in backup, you may be using them for a variety of different purposes. And as you’re asking individuals for consent to use their PII, most institutions are creating that consent statement in pretty broad terms. The issue is, what if they say no? And they actually say, “No, we don’t want you to store PII, we want you to delete everything that you’ve got about us.” I don’t think I’ve met a single institution that has really figured out how to deal with that.</p> <p>They’re dealing with it through drawing false boundaries, let’s say, around, “OK, anything that’s in a live system, we will find a way of deleting that data about them. But if it’s in backup, if it’s on paper, then it’s not as easily discoverable anyway, so we’re not going to tackle that.”</p> <p>It’s not completely clear that that is in compliance with how the regulators are thinking about it. It’s still a bit of an ambiguous space.</p> <p><strong>Alexis Trittipo:</strong> And I think what we’re seeing across industries, is, to your point, Kayvaun, this will have to be a phased process. Most companies say, “In our live systems, yes. We can delete all your information.” I do think there needs to be a phase two and a phase three where you go into the backups and you go into the paper files and actually fully extract that person. 
It’ll be interesting to see how organizations take that compliance from the more immediate “in my active systems today” across to the paper files from 20 years ago as well.</p> <p><strong>Kayvaun Rowshankish:</strong> And it’s interesting, at the same time, there’s a whole lot of digitization using OCR, optical character recognition, natural language processing, to extract the data that you want from PDFs and physical documents that it won’t be long before you probably shouldn’t be storing paper copies of things anyway.</p> <p>Storage is getting so cheap that even the backups should be fairly accessible that if you wanted to perform against this right to erasure, then it should be much easier than it is today in the coming years.</p> <p><strong>Simon London:</strong> So I think that’s all we have time for today. Thank you very much to Alexis, and thank you to Kayvaun. And thank you to our audience for listening. To learn more about data privacy, GDPR, risk, and regulation, please visit us at McKinsey.com.</p></div><div class="container-placeholder"></div></div></div><div class="mdc-u-grid mdc-u-grid-gutter-xl"><section role="contentinfo" data-layer-region="article-about-authors" class="mdc-u-grid mdc-u-grid-col-md-12 AboutAuthor_mck-c-about-author__nRJzu"><div class="mdc-u-grid-col-md-start-2 mdc-u-grid-col-md-end-12 mdc-u-grid-col-lg-start-3 mdc-u-grid-col-lg-end-11"><h5 data-component="mdc-c-heading" class="mdc-c-heading___0fM1W_8032924 mdc-c-heading--title___5qyOB_8032924 mdc-c-heading--border___K8dj3_8032924 mdc-u-align-center"></h5><div data-component="mdc-c-description" class="mdc-c-description___SrnQP_8032924 mdc-u-ts-8 mck-u-links-inline mck-u-links-inline--secondary mdc-u-mt-5"><div><p><strong>Kayvaun Rowshankish</strong> is a partner in McKinsey&rsquo;s New York office, where <strong>Alexis Trittipo</strong> is an associate partner; <strong>Simon London</strong> is a member of McKinsey Publishing and is based in the Silicon Valley 
office.</p></div></div></div></section></div></main></div></div></main></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"locale":"en","dictionary":{},"sitecoreContext":{"route":{"name":"Data privacy What every manager needs to know","displayName":"Data privacy: What every manager needs to 
know","fields":null,"databaseName":"web","deviceId":"fe5d7fdf-89c0-4d99-9aa3-b5fbd009c9f3","itemId":"87b03051-0343-469a-bd0b-565cb5be8f3e","itemLanguage":"en","itemVersion":3,"layoutId":"ae753eb4-a035-40b4-83bf-4b4438df6742","templateId":"683910db-02ba-40ba-92e7-726c880160a9","templateName":"ArticleJSS","placeholders":{"jss-main":[{"uid":"232bb7e9-289f-492d-a916-2b6185e44a84","componentName":"ArticleTemplate","dataSource":"","fields":{"data":{"articleTemplate":{"title":{"jsonValue":{"value":"Data privacy: What every manager needs to know"}},"sEOTitle":{"value":"How GDPR is transforming data-protection strategies in business"},"description":{"jsonValue":{"value":"As companies begin to follow the principles of GDPR, the European Union directive on data protection, they must better understand what personal information really is and how to properly manage it."}},"sEODescription":{"value":"As companies begin to follow the principles of GDPR, the EU directive on data protection, they must better understand what personal information really is and how to manage it properly."},"displayDate":{"jsonValue":{"value":"2018-07-31T00:00:00Z"}},"body":{"value":"[[DownloadsSidebar]]\n\u003cp\u003e\u003cstrong\u003eIn this episode\u003c/strong\u003e of the \u003cem\u003eMcKinsey Podcast\u003c/em\u003e, McKinsey partner Kayvaun Rowshankish and associate partner Alexis Trittipo speak with Simon London about the European Union\u0026rsquo;s newly implemented General Data Protection Regulation (GDPR), what it means, who it affects, and how companies can better manage personal data.\u003c/p\u003e\n[[Audio 1]]\n\u003ch4\u003ePodcast transcript\u003c/h4\u003e\n\u003cp\u003eHello, and welcome to this edition of the \u003cem\u003eMcKinsey Podcast\u003c/em\u003e, with me, Simon London. Whatever business you\u0026rsquo;re in, like it or not, you\u0026rsquo;re in the data-privacy business. 
The data you collect on customers, employees, prospects, even visitors to your buildings or your websites is increasingly subject to rules and regulations. The new European data-protection directive, GDPR, is part of the story but it\u0026rsquo;s not the whole story by any means. Joining me today to discuss the issues are two McKinsey consultants who spend their time working with clients on exactly these issues related to data, analytics, technology, privacy, and risk. They are Kayvaun Rowshankish, who is a partner based in New York, and Alexis Trittipo, an associate partner, also based in New York. Kayvaun and Alexis, thanks very much for joining.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAlexis Trittipo:\u003c/strong\u003e Absolutely. Excited to join you.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish:\u003c/strong\u003e Pleasure to be here.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSimon London:\u003c/strong\u003e Data privacy: It feels like it\u0026rsquo;s becoming a general management topic. Data in general, but data privacy as part of that. This definitely feels like something that, if you are a general manager, certainly in marketing, in sales and technology, but probably a whole bunch of other areas too, you have to know about this.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAlexis Trittipo:\u003c/strong\u003e As we look at organizations, across industries, personal data is managed at all levels of the organization. It\u0026rsquo;s not just a problem for the chief data officer or the chief information security office anymore.\u003c/p\u003e\n\u003cp\u003eThis is a problem for HR. It\u0026rsquo;s a problem for your customer-service representatives. 
It really spans the organization in terms of who touches personal data and who will need to, quite honestly, understand the regulations that are coming around.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish:\u003c/strong\u003e Every institution is heading in a direction where they are data-centric institutions. If you just take Amazon as an example. Sure, they stick physical products in the mail. But 90 percent of running their business is around data and data of individuals and data that represent the products that they manage. That\u0026rsquo;s true of most sectors now. The other thing that\u0026rsquo;s raising this to the management level is the fact that the scope of PII [personally identifiable information] is quite ambiguous. We might have thought of it previously as just a customer\u0026rsquo;s name, maybe their social security number, other information about their whereabouts.\u003c/p\u003e\n\u003cp\u003eBut now, because there\u0026rsquo;s so much sort of behavioral data that\u0026rsquo;s being captured, there are transactions and so on that are being captured, and multiple ways using advanced analytics to derive that information, it\u0026rsquo;s just become a much more complex and opaque space.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSimon London:\u003c/strong\u003e One of the big talking points at the moment is that the European data-protection regulation, GDPR, went into effect at the end of May. I suspect that a lot of managers are only now getting to grips with the operational implications of that. There are probably a lot of institutions, frankly, still scrambling to get compliant. 
So, Kayvaun, could you give us a quick overview of the contours of GDPR?\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish:\u003c/strong\u003e In simple terms, \u003ca href=\"/capabilities/risk-and-resilience/our-insights/gdpr-compliance-after-may-2018-a-continuing-challenge\"\u003ethe directive aims to protect individuals\u003c/a\u003e. And by \u0026ldquo;individuals,\u0026rdquo; the focus is European individuals. But that doesn\u0026rsquo;t mean the institutions out of Europe are exempt from this. European individuals travel, they have relationships with institutions outside of Europe, and there are third-party relationships with institutions that handle European individuals\u0026rsquo; data that then bring the next layer of institutions into scope as well. There\u0026rsquo;s a pretty broad set of firms that are affected.\u003c/p\u003e\n\u003cp\u003eWhat the directive aims to do, again, in fairly simple terms, is it forces these institutions to put structure and discipline around what PII, personally identifiable information, actually is, where it is, put more choice in the hands of the individuals who the PII relates to, so that they can decide if they even want you to have it, or how to manage it (see sidebar, \u0026ldquo;The GDPR: Key facts\u0026rdquo;).\u003c/p\u003e\n[[Sidebar 1]]\n\u003cp\u003eIt forces those institutions to minimize how much of that data they actually store [and process], puts controls around the PII that they store and process, and then enforces a set of governance and processes around that data, which includes accountability models like putting a privacy officer in place as well as a set of processes to interact with regulators and individuals either in terms of managing their rights or responding to breaches and other types of events in this space.\u003c/p\u003e\n\u003cp\u003eThen lastly, the other thing that this regulation does is it puts in place some fairly severe penalties if you get it wrong. 
Quite explicitly, there\u0026rsquo;s a penalty of up to 4 percent of global revenues, so you can be fined anything up to 4 percent of global revenues if you get this wrong. But it also puts in place, because this is going to become a legal requirement, the opportunity for individuals to take civil action against those institutions if they get it wrong.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAlexis Trittipo:\u003c/strong\u003e \u003ca href=\"/capabilities/risk-and-resilience/our-insights/the-eu-data-protection-regulation-compliance-burden-or-foundation-for-digitization\"\u003eGDPR is the first large-scale regulation\u003c/a\u003e of this size that\u0026rsquo;s really aimed at protecting individual rights around personal data. The control that it aims to give individuals over their data in things like, I can have it deleted, I can ask to see what a company has on me, at this scale, is unprecedented. It\u0026rsquo;s a very interesting test case to see how corporations will react. We\u0026rsquo;ll see over time, both how this plays out in Europe, but also how this plays out globally.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSimon London:\u003c/strong\u003e Is it right to say that even though GDPR is from Europe, certainly for any large global organization, it becomes the de facto global standard?\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAlexis Trittipo:\u003c/strong\u003e It\u0026rsquo;s hard to say global standard because what we\u0026rsquo;re seeing right now as folks are looking to implement it is they\u0026rsquo;re largely implementing it for their European-based operations and where they touch EU-based customers and clients.\u003c/p\u003e\n\u003cp\u003eBut most organizations are thinking about, \u0026ldquo;If I have to have this level of controls, this level of protection, this level of processes around personal data for Europe, how do I think about that more broadly? 
And how do I expand that?\u0026rdquo; And I don\u0026rsquo;t think organizations are there yet. But as we think about it, this will be, globally, the highest standard around controlling and keeping personal data safe.\u003c/p\u003e\n[[Disruptor1Up 1]]\n\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish:\u003c/strong\u003e There\u0026rsquo;s a fair bit of noise around this issue as to whether the US should adopt consistent standards and just implement them across the US or if the needs of the US market are sufficiently different that they come up with something different. I think the same is probably true of other regions.\u003c/p\u003e\n\u003cp\u003eWe do expect that there will be other regulations emerging covering regions that GDPR doesn\u0026rsquo;t cover today that aim to address similar issues. If you look at history and regulations, things that came out of Europe first, the US chose to do something different.\u003c/p\u003e\n\u003cp\u003eIf the same thing happens here, it\u0026rsquo;s going to cause all kinds of problems. Because the systems that global institutions use for managing data of European individuals are the same systems they use for managing US individuals\u0026rsquo; information. If you have to start applying different standards and controls to those systems and processes, it\u0026rsquo;s just going to cause a lot of fragmentation and redundancy and inefficiency, potentially leakage, and distraction of mind share because you\u0026rsquo;ve got too many different standards to deal with trying to address the same thing.\u003c/p\u003e\n\u003cp\u003eI do think that it would be ideal if there was some consistency and this became somewhat of a default that others tried to embrace and stretch out to other regions. 
But, as I say, if the past is anything to go by, it does give me pause that that would happen.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSimon London:\u003c/strong\u003e One of the things that I read about GDPR is that it is principles based [exhibit]. Looking at a couple of principles laid out, these are pretty broad. I wonder, could you just give us a couple of examples of what it really requires of companies?\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAlexis Trittipo:\u003c/strong\u003e As you think about a principles-based regulation like GDPR, it leaves a lot open to interpretation. The principles are quite high-level. Each individual company will have to figure out how they\u0026rsquo;re interpreting that, what the scope is, and what that means for them. And we\u0026rsquo;ll see over time as regulators react to that.\u003c/p\u003e\n\u003cp\u003eOne is around storage limitation. This is a principle that says basically, \u0026ldquo;Don\u0026rsquo;t keep data longer than you need it for an active reason that you\u0026rsquo;ve told the data subject.\u0026rdquo; And when I say \u0026ldquo;data subject,\u0026rdquo; it could be a customer, an employee, it\u0026rsquo;s a person like you or me.\u003c/p\u003e\n\u003cp\u003eThis is contrary to the ways companies manage data today. Typically, I think, \u0026ldquo;Oh, I want to collect the data. I\u0026rsquo;m going to keep it for as long as I want. I\u0026rsquo;m going to use it in a bunch of different analyses.\u0026rdquo; I don\u0026rsquo;t think about, unless there\u0026rsquo;s a regulatory reason, deleting that data. I just keep it in my central data warehouse, or, more likely, in various warehouses.\u003c/p\u003e\n[[Exhibit 1]]\n\u003cp\u003eCompanies are really going to have to keep track of how long they\u0026rsquo;ve had data and actively go about a process of data deletion. 
One of the things that\u0026rsquo;s very challenging is how do I reconcile where I have to keep something for a legal reason, or for a tax reason, or a compliance reason, and where I need to delete it for this principle of limiting the length of time of data storage. That\u0026rsquo;s something that companies are going to have to grapple with.\u003c/p\u003e\n\u003cp\u003eAnother example is limitation around the purpose. The regulation requires you to tell the data subject why you\u0026rsquo;re collecting the data. And it has to be collected for a specified, legitimate purpose. Then once you\u0026rsquo;ve used it for that legitimate purpose, you can\u0026rsquo;t really use it for anything else, according to the regulation. So if I\u0026rsquo;ve said, \u0026ldquo;Hey, I\u0026rsquo;m collecting this information so I can open a bank account for you,\u0026rdquo; for example, I can\u0026rsquo;t then use that information to do marketing or other things. As companies think about this, the types of disclosures they have to make to data subjects will become important so that they can use the data for business purposes that they\u0026rsquo;ll need it for.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish:\u003c/strong\u003e The other thing that I think most institutions are grappling with is just defining scope. Just simply the starting point of, \u0026ldquo;OK, who are covered individuals? And how do I define what is PII related to those individuals?\u0026rdquo;\u003c/p\u003e\n\u003cp\u003eSo, sure, customers are covered. Employees are covered. But as you get into sort of visitors to buildings where you have to enter some information to get access to the building, they may be leaving PII behind. You have noncustomers that are making inquiries. At what point do they actually become your responsibility to protect information that they\u0026rsquo;re entering in your website, for example?\u003c/p\u003e\n\u003cp\u003eAnd what is PII? 
There\u0026rsquo;s obviously name, address, social security number. But as you get into things like IP address or clickstream information, it\u0026rsquo;s not clear that that would be covered necessarily, and it would be extremely hard to put the types of controls around this stuff that the regulation\u0026rsquo;s asking for.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSimon London:\u003c/strong\u003e Although GDPR is very principles-based, there are some very specific rights, aren\u0026rsquo;t there? If you\u0026rsquo;re an EU resident, you get granted some very specific rights under GDPR. Can you just talk a little bit about those?\u003c/p\u003e\n[[Disruptor1Up globalpodcast]]\n\u003cp\u003e\u003cstrong\u003eAlexis Trittipo:\u003c/strong\u003e That\u0026rsquo;s right. And, again, when we think about the purpose of this regulation, a lot of it is to give folks more control over their personal data. And so those rights are things like the right to access. An EU resident would have the right to call up a company and say, \u0026ldquo;I want to see all of the personal data you have on me.\u0026rdquo;\u003c/p\u003e\n\u003cp\u003eAnother one is, the right to erasure, also called the right to be forgotten, which I can call up a company and say, \u0026ldquo;I want you to delete all the personal data you have on me.\u0026rdquo; There\u0026rsquo;s things like the right to portability. I can ask for my data to be transmitted to someone else.\u003c/p\u003e\n\u003cp\u003eThere\u0026rsquo;s the right to not be processed in a fully automated fashion, which says, \u0026ldquo;I want a person involved in the decision making on me. I don\u0026rsquo;t want to have decisions made on me based on analytics or based on machines or based on robots.\u0026rdquo;\u003c/p\u003e\n\u003cp\u003eAll of those rights are very core to GDPR. 
As companies think through how to comply, being able to ensure that they can meet each of these data-subject rights, within the allotted time frame, which for many of them is 30 days to get back to the data subject, will be quite important.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish:\u003c/strong\u003e The other approach which is likely is that they will just determine some cost benefit of even having that person as a customer. And for many of those that say, \u0026ldquo;No, I don\u0026rsquo;t agree to you automating decisions around me. I don\u0026rsquo;t agree to you storing this type of information about me,\u0026rdquo; then many institutions will just say, \u0026ldquo;Fine. I\u0026rsquo;m sorry, I can\u0026rsquo;t have you as a customer.\u0026rdquo;\u003c/p\u003e\n[[PullQuote 1]]\n\u003cp\u003e\u003cstrong\u003eSimon London:\u003c/strong\u003e You mentioned the requirement [for certain companies] to appoint a chief data-protection officer as part of the new regulation. What work do the data-protection officers do? It sounds like quite a pivotal role in actually coming to answer a lot of these open questions.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAlexis Trittipo:\u003c/strong\u003e The data-protection officer, or DPO, is the hub of the wheel when it comes to \u003ca href=\"/capabilities/risk-and-resilience/our-insights/tackling-gdpr-compliance-before-time-runs-out\"\u003eGDPR compliance\u003c/a\u003e, and they should be very much central when it comes to data privacy overall to help facilitate when data subjects come and say, \u0026ldquo;I want to exercise one of my rights.\u0026rdquo; To help facilitate when there\u0026rsquo;s a data breach and making sure that there\u0026rsquo;s the right notifications to regulators. To really ensure that there\u0026rsquo;s consistency of data standards in the policies and the procedures. 
This person is the accountable party for GDPR.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish:\u003c/strong\u003e What\u0026rsquo;s quite interesting about this role and has become quite a thorny issue is that the DPO is responsible to the agencies and the authorities, not to the institution that they\u0026rsquo;re employed by. Plus, there\u0026rsquo;s language in the regulations that say that they need to have very senior reporting lines, whether to the CEO or the board.\u003c/p\u003e\n\u003cp\u003eWhat it actually means, and I think what most are interpreting it to mean, is that they need access too. And to Alexis\u0026rsquo;s point, they are accountable. But in very legal terms. If there is a breach and there is a penalty and someone\u0026rsquo;s going to get in trouble, it\u0026rsquo;s the DPO typically that is most legally accountable first and foremost.\u003c/p\u003e\n\u003cp\u003eSo it has created a lot of problems in the industry around figuring out where to put this individual in the organization, what responsibilities to appoint to them, where geographically they should sit, especially for non-European institutions that have a global presence. Should they be in the US? Or would it be more relevant for them to sit in a European legal entity, which might actually put them further away from the board? There\u0026rsquo;s all these kinds of complications.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAlexis Trittipo:\u003c/strong\u003e We see it in different levels of the organization. Sometimes it\u0026rsquo;s tucked under a CISO, a chief information security officer. Sometimes this person is a peer of the C-suite, or C-minus one.\u003c/p\u003e\n\u003cp\u003eAs companies think about it, they\u0026rsquo;ve taken different paths. And, again, this is one of those things where, over time, we\u0026rsquo;ll see what works better and what doesn\u0026rsquo;t. 
And I think we\u0026rsquo;ll see some shifts to a more standardized way of people treating DPOs similarly.\u003c/p\u003e\n\u003cp\u003eThe other thing that\u0026rsquo;s important to think through is it\u0026rsquo;s not just the DPO, the individual themselves, that drives this. In order to get GDPR right, in order to get privacy right, you need the entire organization to be moving in the same direction.\u003c/p\u003e\n\u003cp\u003eIt\u0026rsquo;s the DPO and the privacy team, but it\u0026rsquo;s also legal, it\u0026rsquo;s also your entire data organization. Those individuals, and having the right team, that\u0026rsquo;s a collaborative team across the organization, to deal with this is the most important. It can\u0026rsquo;t be one individual alone.\u003c/p\u003e\n[[PullQuote 2]]\n\u003cp\u003e\u003cstrong\u003eSimon London:\u003c/strong\u003e This comes at a time when institutions of all stripes are pushing very hard to collect and process data, to take advantage of machine learning, artificial-intelligence [AI] technologies. There\u0026rsquo;s a lot of activity going on just to be sort of running in the opposite direction, certainly to GDPR. It feels like quite bad news for companies and their efforts to really take advantage of data and find competitive advantage within data.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish:\u003c/strong\u003e That\u0026rsquo;s absolutely right, certainly as we talk to data-science communities that have enjoyed the pleasure of pulling in mounds of data into big data environments to just explore. You\u0026rsquo;re seeing them being particularly nervous about the constraints that are likely to impact their, let\u0026rsquo;s say, creativity. 
They\u0026rsquo;re going to have to put more control around the AI models that they\u0026rsquo;re developing.\u003c/p\u003e\n[[Disruptor1Up shortlist]]\n\u003cp\u003e\u003cstrong\u003eAlexis Trittipo:\u003c/strong\u003e The easiest way to get around GDPR, if you still want to use the data, is anonymize and mask. If data is masked and anonymized, you can use that. You can use that and not have to have the purpose told to the data subject ahead of time.\u003c/p\u003e\n\u003cp\u003eThinking about, \u0026ldquo;Where do I actually need to know who the individual is?\u0026rdquo; versus \u0026ldquo;Where do I just need to have anonymized data that I can use for my analyses?\u0026rdquo; That will be key in the shortcut to getting this right.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish:\u003c/strong\u003e Ironically here, if you take the kind of counterview of not how is GDPR blocking AI, you can look at how AI is actually enabling GDPR. There\u0026rsquo;s plenty of opportunities for the two disciplines to come together in that direction. We\u0026rsquo;re seeing all kinds of capabilities of AI that can help here, whether it\u0026rsquo;s, for example, around identifying PII and preparing it and cleansing it through entity resolution and other types of capabilities that come out of AI, through auto cleansing or deletion or masking of PII.\u003c/p\u003e\n\u003cp\u003eThe concept there is that you have various different interactions with clients that are now moving from, say, human sales teams or human call centers to being AI-driven interfaces like chat bots or automated call centers where, frankly, you\u0026rsquo;re not in control of what customers are telling you. 
You may be capturing PII inadvertently because customers are just sharing, so the other factor that comes into place here is whether you can use AI to detect when they\u0026rsquo;re sharing PII, and either mask it immediately or delete it, or find some other way of blocking it so that you\u0026rsquo;re not putting the firm at compliance risk.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSimon London:\u003c/strong\u003e I just want to push on this point around big data and machine learning. To a layperson, it almost sounds like creating a data lake by combining information about your customers from multiple sources and then running algorithms on that data with the intention of extending different offers to different customers. So Simon would get one type of offer, Alexis would get a different type of offer. It sounds to me like that could be a breach of GDPR.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAlexis Trittipo:\u003c/strong\u003e I think you go back to the reason you collected data. You have to be explicit about why you\u0026rsquo;re collecting data. As long as it\u0026rsquo;s a legitimate business purpose. A legitimate business purpose can be providing the best and most appropriate products to our customers.\u003c/p\u003e\n\u003cp\u003eSo if you\u0026rsquo;ve collected that data with the customer or the client understanding that, then I think that kind of analysis is allowed. Going back to what am I consenting to, as a data subject when you collect my data, and making those disclosures very clear that they\u0026rsquo;re going to be used for the purposes of understanding and marketing products.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish:\u003c/strong\u003e If you just look at the extent you use a lot of these online applications, so many of them have been putting up these pop-ups as you access the site asking for your consent. 
I\u0026rsquo;m sure most people aren\u0026rsquo;t actually reading much of that; they\u0026rsquo;re just clicking, \u0026ldquo;OK.\u0026rdquo; It\u0026rsquo;s basically that that you\u0026rsquo;re consenting to, that you can actually use that information to better tailor the sales process.\u003c/p\u003e\n[[PullQuote 3]]\n\u003cp\u003e\u003cstrong\u003eSimon London:\u003c/strong\u003e Which strikes me as being fine for data that\u0026rsquo;s collected now or recently. The question is, is everything that\u0026rsquo;s going into your data lake, was it collected under those types of conditions? Or is it historic data where the permissions in place at that time were not compliant with GDPR? You were not as explicit as maybe you could have been or should have been around the potential uses of the data.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish:\u003c/strong\u003e This is an interesting point because these consents that are being asked for, as I was describing, if they\u0026rsquo;re written correctly, they would cover data that you\u0026rsquo;ve captured in the past. You may have them in backup, you may be using them for a variety of different purposes. And as you\u0026rsquo;re asking individuals for consent to use their PII, most institutions are creating that consent statement in pretty broad terms. The issue is, what if they say no? And they actually say, \u0026ldquo;No, we don\u0026rsquo;t want you to store PII, we want you to delete everything that you\u0026rsquo;ve got about us.\u0026rdquo; I don\u0026rsquo;t think I\u0026rsquo;ve met a single institution that has really figured out how to deal with that.\u003c/p\u003e\n\u003cp\u003eThey\u0026rsquo;re dealing with it through drawing false boundaries, let\u0026rsquo;s say, around, \u0026ldquo;OK, anything that\u0026rsquo;s in a live system, we will find a way of deleting that data about them. 
But if it\u0026rsquo;s in backup, if it\u0026rsquo;s on paper, then it\u0026rsquo;s not as easily discoverable anyway, so we\u0026rsquo;re not going to tackle that.\u0026rdquo;\u003c/p\u003e\n\u003cp\u003eIt\u0026rsquo;s not completely clear that that is in compliance with how the regulators are thinking about it. It\u0026rsquo;s still a bit of an ambiguous space.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAlexis Trittipo:\u003c/strong\u003e And I think what we\u0026rsquo;re seeing across industries, is, to your point, Kayvaun, this will have to be a phased process. Most companies say, \u0026ldquo;In our live systems, yes. We can delete all your information.\u0026rdquo; I do think there needs to be a phase two and a phase three where you go into the backups and you go into the paper files and actually fully extract that person. It\u0026rsquo;ll be interesting to see how organizations take that compliance from the more immediate \u0026ldquo;in my active systems today\u0026rdquo; across to the paper files from 20 years ago as well.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish:\u003c/strong\u003e And it\u0026rsquo;s interesting, at the same time, there\u0026rsquo;s a whole lot of digitization using OCR, optical character recognition, natural language processing, to extract the data that you want from PDFs and physical documents that it won\u0026rsquo;t be long before you probably shouldn\u0026rsquo;t be storing paper copies of things anyway.\u003c/p\u003e\n\u003cp\u003eStorage is getting so cheap that even the backups should be fairly accessible that if you wanted to perform against this right to erasure, then it should be much easier than it is today in the coming years.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSimon London:\u003c/strong\u003e So I think that\u0026rsquo;s all we have time for today. Thank you very much to Alexis, and thank you to Kayvaun. And thank you to our audience for listening. 
To learn more about data privacy, GDPR, risk, and regulation, please visit us at McKinsey.com.\u003c/p\u003e"},"isFullScreenInteractive":{"boolValue":false},"hideStickySocialShareBar":{"boolValue":false},"desktopID":{"value":""},"mobileID":{"value":""},"desktopURL":{"value":""},"mobileURL":{"value":""},"desktopPaddingPercentage":{"value":""},"mobilePaddingPercentage":{"value":""},"desktopOverrideHeight":{"value":""},"mobileOverrideHeight":{"value":""},"cerosOembedURL":{"value":""},"cerosRenderMode":{"targetItem":null},"cerosBackgroundColor":{"targetItem":null},"hideByLine":{"boolValue":false},"tableOfContentsTitle":{"value":"TABLE OF CONTENTS"},"accessStatus":{"targetItem":{"key":{"value":"RegisteredUsers"},"value":{"value":"Registered Users"}}},"articleType":{"targetItem":{"displayName":"Podcast"}},"hasSpecialReport":{"boolValue":false},"contentType":{"targetItem":{"displayName":"Article"}},"sourcePublication":{"targetItem":null},"externalPublication":{"value":""},"excludeFromClientLink":{"boolValue":false},"originalPublishDate":{"jsonValue":{"value":"2018-07-31T20:57:00Z"}},"footnotes":{"value":""},"contributoryPractice":{"targetItems":[]},"aboutTheAuthors":{"value":"\u003cp\u003e\u003cstrong\u003eKayvaun Rowshankish\u003c/strong\u003e is a partner in McKinsey\u0026rsquo;s New York office, where \u003cstrong\u003eAlexis Trittipo\u003c/strong\u003e is an associate partner; \u003cstrong\u003eSimon London\u003c/strong\u003e is a member of McKinsey Publishing and is based in the Silicon Valley office.\u003c/p\u003e"},"authors":{"targetItems":[]},"nonPartnerAuthors":{"targetItems":[]},"interactiveToUse":{"targetItem":null},"enableArticleComponents":{"boolValue":false},"relatedArticles":{"targetItems":[{"sourcePublication":{"targetItem":null},"publicationSource":null,"externalPublication":{"value":""},"title":{"value":"GDPR compliance since May 2018: A continuing 
challenge"},"url":{"path":"/capabilities/risk-and-resilience/our-insights/gdpr-compliance-after-may-2018-a-continuing-challenge"},"eyebrow":{"targetItem":{"name":"Article"}},"articleType":{"targetItem":{"name":"Article"}},"contentType":{"targetItem":{"name":"Article"}},"description":{"value":"Companies must automate and streamline, or the challenge of GDPR compliance will overwhelm them."},"standardImage":{"src":"/~/media/mckinsey/business functions/risk/our insights/gdpr compliance after may 2018 a continuing challenge/gdpr compliance_1536x1536_300.jpg","alt":"GDPR compliance since May 2018: A continuing challenge"},"heroImage":null,"thumbnailImage":null},{"sourcePublication":{"targetItem":null},"publicationSource":null,"externalPublication":{"value":""},"title":{"value":"The EU data-protection regulation\u0026mdash;compliance burden or foundation for digitization?"},"url":{"path":"/capabilities/risk-and-resilience/our-insights/the-eu-data-protection-regulation-compliance-burden-or-foundation-for-digitization"},"eyebrow":{"targetItem":{"name":"Article"}},"articleType":{"targetItem":{"name":"Article"}},"contentType":{"targetItem":{"name":"Article"}},"description":{"value":"Enhanced data protection creates a challenge, but it also offers a catalyst for digitization."},"standardImage":{"src":"/~/media/mckinsey/business functions/risk/our insights/the eu data protection regulation compliance burden or foundation for digitization/the_eu_data_protection_regulation_1536x1536_500_standard.jpg","alt":"The_EU_data_protection_regulation_1536x1536_500_Standard"},"heroImage":null,"thumbnailImage":null},{"sourcePublication":{"targetItem":null},"publicationSource":null,"externalPublication":{"value":""},"title":{"value":"Data sharing and open 
banking"},"url":{"path":"/industries/financial-services/our-insights/data-sharing-and-open-banking"},"eyebrow":{"targetItem":{"name":"Article"}},"articleType":{"targetItem":{"name":"Article"}},"contentType":{"targetItem":{"name":"Article"}},"description":{"value":"The potential benefits of open banking include improved customer experience, new revenue streams, and a sustainable service model for underserved markets."},"standardImage":{"src":"/~/media/mckinsey/industries/financial services/our insights/data sharing and open banking/data-sharing-and-open-banking-1536x1536-300_standard.jpg","alt":"Data-sharing-and-open-banking-1536x1536-300_Standard"},"heroImage":null,"thumbnailImage":null}]},"useEnhancedAuthors":{"boolValue":false},"acknowledgements":{"value":""},"showSocialShareFooter":{"boolValue":false},"template":{"id":"683910db-02ba-40ba-92e7-726c880160a9"},"hideFromSearchEngines":{"boolValue":false},"backgroundColor":{"targetItem":null},"gradientDirection":{"targetItem":{"key":{"value":"Bottom 
Right"},"value":{"value":"bottom-right"}}},"hideStickySubscriptionBar":{"value":false},"enableRegWall":{"boolValue":false},"timer":{"value":"8"},"regWallHeading":{"value":""},"showGoToHomeLink":{"boolValue":false},"regWallDescription":{"value":""},"isInsightsStorePage":{"boolValue":false},"enableRatingsForArticleBody":{"boolValue":true},"enableRatingsForMostPopular":{"boolValue":true},"showAskMcKinseyChatbot":{"boolValue":false},"selectedModalSubscriptions":{"targetItems":[]},"link1":{"queryString":"","className":"","anchor":"","linkType":"internal","url":"","text":"","targetItem":null},"link2":{"queryString":"","className":"","anchor":"","linkType":"internal","url":"","text":"","targetItem":null},"link3":{"queryString":"","className":"","anchor":"","linkType":"internal","url":"","text":"","targetItem":null},"link4":{"queryString":"","className":"","anchor":"","linkType":"internal","url":"","text":"","targetItem":null},"link5":{"queryString":"","className":"","anchor":"","linkType":"internal","url":"","text":"","targetItem":null},"fullReportPDF":{"name":"Full Report PDF","src":null,"displayName":null,"title":null,"keywords":null,"description":null,"extension":null,"mimeType":null,"size":null,"pageCount":null,"thumbnailImageSrc":""},"fullReportPDFDisplayName":{"value":""},"appendixPDF":{"name":"Appendix PDF","src":null,"displayName":null,"title":null,"keywords":null,"description":null,"extension":null,"mimeType":null,"size":null,"pageCount":null,"thumbnailImageSrc":""},"appendixPDFDisplayName":{"value":""},"articlePDF":{"name":"Article PDF","src":"/~/media/mckinsey/business functions/risk/our insights/data privacy what every manager needs to know/data-privacy-what-every-manager-needs-to-know-web-final.pdf","displayName":"Data-privacy-What-every-manager-needs-to-know-web-final","title":"Data privacy: What every manager needs to 
know","keywords":"","description":"","extension":"pdf","mimeType":"application/pdf","size":277702,"pageCount":"","thumbnailImageSrc":""},"briefingNotePDF":{"name":"Briefing Note PDF","src":null,"displayName":null,"title":null,"keywords":null,"description":null,"extension":null,"mimeType":null,"size":null,"pageCount":null,"thumbnailImageSrc":""},"discussionPapersPDF":{"name":"Discussion Papers PDF","src":null,"displayName":null,"title":null,"keywords":null,"description":null,"extension":null,"mimeType":null,"size":null,"pageCount":null,"thumbnailImageSrc":""},"executiveSummaryPDF":{"name":"Executive Summary PDF","src":null,"displayName":null,"title":null,"keywords":null,"description":null,"extension":null,"mimeType":null,"size":null,"pageCount":null,"thumbnailImageSrc":""},"executiveSummaryPDFDisplayName":{"value":""},"researchPreviewPDF":{"name":"Research Preview PDF","src":null,"displayName":null,"title":null,"keywords":null,"description":null,"extension":null,"mimeType":null,"size":null,"pageCount":null,"thumbnailImageSrc":""},"heroImage":{"src":null,"alt":""},"standardImage":{"src":"/~/media/mckinsey/business functions/risk/our insights/data privacy what every manager needs to know/data-privacy-what-every_913017298_1536x1536.jpg","alt":"Data privacy: What every manager needs to 
know"},"heroImageTopOffset":{"value":""},"headerOverlayOpacity":{"targetItem":null},"heroType":{"targetItem":{"displayName":"Existing"}},"photoOverlayOpacity":{"targetItem":null},"hideHero":{"boolValue":false},"renderStackedHeroLayoutForMobile":{"boolValue":false},"articleHeroVideoId":{"value":""},"podcastHeroOmnyAudioID":{"value":""},"heroBespokeInteractiveID":{"value":""},"bespokeHeroRenderMode":{"targetItem":null},"audio":{"results":[{"id":"A49E6712B0C94B19B3CBBDBDA2B2718F","omnyPlayerAudioURL":{"value":"https://omny.fm/shows/the-mckinsey-podcast/data-privacy-what-every-manager-needs-to-know/embed?style=artwork"},"iTunesURL":{"value":""},"soundcloudAudioFile":{"value":""},"displayNumber":{"value":""},"headline":{"jsonValue":{"value":""}},"mediaEyebrow":{"jsonValue":{"value":""}},"description":{"jsonValue":{"value":""}},"libraryAudioFile":{"src":null},"renderMode":{"targetItem":{"key":{"value":"Center"},"value":{"value":"small-span-center"}}},"hideMediaEyebrow":{"boolValue":false},"mediaID":{"value":"1"},"template":{"name":"Audio"}}]},"disruptor1up":{"results":[{"title":{"value":"Would you like to learn more about our \u003ca href=\"/capabilities/risk-and-resilience/how-we-help-clients\"\u003eRisk Practice\u003c/a\u003e?"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"LinkType":"internal","Title":"","Text":"Visit our Risk \u0026 Regulation page","Url":"/capabilities/risk-and-resilience/how-we-help-clients/risk-and-regulation","Target":"","CssClass":"","QueryString":"","Anchor":"","LinkTitle":"Risk and Regulation"}]}},"mediaID":{"value":"1"},"template":{"name":"Disruptor 1Up"}},{"mediaID":{"value":"cop"},"title":{"value":"Explore COP29 with McKinsey"},"description":{"value":"Join our series of dynamic virtual events during COP29. 
Discover new research, practical strategies, and collaborations across sectors to move climate action beyond why to how."},"image":{"src":"/~/media/mckinsey/business functions/sustainability/how we help clients/cop/cop29/cop_29_thumb.jpg","alt":"McKinsey at COP29"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"external","Target":"","Text":"Register","Title":"","Url":"https://mckinsey.cventevents.com/Q2MVE1?rt=RrQJ1iBSfEiqSK7N9VAGCw\u0026RefId=cop"}]}}},{"mediaID":{"value":"attheedge"},"title":{"value":"Subscribe to the \u003cem\u003eAt the Edge\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/at-the-edge/id1612870236"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/3SnUcezwM20nKnzqvUl6iF"}]}}},{"mediaID":{"value":"authortalks"},"title":{"value":"Visit \u003cem\u003e\u003ca href=\"/featured-insights/mckinsey-on-books/author-talks\"\u003eAuthor Talks\u003c/a\u003e\u003c/em\u003e to see the full series."},"description":{"value":""},"image":{"src":"/~/media/mckinsey/featured insights/mckinsey books/author talks/authortalks_1536x1536_v1.png","alt":"Author Talks"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":"/featured-insights/mckinsey-on-books/author-talks"}]}}},{"mediaID":{"value":"COVID"},"title":{"value":"Explore McKinsey’s ongoing coverage of the pandemic"},"description":{"value":""},"image":{"src":"/~/media/mckinsey/business functions/risk/our insights/covid 19 implications for business/implications-briefing-note-4-standard-1536x1536.jpg","alt":"COVID-19: Implications for business"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Read more about 
the business impact of coronavirus and how organizations can respond","Title":"","Url":"/featured-insights/coronavirus-leading-through-the-crisis"}]}}},{"mediaID":{"value":"CE"},"title":{"value":"Customer experience"},"description":{"value":"More insight into creating competitive advantage by putting customers first and managing their journeys."},"image":{"src":"/~/media/mckinsey/industries/public and social sector/our insights/customer experience/customer-experience_22934010_1536x864.jpg","alt":"Customer experience"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":""}]}}},{"mediaID":{"value":"driversofdisruption"},"title":{"value":"Want to subscribe to \u003ca href=\"/features/mckinsey-center-for-future-mobility/our-insights/drivers-of-disruption\"\u003e\u003cem\u003eDrivers of Disruption\u003c/em\u003e\u003c/a\u003e?"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/drivers-of-disruption/id1687257324"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/5fWXzWmVKacc5I7u9CQsah?si=KQ-wUOSyQlqcnfexExiH9Q\u0026nd=1"}]}}},{"mediaID":{"value":"JOL"},"title":{"value":"The Journey of Leadership"},"description":{"value":"\u003cstrong\u003eHow CEOs Learn to Lead from the Inside Out\u003c/strong\u003e\u003cbr /\u003e\nBy \u003ca href=\"/our-people/dana-maor\"\u003eDana Maor\u003c/a\u003e, \u003ca href=\"https://www.linkedin.com/in/hanswernerkaas\"\u003eHans-Werner Kaas\u003c/a\u003e, \u003ca href=\"/our-people/kurt-strovink\"\u003eKurt Strovink\u003c/a\u003e, and \u003ca href=\"/our-people/ramesh-srinivasan\"\u003eRamesh Srinivasan\u003c/a\u003e"},"image":{"src":"/~/media/mckinsey/featured insights/mckinsey books/journey of 
leadership/journey-of-leadership-book-cover-1536x1536.jpg","alt":"The Journey of Leadership book cover"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":"/featured-insights/mckinsey-on-books/journey-of-leadership"}]}}},{"mediaID":{"value":"surveys"},"title":{"value":"McKinsey\u0026rsquo;s original survey research"},"description":{"value":""},"image":{"src":"/~/media/mckinsey/featured insights/mckinsey global surveys/mck-global-survey-landing-1284442931-thumb-1536x1536.jpg","alt":"McKinsey Global Surveys"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Read more","Title":"","Url":"/featured-insights/mckinsey-global-surveys"}]}}},{"mediaID":{"value":"healthcarepodcast"},"title":{"value":"Want to subscribe to \u003cem\u003eMcKinsey on Healthcare\u003c/em\u003e?"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-on-healthcare/id1469979748"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/3y1AgAilV4E5Jz0x4wD9O2?si=mLCTUQ2ORTS_LC5gW_htlA\u0026dl_branch=1"}]}}},{"mediaID":{"value":"myleadershipjourney"},"title":{"value":"My Leadership Journey"},"description":{"value":"A series of conversations with leaders about the people and experiences that shaped them"},"image":{"src":"/~/media/mckinsey/business functions/people and organizational performance/our insights/my leadership journey/my leadership journey collection page_131575496_thumb_1536x1536.jpg","alt":"My Leadership Journey"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Learn 
more","Title":"","Url":"/capabilities/people-and-organizational-performance/our-insights/my-leadership-journey"}]}}},{"mediaID":{"value":"lessonsfromleaders"},"title":{"value":"State of Organizations: Lessons from leaders"},"description":{"value":""},"image":{"src":"/~/media/mckinsey/business functions/people and organizational performance/our insights/state of org lessons from leaders/soo-chapter-2-872507320-standard-1536x1536.jpg","alt":"\"\""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Explore more interviews","Title":"","Url":"/capabilities/people-and-organizational-performance/our-insights/lessons-from-leaders"}]}}},{"mediaID":{"value":"stateoforg"},"title":{"value":"The State of Organizations 2023"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Report overview","Title":"","Url":"/capabilities/people-and-organizational-performance/our-insights/the-state-of-organizations-2023"}]}}},{"mediaID":{"value":"titaniumeconomy"},"title":{"value":"The Titanium Economy"},"description":{"value":"How Industrial Technology Can Create a Better, Faster, Stronger America\u003cbr /\u003e\nBy \u003ca href=\"/our-people/asutosh-padhi\"\u003eAsutosh Padhi\u003c/a\u003e, Gaurav Batra, and \u003ca href=\"https://fernweh.com/nick-santhanam/\"\u003eNick Santhanam\u003c/a\u003e"},"image":{"src":"/~/media/mckinsey/featured insights/mckinsey books/the titanium economy/titanium_3d-1536x1536-hero-trans.png","alt":"The Titanium Economy Book cover"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":"/featured-insights/mckinsey-on-books/the-titanium-economy"}]}}},{"mediaID":{"value":"GII"},"title":{"value":"Global Infrastructure Initiative"},"description":{"value":"Convening global leaders in infrastructure and capital projects in pursuit of new 
solutions"},"image":{"src":"/~/media/mckinsey/business functions/operations/our insights/the global infrastructure initiative/jpg-cpi-improving-construction-productivity-1536x864.jpg","alt":"Improving construction productivity"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"external","Target":"","Text":"Learn more","Title":"","Url":"http://www.globalinfrastructureinitiative.com/"}]}}},{"mediaID":{"value":"FOApodcast"},"title":{"value":"Subscribe to \u003ca href=\"/featured-insights/future-of-asia/future-of-asia-podcasts\"\u003e\u003cem\u003eFuture of Asia Podcasts\u003c/em\u003e\u003c/a\u003e"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/future-of-asia/id1480316959"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/2CZX4AR2DT4hQCFKJG0cCv?si=B20tkrOmQYymuCUhKCQOwA"}]}}},{"mediaID":{"value":"logisticsdisruptors"},"title":{"value":"Logistics Disruptors"},"description":{"value":"Meet the companies shaping how goods will move tomorrow."},"image":{"src":"/~/media/mckinsey/industries/travel logistics and infrastructure/our insights/logistics disruptors/tli-logistics-disruptors-1536x1536.jpeg","alt":"illustration autonomous truck driving off into the future"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":"/industries/logistics/our-insights/logistics-disruptors"}]}}},{"mediaID":{"value":"mckinseyexplainers"},"title":{"value":"Looking for direct answers to other complex questions?"},"description":{"value":""},"image":{"src":"/~/media/mckinsey/featured insights/mckinsey explainers/mckinseyexplainers-flat-thumb-1536x1536.jpg","alt":"Circular, white maze filled with white 
semicircles."},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Explore the full McKinsey Explainers series","Title":"","Url":"/featured-insights/mckinsey-explainers"}]}}},{"mediaID":{"value":"livesandlegacies"},"title":{"value":"\u003cem\u003e\u003ca href=\"/featured-insights/mckinsey-on-lives-and-legacies\"\u003eMcKinsey on Lives \u0026amp; Legacies\u003c/a\u003e\u003c/em\u003e"},"description":{"value":"Highlighting the lasting impact of leaders and executives"},"image":{"src":"/~/media/mckinsey/featured insights/mckinsey on lives and legacies/lives-and-legacies-landing-page-thumb-1536x1536.jpg","alt":"McKinsey on Lives \u0026 Legacies"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Explore previous obituaries","Title":"","Url":"/featured-insights/mckinsey-on-lives-and-legacies"}]}}},{"mediaID":{"value":"Strategy"},"title":{"value":"Strategy in a digital age"},"description":{"value":"Our series on developing corporate and business-unit strategies in a digitally disrupted world."},"image":{"src":"/~/media/mckinsey/business functions/mckinsey digital/our insights/strategy in a digital age/digital-strategy_1536x864_flexpromoimage.jpg","alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"View the collection","Title":"","Url":"/featured-insights/strategy-in-a-digital-age"}]}}},{"mediaID":{"value":"great"},"title":{"value":"The great re-make: Manufacturing for modern times"},"description":{"value":"This 21-article compendium gives practical insights for manufacturing leaders looking to keep a step ahead of today\u0026rsquo;s disruptions."},"image":{"src":"/~/media/mckinsey/business functions/operations/our insights/the great remake manufacturing for modern times/jpg-ops-dm-compendium-cover-1536x864.jpg","alt":"The great re-make: Manufacturing for modern 
times"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"View the collection","Title":"","Url":"/capabilities/operations/our-insights/the-great-re-make-manufacturing-for-modern-times-compendium"}]}}},{"mediaID":{"value":"futureofamerica"},"title":{"value":"Subscribe to the \u003cem\u003eFuture of America\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/future-of-america/id1616517376"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/0FpeyjojJTKf2hVtQ3otah"}]}}},{"mediaID":{"value":"governmentpodcast"},"title":{"value":"Subscribe to the \u003cem\u003eMcKinsey on Government\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-on-government/id1573645359"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/61XsO4B2ersroMft8t3KSq"}]}}},{"mediaID":{"value":"podcast"},"title":{"value":"Want to subscribe to the McKinsey Podcast?\n"},"description":{"value":"\u003cdiv class=\"cta-container -align-horizontal\"\u003e\n \u003ca href=\"#\" class=\"btn btn-fill\"\u003eGoogle Play\u003c/a\u003e\n \u003ca href=\"#\" class=\"btn btn-fill\"\u003eiTunes\u003c/a\u003e\n \u003ca href=\"#\" class=\"btn btn-fill\"\u003eStitcher\u003c/a\u003e\n \u003ca href=\"#\" class=\"btn mck-rss-icon\"\u003eRSS\u003c/a\u003e\n\u003c/div\u003e"},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[]}}},{"mediaID":{"value":"operationspodcast"},"title":{"value":"Subscribe to 
the \u003cem\u003eMcKinsey Talks Operations\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-talks-operations/id1598128813"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/7LYQS2fxAoBmC3LgFNJbi8"}]}}},{"mediaID":{"value":"energyinsights"},"title":{"value":"Speak to an expert about our upstream capabilities"},"description":{"value":""},"image":{"src":"/~/media/mckinsey/industries/oil and gas/how we help clients/energy insights/newsletter-signup-promo-bar-1536x768.jpg","alt":"EI newsletter sign up"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"internal","Target":"","Text":"Contact us","Title":"","Url":"/industries/oil-and-gas/how-we-help-clients/energy-solutions/contact-us"}]}}},{"mediaID":{"value":"buildingproductspodcast"},"title":{"value":"Subscribe to the \u003cem\u003eMcKinsey on Building Products\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-on-building-product/id1735607317"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/79pncGJtBtzz7pFoR6OiH8"},{"CssClass":"","LinkType":"internal","Target":"","Text":"Listen to previous episodes","Title":"","Url":"/capabilities/people-and-organizational-performance/how-we-help-clients/mckinsey-academy/product-academy/mckinsey-on-building-product"}]}}},{"mediaID":{"value":"talentpodcast"},"title":{"value":"Subscribe to the \u003cem\u003eMcKinsey Talks Talent\u003c/em\u003e 
podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-talks-talent/id1491112396"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/5sW4eHEFMbOvAFJjMfN9a6"}]}}},{"mediaID":{"value":"outlook"},"title":{"value":"A longer, more comprehensive version of our Global Oil Supply \u0026 Demand Outlook is available for purchase upon request.\n"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"internal","Target":"","Text":"Contact us","Title":"","Url":"/industries/oil-and-gas/how-we-help-clients/energy-solutions/contact-us"}]}}},{"mediaID":{"value":"talentpodcast2"},"title":{"value":"\u003cem\u003eMcKinsey Talks Talent\u003c/em\u003e Podcast"},"description":{"value":"Bryan Hancock, Brooke Weddle, and other talent experts help you navigate a fast-changing landscape and prepare for the future of work by making talent a competitive advantage."},"image":{"src":"/~/media/mckinsey/business functions/people and organizational performance/mckinsey talks talent/mck-mtt-disruptor-full-1536x864-smoke-may-2021.jpg","alt":"McKinsey Talks Talent"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"See more episodes","Title":"","Url":"/capabilities/people-and-organizational-performance/mckinsey-talks-talent-podcast"}]}}},{"mediaID":{"value":"investing"},"title":{"value":"Subscribe to McKinsey on Investing"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"internal","Target":"","Text":"Learn 
more","Title":"","Url":"/industries/private-capital/our-insights/mckinsey-on-investing-issue-1/contact"}]}}},{"mediaID":{"value":"women matter"},"title":{"value":"Subscribe to McKinsey \u003cem\u003eWomen Matter Canada\u003c/em\u003e"},"description":{"value":"Please subscribe if your organization is interested in learning about participating in future research."},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":""}]}}},{"mediaID":{"value":"customs"},"title":{"value":"This article was written as part of a larger research effort to identify opportunities for improvement and innovation at customs agencies globally."},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":"/industries/public-sector/our-insights/contact"}]}}},{"mediaID":{"value":"tech"},"title":{"value":"\u003cspan class=\"disrupt-ab\"\u003eCreating value beyond the hype\u003c/span\u003e"},"description":{"value":"Let\u0026rsquo;s deliver on the promise of technology from strategy to scale."},"image":{"src":"/~/media/mckinsey/business functions/mckinsey digital/how we help clients/2024/never-just-tech_thumb_1536x1536.jpg","alt":"Never just tech"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"external","Target":"","Text":"Get started","Title":"","Url":"https://www.mckinsey.com/capabilities/mckinsey-digital/how-we-help-clients?cid=njt-ste-crk-mbm-mbm--2403-promo01-njt-bam-web"}]}}},{"mediaID":{"value":"sust"},"title":{"value":"\u003cspan class=\"disrupt-ab\"\u003eMove from plans to progress.\u003c/span\u003e"},"description":{"value":"Sustainability matters. 
Together we’ll make it real."},"image":{"src":"/~/media/mckinsey/business functions/sustainability/how we help clients/sustainability-campaign_promo-thumb_1536x1536.jpg","alt":"Move from plans to progress."},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"external","Target":"","Text":"Get started","Title":"","Url":"https://www.mckinsey.com/capabilities/sustainability/how-we-help-clients/?cid=susti24-ste-crk-mbm-m01-other-glb-web"}]}}},{"mediaID":{"value":"nwowpodcast"},"title":{"value":"Subscribe to the New World of Work podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://itunes.apple.com/us/podcast/the-new-world-of-work/id1319502839?mt=2"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/3S6fHLW6mcbDJDp1wkArKI"}]}}},{"mediaID":{"value":"globalpodcast"},"title":{"value":"Want to subscribe to \u003cem\u003eThe McKinsey Podcast\u003c/em\u003e?"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://itunes.apple.com/us/podcast/the-mckinsey-podcast/id285260960?mt=2"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/4dyjRTP9xzEUPgleo6XjXI"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"YouTube","Title":"","Url":"https://www.youtube.com/@McKinsey/podcasts"},{"CssClass":"","LinkType":"internal","Target":"","Text":"Listen to previous episodes","Title":"","Url":"/featured-insights/mckinsey-podcast"}]}}},{"mediaID":{"value":"Qaudio"},"title":{"value":"Discover and subscribe to McKinsey Quarterly Audio"},"description":{"value":"\u003cstrong\u003eFive ways to 
subscribe:\u003c/strong\u003e"},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://itunes.apple.com/us/podcast/mckinsey-quarterly-audio/id1437925222?mt=2"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/5mb2zYJnrPcRrML8gx5doD"}]}}},{"mediaID":{"value":"shortlist"},"title":{"value":"Subscribe to the Shortlist"},"description":{"value":"McKinsey\u0026rsquo;s new weekly newsletter, featuring must-read content on a range of topics, every Friday"},"image":{"src":"/~/media/mckinsey/email/shortlist/template/shortlist_promo-interrupter-849120982_1536x1536.jpg","alt":"the Shortlist"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Get the Shortlist in your inbox","Title":"","Url":"/user-registration/manage-account/edit-subscriptions"}]}}},{"mediaID":{"value":"retailpodcast"},"title":{"value":"Subscribe to the \u003cem\u003eMcKinsey on Consumer and Retail\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-on-consumer-and-retail/id1526250428"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/41D4bro8PPDOGhEgOEJyHB?si=7l3SeYCZQD-7v3toqd9fHQ"}]}}},{"mediaID":{"value":"insurancepodcast"},"title":{"value":"Want to subscribe to the \u003cem\u003eMcKinsey on Insurance\u003c/em\u003e podcast?"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple 
Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-on-insurance/id1533196359"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/5gZ6YKF7n7C9zWaER4mFZ5"}]}}},{"mediaID":{"value":"strategypodcast"},"title":{"value":"Subscribe to the \u003cem\u003eInside the Strategy Room\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://itunes.apple.com/us/podcast/inside-the-strategy-room/id1422814215?mt=2"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/4TcFfiQ0e6OYuc5kRDLxqj"}]}}},{"mediaID":{"value":"mgipodcast"},"title":{"value":"Subscribe to the \u003cem\u003eForward Thinking\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/forward-thinking/id1319502839"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/3S6fHLW6mcbDJDp1wkArKI?si=0zvPmiCsQ7SBAPanfpY4aA\u0026nd=1"},{"CssClass":"","LinkType":"internal","Target":"","Text":"Listen to previous episodes","Title":"","Url":"/mgi/forward-thinking"}]}}}]},"globalDisruptors":{"disruptor1up":{"results":[{"mediaID":{"value":"cop"},"title":{"value":"Explore COP29 with McKinsey"},"description":{"value":"Join our series of dynamic virtual events during COP29. 
Discover new research, practical strategies, and collaborations across sectors to move climate action beyond why to how."},"image":{"src":"/~/media/mckinsey/business functions/sustainability/how we help clients/cop/cop29/cop_29_thumb.jpg","alt":"McKinsey at COP29"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"external","Target":"","Text":"Register","Title":"","Url":"https://mckinsey.cventevents.com/Q2MVE1?rt=RrQJ1iBSfEiqSK7N9VAGCw\u0026RefId=cop"}]}}},{"mediaID":{"value":"attheedge"},"title":{"value":"Subscribe to the \u003cem\u003eAt the Edge\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/at-the-edge/id1612870236"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/3SnUcezwM20nKnzqvUl6iF"}]}}},{"mediaID":{"value":"authortalks"},"title":{"value":"Visit \u003cem\u003e\u003ca href=\"/featured-insights/mckinsey-on-books/author-talks\"\u003eAuthor Talks\u003c/a\u003e\u003c/em\u003e to see the full series."},"description":{"value":""},"image":{"src":"/~/media/mckinsey/featured insights/mckinsey books/author talks/authortalks_1536x1536_v1.png","alt":"Author Talks"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":"/featured-insights/mckinsey-on-books/author-talks"}]}}},{"mediaID":{"value":"COVID"},"title":{"value":"Explore McKinsey’s ongoing coverage of the pandemic"},"description":{"value":""},"image":{"src":"/~/media/mckinsey/business functions/risk/our insights/covid 19 implications for business/implications-briefing-note-4-standard-1536x1536.jpg","alt":"COVID-19: Implications for business"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Read more about 
the business impact of coronavirus and how organizations can respond","Title":"","Url":"/featured-insights/coronavirus-leading-through-the-crisis"}]}}},{"mediaID":{"value":"CE"},"title":{"value":"Customer experience"},"description":{"value":"More insight into creating competitive advantage by putting customers first and managing their journeys."},"image":{"src":"/~/media/mckinsey/industries/public and social sector/our insights/customer experience/customer-experience_22934010_1536x864.jpg","alt":"Customer experience"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":""}]}}},{"mediaID":{"value":"driversofdisruption"},"title":{"value":"Want to subscribe to \u003ca href=\"/features/mckinsey-center-for-future-mobility/our-insights/drivers-of-disruption\"\u003e\u003cem\u003eDrivers of Disruption\u003c/em\u003e\u003c/a\u003e?"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/drivers-of-disruption/id1687257324"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/5fWXzWmVKacc5I7u9CQsah?si=KQ-wUOSyQlqcnfexExiH9Q\u0026nd=1"}]}}},{"mediaID":{"value":"JOL"},"title":{"value":"The Journey of Leadership"},"description":{"value":"\u003cstrong\u003eHow CEOs Learn to Lead from the Inside Out\u003c/strong\u003e\u003cbr /\u003e\nBy \u003ca href=\"/our-people/dana-maor\"\u003eDana Maor\u003c/a\u003e, \u003ca href=\"https://www.linkedin.com/in/hanswernerkaas\"\u003eHans-Werner Kaas\u003c/a\u003e, \u003ca href=\"/our-people/kurt-strovink\"\u003eKurt Strovink\u003c/a\u003e, and \u003ca href=\"/our-people/ramesh-srinivasan\"\u003eRamesh Srinivasan\u003c/a\u003e"},"image":{"src":"/~/media/mckinsey/featured insights/mckinsey books/journey of 
leadership/journey-of-leadership-book-cover-1536x1536.jpg","alt":"The Journey of Leadership book cover"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":"/featured-insights/mckinsey-on-books/journey-of-leadership"}]}}},{"mediaID":{"value":"surveys"},"title":{"value":"McKinsey\u0026rsquo;s original survey research"},"description":{"value":""},"image":{"src":"/~/media/mckinsey/featured insights/mckinsey global surveys/mck-global-survey-landing-1284442931-thumb-1536x1536.jpg","alt":"McKinsey Global Surveys"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Read more","Title":"","Url":"/featured-insights/mckinsey-global-surveys"}]}}},{"mediaID":{"value":"healthcarepodcast"},"title":{"value":"Want to subscribe to \u003cem\u003eMcKinsey on Healthcare\u003c/em\u003e?"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-on-healthcare/id1469979748"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/3y1AgAilV4E5Jz0x4wD9O2?si=mLCTUQ2ORTS_LC5gW_htlA\u0026dl_branch=1"}]}}},{"mediaID":{"value":"myleadershipjourney"},"title":{"value":"My Leadership Journey"},"description":{"value":"A series of conversations with leaders about the people and experiences that shaped them"},"image":{"src":"/~/media/mckinsey/business functions/people and organizational performance/our insights/my leadership journey/my leadership journey collection page_131575496_thumb_1536x1536.jpg","alt":"My Leadership Journey"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Learn 
more","Title":"","Url":"/capabilities/people-and-organizational-performance/our-insights/my-leadership-journey"}]}}},{"mediaID":{"value":"lessonsfromleaders"},"title":{"value":"State of Organizations: Lessons from leaders"},"description":{"value":""},"image":{"src":"/~/media/mckinsey/business functions/people and organizational performance/our insights/state of org lessons from leaders/soo-chapter-2-872507320-standard-1536x1536.jpg","alt":"\"\""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Explore more interviews","Title":"","Url":"/capabilities/people-and-organizational-performance/our-insights/lessons-from-leaders"}]}}},{"mediaID":{"value":"stateoforg"},"title":{"value":"The State of Organizations 2023"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Report overview","Title":"","Url":"/capabilities/people-and-organizational-performance/our-insights/the-state-of-organizations-2023"}]}}},{"mediaID":{"value":"titaniumeconomy"},"title":{"value":"The Titanium Economy"},"description":{"value":"How Industrial Technology Can Create a Better, Faster, Stronger America\u003cbr /\u003e\nBy \u003ca href=\"/our-people/asutosh-padhi\"\u003eAsutosh Padhi\u003c/a\u003e, Gaurav Batra, and \u003ca href=\"https://fernweh.com/nick-santhanam/\"\u003eNick Santhanam\u003c/a\u003e"},"image":{"src":"/~/media/mckinsey/featured insights/mckinsey books/the titanium economy/titanium_3d-1536x1536-hero-trans.png","alt":"The Titanium Economy Book cover"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":"/featured-insights/mckinsey-on-books/the-titanium-economy"}]}}},{"mediaID":{"value":"GII"},"title":{"value":"Global Infrastructure Initiative"},"description":{"value":"Convening global leaders in infrastructure and capital projects in pursuit of new 
solutions"},"image":{"src":"/~/media/mckinsey/business functions/operations/our insights/the global infrastructure initiative/jpg-cpi-improving-construction-productivity-1536x864.jpg","alt":"Improving construction productivity"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"external","Target":"","Text":"Learn more","Title":"","Url":"http://www.globalinfrastructureinitiative.com/"}]}}},{"mediaID":{"value":"FOApodcast"},"title":{"value":"Subscribe to \u003ca href=\"/featured-insights/future-of-asia/future-of-asia-podcasts\"\u003e\u003cem\u003eFuture of Asia Podcasts\u003c/em\u003e\u003c/a\u003e"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/future-of-asia/id1480316959"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/2CZX4AR2DT4hQCFKJG0cCv?si=B20tkrOmQYymuCUhKCQOwA"}]}}},{"mediaID":{"value":"logisticsdisruptors"},"title":{"value":"Logistics Disruptors"},"description":{"value":"Meet the companies shaping how goods will move tomorrow."},"image":{"src":"/~/media/mckinsey/industries/travel logistics and infrastructure/our insights/logistics disruptors/tli-logistics-disruptors-1536x1536.jpeg","alt":"illustration autonomous truck driving off into the future"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":"/industries/logistics/our-insights/logistics-disruptors"}]}}},{"mediaID":{"value":"mckinseyexplainers"},"title":{"value":"Looking for direct answers to other complex questions?"},"description":{"value":""},"image":{"src":"/~/media/mckinsey/featured insights/mckinsey explainers/mckinseyexplainers-flat-thumb-1536x1536.jpg","alt":"Circular, white maze filled with white 
semicircles."},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Explore the full McKinsey Explainers series","Title":"","Url":"/featured-insights/mckinsey-explainers"}]}}},{"mediaID":{"value":"livesandlegacies"},"title":{"value":"\u003cem\u003e\u003ca href=\"/featured-insights/mckinsey-on-lives-and-legacies\"\u003eMcKinsey on Lives \u0026amp; Legacies\u003c/a\u003e\u003c/em\u003e"},"description":{"value":"Highlighting the lasting impact of leaders and executives"},"image":{"src":"/~/media/mckinsey/featured insights/mckinsey on lives and legacies/lives-and-legacies-landing-page-thumb-1536x1536.jpg","alt":"McKinsey on Lives \u0026 Legacies"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Explore previous obituaries","Title":"","Url":"/featured-insights/mckinsey-on-lives-and-legacies"}]}}},{"mediaID":{"value":"Strategy"},"title":{"value":"Strategy in a digital age"},"description":{"value":"Our series on developing corporate and business-unit strategies in a digitally disrupted world."},"image":{"src":"/~/media/mckinsey/business functions/mckinsey digital/our insights/strategy in a digital age/digital-strategy_1536x864_flexpromoimage.jpg","alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"View the collection","Title":"","Url":"/featured-insights/strategy-in-a-digital-age"}]}}},{"mediaID":{"value":"great"},"title":{"value":"The great re-make: Manufacturing for modern times"},"description":{"value":"This 21-article compendium gives practical insights for manufacturing leaders looking to keep a step ahead of today\u0026rsquo;s disruptions."},"image":{"src":"/~/media/mckinsey/business functions/operations/our insights/the great remake manufacturing for modern times/jpg-ops-dm-compendium-cover-1536x864.jpg","alt":"The great re-make: Manufacturing for modern 
times"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"View the collection","Title":"","Url":"/capabilities/operations/our-insights/the-great-re-make-manufacturing-for-modern-times-compendium"}]}}},{"mediaID":{"value":"futureofamerica"},"title":{"value":"Subscribe to the \u003cem\u003eFuture of America\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/future-of-america/id1616517376"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/0FpeyjojJTKf2hVtQ3otah"}]}}},{"mediaID":{"value":"governmentpodcast"},"title":{"value":"Subscribe to the \u003cem\u003eMcKinsey on Government\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-on-government/id1573645359"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/61XsO4B2ersroMft8t3KSq"}]}}},{"mediaID":{"value":"podcast"},"title":{"value":"Want to subscribe to the McKinsey Podcast?\n"},"description":{"value":"\u003cdiv class=\"cta-container -align-horizontal\"\u003e\n \u003ca href=\"#\" class=\"btn btn-fill\"\u003eGoogle Play\u003c/a\u003e\n \u003ca href=\"#\" class=\"btn btn-fill\"\u003eiTunes\u003c/a\u003e\n \u003ca href=\"#\" class=\"btn btn-fill\"\u003eStitcher\u003c/a\u003e\n \u003ca href=\"#\" class=\"btn mck-rss-icon\"\u003eRSS\u003c/a\u003e\n\u003c/div\u003e"},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[]}}},{"mediaID":{"value":"operationspodcast"},"title":{"value":"Subscribe to 
the \u003cem\u003eMcKinsey Talks Operations\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-talks-operations/id1598128813"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/7LYQS2fxAoBmC3LgFNJbi8"}]}}},{"mediaID":{"value":"energyinsights"},"title":{"value":"Speak to an expert about our upstream capabilities"},"description":{"value":""},"image":{"src":"/~/media/mckinsey/industries/oil and gas/how we help clients/energy insights/newsletter-signup-promo-bar-1536x768.jpg","alt":"EI newsletter sign up"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"internal","Target":"","Text":"Contact us","Title":"","Url":"/industries/oil-and-gas/how-we-help-clients/energy-solutions/contact-us"}]}}},{"mediaID":{"value":"buildingproductspodcast"},"title":{"value":"Subscribe to the \u003cem\u003eMcKinsey on Building Products\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-on-building-product/id1735607317"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/79pncGJtBtzz7pFoR6OiH8"},{"CssClass":"","LinkType":"internal","Target":"","Text":"Listen to previous episodes","Title":"","Url":"/capabilities/people-and-organizational-performance/how-we-help-clients/mckinsey-academy/product-academy/mckinsey-on-building-product"}]}}},{"mediaID":{"value":"talentpodcast"},"title":{"value":"Subscribe to the \u003cem\u003eMcKinsey Talks Talent\u003c/em\u003e 
podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-talks-talent/id1491112396"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/5sW4eHEFMbOvAFJjMfN9a6"}]}}},{"mediaID":{"value":"outlook"},"title":{"value":"A longer, more comprehensive version of our Global Oil Supply \u0026 Demand Outlook is available for purchase upon request.\n"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"internal","Target":"","Text":"Contact us","Title":"","Url":"/industries/oil-and-gas/how-we-help-clients/energy-solutions/contact-us"}]}}},{"mediaID":{"value":"talentpodcast2"},"title":{"value":"\u003cem\u003eMcKinsey Talks Talent\u003c/em\u003e Podcast"},"description":{"value":"Bryan Hancock, Brooke Weddle, and other talent experts help you navigate a fast-changing landscape and prepare for the future of work by making talent a competitive advantage."},"image":{"src":"/~/media/mckinsey/business functions/people and organizational performance/mckinsey talks talent/mck-mtt-disruptor-full-1536x864-smoke-may-2021.jpg","alt":"McKinsey Talks Talent"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"See more episodes","Title":"","Url":"/capabilities/people-and-organizational-performance/mckinsey-talks-talent-podcast"}]}}},{"mediaID":{"value":"investing"},"title":{"value":"Subscribe to McKinsey on Investing"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"internal","Target":"","Text":"Learn 
more","Title":"","Url":"/industries/private-capital/our-insights/mckinsey-on-investing-issue-1/contact"}]}}},{"mediaID":{"value":"women matter"},"title":{"value":"Subscribe to McKinsey \u003cem\u003eWomen Matter Canada\u003c/em\u003e"},"description":{"value":"Please subscribe if your organization is interested in learning about participating in future research."},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":""}]}}},{"mediaID":{"value":"customs"},"title":{"value":"This article was written as part of a larger research effort to identify opportunities for improvement and innovation at customs agencies globally."},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"internal","Target":"","Text":"Learn more","Title":"","Url":"/industries/public-sector/our-insights/contact"}]}}},{"mediaID":{"value":"tech"},"title":{"value":"\u003cspan class=\"disrupt-ab\"\u003eCreating value beyond the hype\u003c/span\u003e"},"description":{"value":"Let\u0026rsquo;s deliver on the promise of technology from strategy to scale."},"image":{"src":"/~/media/mckinsey/business functions/mckinsey digital/how we help clients/2024/never-just-tech_thumb_1536x1536.jpg","alt":"Never just tech"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"external","Target":"","Text":"Get started","Title":"","Url":"https://www.mckinsey.com/capabilities/mckinsey-digital/how-we-help-clients?cid=njt-ste-crk-mbm-mbm--2403-promo01-njt-bam-web"}]}}},{"mediaID":{"value":"sust"},"title":{"value":"\u003cspan class=\"disrupt-ab\"\u003eMove from plans to progress.\u003c/span\u003e"},"description":{"value":"Sustainability matters. 
Together we’ll make it real."},"image":{"src":"/~/media/mckinsey/business functions/sustainability/how we help clients/sustainability-campaign_promo-thumb_1536x1536.jpg","alt":"Move from plans to progress."},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"external","Target":"","Text":"Get started","Title":"","Url":"https://www.mckinsey.com/capabilities/sustainability/how-we-help-clients/?cid=susti24-ste-crk-mbm-m01-other-glb-web"}]}}},{"mediaID":{"value":"nwowpodcast"},"title":{"value":"Subscribe to the New World of Work podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://itunes.apple.com/us/podcast/the-new-world-of-work/id1319502839?mt=2"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/3S6fHLW6mcbDJDp1wkArKI"}]}}},{"mediaID":{"value":"globalpodcast"},"title":{"value":"Want to subscribe to \u003cem\u003eThe McKinsey Podcast\u003c/em\u003e?"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://itunes.apple.com/us/podcast/the-mckinsey-podcast/id285260960?mt=2"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/4dyjRTP9xzEUPgleo6XjXI"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"YouTube","Title":"","Url":"https://www.youtube.com/@McKinsey/podcasts"},{"CssClass":"","LinkType":"internal","Target":"","Text":"Listen to previous episodes","Title":"","Url":"/featured-insights/mckinsey-podcast"}]}}},{"mediaID":{"value":"Qaudio"},"title":{"value":"Discover and subscribe to McKinsey Quarterly Audio"},"description":{"value":"\u003cstrong\u003eFive ways to 
subscribe:\u003c/strong\u003e"},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://itunes.apple.com/us/podcast/mckinsey-quarterly-audio/id1437925222?mt=2"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/5mb2zYJnrPcRrML8gx5doD"}]}}},{"mediaID":{"value":"shortlist"},"title":{"value":"Subscribe to the Shortlist"},"description":{"value":"McKinsey\u0026rsquo;s new weekly newsletter, featuring must-read content on a range of topics, every Friday"},"image":{"src":"/~/media/mckinsey/email/shortlist/template/shortlist_promo-interrupter-849120982_1536x1536.jpg","alt":"the Shortlist"},"moreLinks":{"jsonValue":{"value":[{"CssClass":"","LinkType":"internal","Target":"","Text":"Get the Shortlist in your inbox","Title":"","Url":"/user-registration/manage-account/edit-subscriptions"}]}}},{"mediaID":{"value":"retailpodcast"},"title":{"value":"Subscribe to the \u003cem\u003eMcKinsey on Consumer and Retail\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-on-consumer-and-retail/id1526250428"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/41D4bro8PPDOGhEgOEJyHB?si=7l3SeYCZQD-7v3toqd9fHQ"}]}}},{"mediaID":{"value":"insurancepodcast"},"title":{"value":"Want to subscribe to the \u003cem\u003eMcKinsey on Insurance\u003c/em\u003e podcast?"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple 
Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/mckinsey-on-insurance/id1533196359"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/5gZ6YKF7n7C9zWaER4mFZ5"}]}}},{"mediaID":{"value":"strategypodcast"},"title":{"value":"Subscribe to the \u003cem\u003eInside the Strategy Room\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://itunes.apple.com/us/podcast/inside-the-strategy-room/id1422814215?mt=2"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/4TcFfiQ0e6OYuc5kRDLxqj"}]}}},{"mediaID":{"value":"mgipodcast"},"title":{"value":"Subscribe to the \u003cem\u003eForward Thinking\u003c/em\u003e podcast"},"description":{"value":""},"image":{"src":null,"alt":""},"moreLinks":{"jsonValue":{"value":[{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Apple Podcasts","Title":"","Url":"https://podcasts.apple.com/us/podcast/forward-thinking/id1319502839"},{"CssClass":"btn btn-fill","LinkType":"external","Target":"_blank","Text":"Spotify","Title":"","Url":"https://open.spotify.com/show/3S6fHLW6mcbDJDp1wkArKI?si=0zvPmiCsQ7SBAPanfpY4aA\u0026nd=1"},{"CssClass":"","LinkType":"internal","Target":"","Text":"Listen to previous episodes","Title":"","Url":"/mgi/forward-thinking"}]}}}]},"disruptorsignup":{"results":[{"mediaID":{"value":"full-width"},"renderMode":{"targetItem":{"key":{"value":"fullwidth"},"value":{"value":"Full Width"}}},"callToAction":{"url":"/user-registration/register-mvc","text":"Subscribe"},"title":{"jsonValue":{"value":"Stay current on your favorite 
topics"}}},{"mediaID":{"value":"left"},"renderMode":{"targetItem":{"key":{"value":"left"},"value":{"value":"Left"}}},"callToAction":{"url":"/user-registration/register-mvc","text":"Subscribe"},"title":{"jsonValue":{"value":"Stay current on your favorite topics"}}}]}},"ceros":{"results":[]},"exhibit":{"results":[{"id":"9DE68EE0D97A4631BDED0A065D4DD18C","displayName":"Exhibit","mediaID":{"value":"1"},"includeTheAccessibilityDisclaimerText":{"boolValue":true},"headline":{"jsonValue":{"value":""}},"hideBottomBorder":{"boolValue":false},"hideEyebrow":{"boolValue":false},"eyebrow":{"jsonValue":{"value":""}},"displayNumber":{"value":""},"description":{"jsonValue":{"value":""}},"desktopImage":{"alt":"The General Data Protection Regulation sets out guiding principles for data protection.","src":"/~/media/mckinsey/business functions/risk/our insights/data privacy what every manager needs to know/svgz_tackling_gdpr_ex1.svgz","description":""},"mobileImage":{"alt":"","src":null},"renderMode":{"targetItem":{"key":{"value":"Medium content column width"},"value":{"value":"medium"}}},"flourishDataVisualizationID":{"value":""},"pNGImage":{"src":"/~/media/mckinsey/business functions/risk/our insights/data privacy what every manager needs to know/png_tackling_gdpr_ex1.png","alt":"The General Data Protection Regulation sets out guiding principles for data protection."},"height":{"value":"1738"},"width":{"value":"1536"},"mobileSVGImage":{"src":null,"alt":""},"mobilePNGImage":{"src":null,"alt":""}}]},"image":{"results":[]},"exhibitcarousel":{"results":[]},"pullquote":{"results":[{"description":{"value":"In order to get GDPR right, in order to get privacy right, you need the entire organization to be moving in the same 
direction."},"mediaID":{"value":"1"},"renderMode":{"targetItem":{"key":{"value":"center"},"value":{"value":"center-align"}}},"citation":{"value":""},"enableQuotes":{"boolValue":true},"enableSingleQuotes":{"boolValue":false},"CTA":{"url":"","linkType":"internal","text":"","target":"","className":"","queryString":"","anchor":"","targetItem":null}},{"description":{"value":"We’re seeing all kinds of capabilities of AI that can help here, whether it’s, for example, around identifying PII and preparing it and cleansing it through an entity resolution."},"mediaID":{"value":"2"},"renderMode":{"targetItem":{"key":{"value":"center"},"value":{"value":"center-align"}}},"citation":{"value":""},"enableQuotes":{"boolValue":true},"enableSingleQuotes":{"boolValue":false},"CTA":{"url":"","linkType":"internal","text":"","target":"","className":"","queryString":"","anchor":"","targetItem":null}},{"description":{"value":"I do think there needs to be a phase two and a phase three where you go into the backups and the paper files and actually fully extract that person."},"mediaID":{"value":"3"},"renderMode":{"targetItem":{"key":{"value":"center"},"value":{"value":"center-align"}}},"citation":{"value":""},"enableQuotes":{"boolValue":true},"enableSingleQuotes":{"boolValue":false},"CTA":{"url":"","linkType":"internal","text":"","target":"","className":"","queryString":"","anchor":"","targetItem":null}}]},"disruptorsignup":{"results":[{"mediaID":{"value":"full-width"},"renderMode":{"targetItem":{"key":{"value":"fullwidth"},"value":{"value":"Full Width"}}},"callToAction":{"url":"/user-registration/register-mvc","text":"Subscribe"},"title":{"jsonValue":{"value":"Stay current on your favorite topics"}}},{"mediaID":{"value":"left"},"renderMode":{"targetItem":{"key":{"value":"left"},"value":{"value":"Left"}}},"callToAction":{"url":"/user-registration/register-mvc","text":"Subscribe"},"title":{"jsonValue":{"value":"Stay current on your favorite 
topics"}}}]},"articlesidebar":{"results":[{"mediaID":{"value":"1"},"description":{"jsonValue":{"value":"\u003cp\u003eThe scope of the European Union General Data Protection Regulation (GDPR) is broad, covering personal information that can be linked to an identifiable individual (such as national identification number, employee authentication, payment-transaction history, and date of birth) in any format (structured or unstructured) and in any medium (online, offline, or backup storage).\u003c/p\u003e\n\u003cp\u003eThe regulation is designed to protect the privacy of EU residents by introducing stringent consent requirements, data-subject rights, and obligations on organizations that gather, control, and process data. Its core requirements cover the following:\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eRecord of activities.\u003c/strong\u003e Organizations should maintain a record of data-processing activities and be ready to present it to the regulator at any time.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eLegal basis for data.\u003c/strong\u003e All data processing should have a legal basis, such as the consent of the data subject or the need to fulfill a regulatory or legitimate business purpose.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eRights of data subjects.\u003c/strong\u003e Data subjects are imbued with rights that organizations must honor such as the right to be forgotten (or, more accurately, to data erasure), the right to data portability, the right to object, the right to revoke consent, and the right to restrict processing.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSecurity.\u003c/strong\u003e Organizations should protect data through a set of controls, such as encryption or \u0026ldquo;pseudonymization,\u0026rdquo; and have effective operational procedures and policies for handling data safely.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eThird-party management.\u003c/strong\u003e Vendors and suppliers, including outsourcing 
partners, should be required to protect personal data and should be monitored to ensure that they do so.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003ePrivacy by design.\u003c/strong\u003e Data protection should be built into business-as-usual processes, so that any organization planning a new technology, product, or service addresses it from the beginning of the development process.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eBreach notification.\u003c/strong\u003e Data breaches likely to result in high risk to individuals\u0026rsquo; rights and freedoms should be reported to the authorities within 72 hours and subsequently to the data subjects as well in certain cases.\u003c/p\u003e\n\u003cp\u003eThe new regulation is enforced via national supervisory authorities within the European Union that are granted wide-ranging enforcement powers and sanctions, such as the power to ban data processing. The fines for failure to comply are high, as much as 4 percent of annual worldwide revenues. The GDPR also allows individuals to seek civil actions (including class-action lawsuits) against organizations that violate their data-protection rights.\u003c/p\u003e\n\u003cp\u003eWhile GDPR is the most expansive regulation of its kind to date, there has also been movement in other geographies to increase protections around personal data. 
In the United States, for example, the state of California recently passed the California Consumer Privacy Act of 2018, which holds organizations to similar standards and imbues data subjects with similar rights.\u003c/p\u003e"}},"aboutTheAuthors":{"jsonValue":{"value":""}},"headline":{"jsonValue":{"value":"The GDPR: Key facts"}},"footnotes":{"value":""},"showShareTools":{"boolValue":true},"backgroundColor":{"targetItem":{"key":{"value":"Lightest Grey"},"value":{"value":"lightest-grey"}}},"gradientDirection":{"targetItem":{"key":{"value":"Bottom Right"},"value":{"value":"bottom-right"}}},"renderMode":{"targetItem":{"key":{"value":"Collapsible"},"value":{"value":"default"}}},"isAboutAuthor":{"boolValue":false},"background":{"targetItem":null},"image":{"src":null,"alt":""}}]},"boxout":{"results":[]},"globalsidebar":{"results":[]},"video":{"results":[]},"scrollycontainer":{"results":[]},"bespokeinteractive":{"results":[]},"storycontainer":{"results":[]},"interactive":{"results":[]},"sectionheader":{"results":[]},"statementdisruptor":{"results":[]},"fullbleedphoto":{"results":[]},"tocitem":{"results":[]},"quizcontainer":{"results":[]},"generalup":{"results":[]},"twoupmedium":{"results":[]},"accordion":{"results":[]},"factoid":{"results":[]},"promobarwithquote":{"results":[]},"oneupmedium":{"results":[]},"oneupmediumquote":{"results":[]},"gridwall":{"results":[]},"twoupsmall":{"results":[]},"oneclicksubscribe":{"results":[]},"promobar":{"results":[]},"promobanner":{"results":[]},"sectionhero":{"results":[]},"threeuplinklist":{"results":[]},"table":{"results":[]},"explainertooltip":{"results":[]},"isFiveFiftyHorizontalArticle":{"boolValue":false},"fiveFifty":{"results":[]}},"contextItem":{"ancestors":[{"breadCrumbUrl":{"path":"/capabilities/risk-and-resilience/our-insights"},"breadCrumbTitle":{"value":"Our Insights"},"isMiniSite":{"boolValue":false},"displayName":"Risk \u0026amp; Resilience 
Insights","template":{"id":"85FF05307883480F9A4C82123F72FFD8"}},{"breadCrumbUrl":{"path":"/capabilities/risk-and-resilience/how-we-help-clients"},"breadCrumbTitle":null,"isMiniSite":{"boolValue":true},"displayName":"Risk \u0026 Resilience","template":{"id":"414C6C64AD35440E9668CF39D8A18CCF"}},{"breadCrumbUrl":{"path":"/capabilities"},"breadCrumbTitle":{"value":"Capabilities"},"isMiniSite":{"boolValue":false},"displayName":"Capabilities","template":{"id":"85FF05307883480F9A4C82123F72FFD8"}},{"breadCrumbUrl":{"path":"/"},"breadCrumbTitle":{"value":""},"isMiniSite":{"boolValue":false},"displayName":"Home","template":{"id":"85FF05307883480F9A4C82123F72FFD8"}}]}}},"placeholders":{"main-area":[],"sidebar-area":[]}}]}},"itemId":"87b03051-0343-469a-bd0b-565cb5be8f3e","pageEditing":false,"site":{"name":"website"},"pageState":"normal","language":"en","pageMetaData":{"alternateLanguages":[{"languageCode":"en","displayName":"English","url":"/capabilities/risk-and-resilience/our-insights/data-privacy-what-every-manager-needs-to-know"}],"currentLanguage":"en","navigationLink":"capabilities","activeItemId":"{3AD2CD7B-AFBF-4D20-8B18-D7D636A6AB49}","miniSiteId":"{7E1123A0-D44E-48D3-8D53-2EE9F8393F0D}","officeCode":"","officeDisplayName":"","subscriptionPracticeData":null,"isAlaisedPage":false,"originalHostName":"www.mckinsey.com","updatedDate":"2023-02-22T15:27:21Z","createdDate":"2018-08-03T17:12:26Z","practice":{"isDefaultPractice":false,"name":"Risk \u0026 Resilience","code":"N11","stickyTitle":"Sign up for emails on new Risk \u0026 Resilience articles","stickySubtitle":"Never miss an insight. 
We'll email you when new articles are published on this topic.","previewLink":"","previewLinkLabel":"Preview","description":null,"descriptionText":"Get the latest articles on this topic delivered to your inbox","frequency":"Alert","regFormTitle":null},"url":"/capabilities/risk-and-resilience/our-insights/data-privacy-what-every-manager-needs-to-know","isCareersPage":false,"officePath":"","hideAppPromo":false,"isAlumniURL":false,"isAlumniItemAccessable":false,"accessRoles":["sitecore\\GlobalOfficeEditor","Insights\\ClientLink","sitecore\\McKinseyAllAccess","Insights\\InsightsMedia","Offices\\Everyone","Insights\\InsightsAllAccess","extranet\\Everyone","Offices\\AngolaAllAccess","Offices\\SwitzerlandAllAccess","Offices\\KoreaAllAccess","Offices\\PortugalAllAccess","Offices\\DenmarkAllAccess","Offices\\FranceAllAccess","Offices\\UKIrelandAllAccess","Offices\\SouthAfricaAllAccess","Offices\\RussiaAllAccess","Offices\\SpainAllAccess","Offices\\JapanAllAccess","Offices\\NigeriaAllAccess","Offices\\FinlandAllAccess","sitecore\\AboutUsAuthor","sitecore\\ClientLinkAccess","sitecore\\Temp role","Offices\\JPOAuthor","Practices\\RiskAuthor"],"accessUsers":["AlumniCenter\\Alumni","extranet\\Anonymous","AlumniCenter\\FirmmemberAdmin","GSAAuthenticated\\Anonymous","extranet\\authenticated","AlumniCenter\\Firmmember","AlumniCenter\\CorporateRecruiter","sitecore\\MelanieColton","sitecore\\david_gomes","sitecore\\jeffrey_acevedo","sitecore\\justtestuser","Insights\\Amy_Swan","sitecore\\Mohammed_Irshad_K","sitecore\\sujatha_victor","sitecore\\Preethi_Bandi","sitecore\\Santoshini_Allamsetty","Insights\\Vasudha_Gupta","sitecore\\dalexander","sitecore\\lauren_meling","sitecore\\Elissa_Bandler"],"itemInfo":{"id":"87b03051-0343-469a-bd0b-565cb5be8f3e","fullPath":"/sitecore/content/McKinsey/Home/Capabilities/Risk and Resilience/Our Insights/Data privacy What every manager needs to 
know","templateName":"ArticleJSS","templateID":"683910db-02ba-40ba-92e7-726c880160a9"}},"defaultSettings":{"McKinsey Quarterly":"\u003cem\u003eMcKinsey Quarterly\u003c/em\u003e","FacebookCID":"soc-web","LinkedInCID":"soc-web","TwitterCID":"soc-web","Home Page SEO Details":{"Description":"McKinsey \u0026 Company is the trusted advisor and counselor to many of the world's most influential businesses and institutions.","Image_Url":"/~/media/images/global/seoimageplaceholder.jpg","Image_Alt":""}},"alumniDatalayerChunk":"static/chunks/alumnidatalayer.bea6461bc1a93bf6.js"},"componentProps":{},"notFound":false},"__N_PREVIEW":true,"__N_SSP":true},"page":"/[[...path]]","query":{"timestamp":"1739436595684","path":["capabilities","risk-and-resilience","our-insights","data-privacy-what-every-manager-needs-to-know"]},"buildId":"jIkMSrTx4uqE8V-HInFJO","runtimeConfig":{"CONFIG_ENV":"production","CURRENT_ENV":"production","PUBLIC_URL":"https://www.mckinsey.com","PUBLIC_CMS_URL":"https://cms-prod.mckinsey.com","RECAPTCHA_V3_KEY":"6LdC5twSAAAAAF0dePIbY_ckeF05mKdYYJXn7uTg","INVISIBLE_RECAPTCHA_KEY":"6LcWCs0UAAAAAEik2NaGkfGH8mGHo1ThxIt-qUoE","USER_SERVICE_API_HOST":"https://prd-api.mckinsey.com","MOBILE_SERVICES_HOST":"https://mobileservices.mckinsey.com","SEARCH_SERVICE_API_HOST":"https://mckapi.mckinsey.com","OT_DATA_DOMAIN_SCRIPT_COM":"915b5091-0d7e-44d2-a8c4-cf08267e52fe","OT_DATA_DOMAIN_SCRIPT_DE":"13f50396-9d33-4d95-ba3e-1f108fa91009","OT_DATA_DOMAIN_SCRIPT_BR":"679eae24-1d5c-4f33-8aae-b35aa8269966","ADOBE_LAUNCH":"a400cfbb2fd3","BCOV_POLICY":"BCpkADawqM3Kw-9uDslNJRKDKV902YBckQibdHvtCe7_E1CZUK-yA5lMOb0bP1Jmd13AXAimBAu9t6P25EhnE825MQxq4h4gzCSC4KvcIHFy2o5ay1FC1x7wzMAIhOee5bfcN5IJQx6CACEfqD6MjNGOa4Mh5LH3vPUAJm5oqesmj6CCd1LHOIyuDfTagR09agAhz4Ip_rz_4ksu4nquPxb2t4ZAzriRvCuZcBcGstib_ZFC8TZnALZ4lQDqnXvywA0mvcIcBN5UFD0mi9hLUMuP8-Q6YypPmnQA0WghaliiEvdty3YPyFYgUpQ-JqI7FX5e_lXDFKUsw7NhT6GYeYVdfIvXw_Wzz2bon3xTO_qSpFXjje5vbz7RbLHzLEZV_oaR74diNRT_SSTZbS2LkfGEBAYwNdRdLn5p1FhryNkg5ykrzRa9VhKcPPNu
Aj0w9Oj5j1Zd84f5_exyF4QM4_5VBu5NQyiUuWzWVPANIDpeFLxzP5psM-76ObRo9FgSmMi85MRqiSJYxfDCNxZCVJVSvlVR-smfLkuAD4Za9B4e57pzXgLwEBNYTIu-hl8C4xkTtIl1H_DxC4-X0iKmqPhFc0-z4UALqgntgcNbp6iutLU-Ue7z0Mr175s7GmZ9rRrqcolGT-4iwlAPcfm_E3ky-PdJZP6peSf_9WY9A0nhxgavAgYCvuFGqh1xUTRmYDNHOfb5xxW8nkFIRU2R9jk6zuRIVIFkOpX2Fp1427ipkVFchRcFu90FwvPYKtByEf7SynOSOrMHgJjkqWUHYvHzTYBmVvExyOlAYAlfovJUueYEjV3WKPsvmMxKHIL4wfxsEjVq5rAkY-qoiG_aA-p-0X2jd6x0nR7Fajn9No0EMN0OPXs3yjdpxC_a37eMC8dS4gIJjYJK5_xz8y5Q2uJUz9dmkqAMGc4CH9eJNDE5rP5kwAmLnHtnA36_kxbHsy6WVBllf4_jE9kQ3L-TfuZLBJtAZOqObTMtpUJYiOIYYkGnQgaiik8wyMvAsfGI3bRVEhkSJ7315aHLMp_K0WuHWW53v-lS4T4J0t8FmPHFCAsUC5LEHB9_cib12s055WPADQ8Q9VIMgzXJu04Eqi-zQHb7H1mmckN7gDXz0IqHAWF35mSwjs20HKG-p10f4Cj68Y_sV7Tdnx05lqmMJTumEPTfYiEwKNKWnUvH6Di2-XDUHZkgT1xUUIVxBIkmQsHRcdnNcxEdh_HTFljfGcdw-34bnVCJlUBklw","sitecoreApiHost":"https://prod.mckinsey.com","FB_APP_ID":"1382278882079245","ARTICLE_API_HOST":"https://prd-api.mckinsey.com","SITECORE_FORMS_SERVICES_API_HOST":"https://prd-api.mckinsey.com","FEATURE_TOGGLES":"{\"stack_adapt_pixel\": false, \"article_seo_schema\":true, \"remember_me\": true, \"gql_promo_banner\": true, \"gql_highlight_bar\": true, \"gql_ceros_placeholder\": true, \"gql_two_up_medium\": true, \"gql_hero_with_partnership_mark\": true, \"gql_brightcove_gallery\": true, \"gql_one_up_medium\": true, \"gql_promo_bar_with_quote\": true, \"gql_fifty_fifty_hero\": true, \"gql_enhanched_hero\": true, \"gql_two_up_small\": true, \"gql_general_up\": true, \"gql_full_bleed_hero\": true, \"passwordless_login_enabled\": true, \"sso_enabled\": true, \"article_id\": \"\", \"personalisation_enabled\":true, \"hide_student_sticky_footer\":true, \"email_domain_validation_enabled\":true, \"enable_cid_cookie_qp\": true, \"otp_verification_enabled\": true, \"article_ratings_enabled\": true, \"article_ratings_enabled_mobile\": true, \"disable_profile_for_alumni\": true, \"firm_sso_enabled\": 
true}","HEADER_SCRIPT_HASH":"abcd1234","OKTA_AUTH_CLIENT_ID":"0oa8ppb3ypQ8uOI8y697","OKTA_AUTH_ISSUER":"https://dotcomidp.mckinsey.com/oauth2/aus2byav0jTElyFDD697/","AUTO_REDIRECTION_DURATION":"5","LINKEDIN_IDP":"0oaecyj1byxnfrfFk697","APPLE_IDP":"0oaeg2lxy6mq4PX5F697","GOOGLE_IDP":"0oaeczfkb03XL3E4O697","FIRM_SSO_IDP":"0oannwofycK193SNs697","ALUMNI_BASE_API_URL":"https://gateway.mckinsey.com/:apiKey/v1","ALUMNI_AUTHENTICATE_API_URL":"https://ac3-okta-auth.mckinsey.com/authenticate","ALUMNI_OKTA_URL":"https://mckinsey.okta.com/app/mckinsey_ac3_1/exk1slverqoqR80wm2p7/sso/saml","ALUMNI_OKTA_ENABLED":"false","GOOGLE_MAP_API_KEY":"AIzaSyDqrGDNMDjy9pXHkMf-_Ut33LoC725GSe4","AWS_GATEWAY":"https://gateway.mckinsey.com","AWS_API_GATEWAY_ID":"283ao0jjs3","AWS_PERSONALIZATION_TRACKING_ID":"0e6bebf6-33df-48c3-a0ab-31dc0a18f583","AWS_PERSONALIZATION_CID":"recommendations-onw-onw-mck-mck-art-2410-v1-user-ext-web","EVENTS_MODULE_CARDS_COUNT":"8","RECOMMENDATIONS_OFFER_ACTIVITY":"Article Recommendations"},"isFallback":false,"dynamicIds":[70281,73769,76731,42354,35278,32991,98391,81732],"gssp":true,"locale":"en","locales":["en","da-DK"],"defaultLocale":"en","isPreview":true,"scriptLoader":[]}</script><script type="text/javascript" src="/WT0M/oqRU/7oA/KD1/Kl_g/i9piXDmbbJDfuV/Yy41AxIr/dmB/4eB1XalcB"></script></body></html>
