The countdown to the European Union General Data Protection Regulation, more commonly known as the GDPR, is well under way. In less than a year, businesses will risk falling foul of new rules and potential fines that could run into the tens of millions.
From next May the GDPR will fundamentally change how businesses use data. But whilst the finishing line for compliance is set, 25 May 2018 is really just the starting point for forward-thinking enterprises.
With control over personal data a major issue for consumers, organisations should see the GDPR as a catalyst for wider improvement in customer engagement – and brands able to manage that concern will be the ones that turn turmoil into triumph.
With that opportunity in mind, here we look at the implications of the GDPR for business leaders, and how they can leverage the regulations to build trust with consumers.
What is the GDPR and why must it be on your radar?
The GDPR is intended to create a single law on data protection. Not only will it affect businesses located in Europe, but also those with customers, partners or employees in the European Union.
There are no grace periods for the GDPR, which means all organisations must be fully compliant by 25 May 2018.
Improving the quality and compliance of customer data requires a company-wide approach that starts at the top, with input needed from a multitude of departments. IT professionals have a critical role in compliance, particularly when it comes to sourcing technical solutions to the more challenging aspects of the new regulations.
Cost and risk to your business
Under the current regulations businesses face a relatively modest maximum fine of £500,000 for breaching data protection law. As of next May, this will rise to an eye-watering 20 million euros or 4% of turnover, whichever is greater.
And it’s not just the fines that are getting more severe – one of the key impacts of the GDPR for IT professionals will be the obligation to report personal data breaches within just 72 hours to both the regulator and the customer.
With Cisco’s annual cybersecurity report estimating that today’s average large enterprise can face as many as 70,000 security events per week, the risk of incurring severe penalties is very high unless proper measures are put in place.
Implications on customer engagement
Under the GDPR, power will be placed firmly back into the hands of the consumer. For businesses, this means no more pre-ticked boxes, no silence as consent, and no inactivity as consent. But what are the implications of this for companies and their customers?
Active consent: Companies must obtain active consent when collecting personal data, ensuring customers understand how their data is being used and how long it will be kept.
Opt-out: Businesses must make it equally easy for customers to withdraw consent. If they choose to opt out of marketing activities, such activities must stop immediately.
The right to be forgotten: If a customer leaves they can request that all their data is erased – no more retargeting.
Profiling: Customers will also have the right to opt out of automated profiling, and businesses will have to be completely transparent about how their data is being used.
Data portability: If requested, customers must be able to receive a copy of their personal data in a machine-readable format.
In instances of omnichannel communication, adherence to the GDPR becomes more complex. So how can businesses prepare?
Practical measures to prepare for the GDPR
Establish a data compliance programme
Although there are still a number of grey areas, organisations can make enough reasonable assumptions to implement a comprehensive data compliance programme for the GDPR.
1. Create a project team with executive leadership and stakeholder cooperation.
2. Assess areas of risk with a data audit to reveal non-compliant processes.
3. Agree a strategy considering time and resource constraints, focusing on core business functions that will be negatively impacted by the GDPR.
4. Implement changes in a logical manner, applying the same best practice you use to develop new products and services.
5. Establish an effective information governance framework to manage risk.
Map all incoming data flows
As well as being a legal requirement under the GDPR, mapping all incoming data flows is an essential practical step to help businesses identify gaps in current compliance.
From next May, if a customer objects to receiving communication then the organisation must prove that consent was actively given; all personal data must have an audit trail showing time stamps and full details of their opt-in.
By mapping data flows, businesses can see how data is managed and cleansed at all touchpoints, ensuring auditable compliance across all communication channels – this is particularly important to marketing departments.
Appoint a Data Protection Officer (DPO)
Under the GDPR, businesses processing sensitive personal data or regularly monitoring personal information on a large scale are required to appoint a Data Protection Officer (DPO). Organisations not subject to this legal requirement may also want to consider appointing one as best practice.
Bear in mind that a member of the IT team cannot be appointed as DPO and retain their existing responsibilities, as it creates a conflict of interest.
Leverage the GDPR as demonstrable customer commitment
Businesses that look at the GDPR as a burden are missing out on an opportunity to differentiate themselves from others in their space. In its recent State of European Data Privacy survey, Symantec found that only 26% of businesses believe they are ready for the GDPR.
By taking a proactive approach to the regulations, companies can leverage them as a point of difference in how they interact with their customers; control over personal data is a major issue for customers, and establishing a comprehensive data compliance programme signals the importance placed on the security of their data.
With a very real risk of losing 4% of business revenue under the new legislation, there’s a greater case than ever for investing into technology and internal processes to prepare for the GDPR and, perhaps more importantly, beyond.
If you would like to know more about how GDPR will impact your business and how you can prepare for the regulation being enforced, contact IMImobile at firstname.lastname@example.org.