This week, CNBC hosted a conversation between execs from DuckDuckGo, Facebook, and Mozilla on businesses’ responsibility for the customer data they collect. “I think there was an article of faith maybe ten years ago that all data should be kept because it will ultimately someday be valuable,” Alan Davidson, VP of global policy at Firefox owner Mozilla, said. “And hopefully we are now questioning that and recognizing there’s a cost to keeping data.”
For most business leaders, the backlash against Big Tech feels worlds away from their own operation. But the recent GDPR fines levied against Marriott ($123 million USD) and British Airways ($230 million USD) reinforce that even for those of us who are not at the helm of a tech behemoth, there are substantial consequences for failing to protect the data we use and collect—and by the look of it, regulators are only getting started.
There have already been more GDPR-related fines in the last 10 weeks than in the entire first year GDPR was in effect, and the ICO (the UK’s independent body set up to uphold information rights) recently indicated there are another dozen fines already in their pipeline. Gone are the days where fines and public backlash were reserved for a select few of the world’s largest tech companies.
We have reached an inflection point on how companies can and should think about data. Sitting on hoards of data is no longer as rewarding as sitting on a gold mine—it is also a burden. Data should be thought of as both an asset and a liability, and collected and stored only when needed. With this in mind, businesses would be wise to reevaluate their data strategies according to the new realities of the data economy and regulatory climate.
Regulators are not the only ones taking notice of businesses’ haphazard data practices. With every new revelation of data breaches and misuse, more customers gravitate towards businesses they can trust.
According to The Harris Poll, Americans ranked data privacy the country’s most pressing social issue. As a result, tech companies saw some of the largest year-over-year drops in brand reputation scores. However, this sentiment isn’t confined to the US. In a 2018 IBM study, 75% of global respondents said they would not buy from a company if they didn’t trust the company’s ability to protect their data.
Customers’ wavering trust makes sense. We use data to decide who gets access to what: potential life partners on dating apps; recommended news articles; the cost of insurance; how police officers treat citizens; a candidate’s fitness for a new job; the ability to secure a loan. Algorithms make critical decisions about our lives; but when they become better known for their bias than for their business value, it can cause irreparable reputational damage—and draw the attention of regulators.
When we ask businesses to leverage data while also taking on the full risks and costs of storage, protection, and compliance, we risk creating barriers to entry that entrench incumbents and stifle competition. What we need are legislative and innovative solutions to help companies balance both the rewards and liabilities of data.
The financial services industry offers glimpses of a promising future. The UK Open Banking project and the EU’s Payment Services Directive 2 (PSD2) require banks to give third parties direct access to account information with the account holder’s permission. By opening up access to data, the financial industry has created a multibillion-dollar opportunity and spurred competition across the European fintech landscape.
In parallel, companies like Stripe are making it easier for small businesses to manage the liability of data. Stripe provides the technical and banking infrastructure for online payments so that businesses no longer need to manage and store that data themselves, nor do they have to bear the full burdens of compliance and security. Other industries can learn from fintech and aspire to similar innovations and competition-friendly data portability laws.

For nearly two decades, businesses have adhered to the mantra “the more data, the better.” But the constant stream of data breaches and data misuse provides a sobering reminder that the burden of more data can no longer be ignored. We are past the age of data as a zero-cost asset. The businesses that can’t keep up with the times risk becoming footnotes in the history of the internet.