A good place to start any discussion about the General Data Protection Regulation (GDPR) is an appreciation of the difference between security and privacy. Both are integral to the legislation. A simple interpretation is that privacy relates to what and why data should be collected and kept in the first place. Security concerns keeping what is stored safe.
Why make this distinction? If you believe the GDPR is just a security issue, then you probably believe there is a technical solution and that it falls within the remit of the IT, compliance or security departments. There is no purely technical solution to the GDPR. One of the biggest challenges it poses to organisations is the breadth of areas it covers, and therefore the number of departments and people potentially affected.
A change in mindset will be needed for many people, as customer data is often viewed as belonging to the business once it has been collected or bought. In a GDPR world, it may be more useful for organisations to see themselves as guardians of that data. Legally you remain the ‘controller’ of the data you hold, and you must keep it safe and secure, but it is the individual (the ‘data subject’) who holds the rights over it: the right to access it, to have it corrected, to have it erased, and to have it moved to another provider in an agreed format.
As such, the way we traditionally view data may have to adjust. For some this is a profound change; for others it is simply good customer service, which requires good quality customer data that is accurate and fairly obtained. It also means you are not analysing bad, inaccurate data or annoying potential customers with marketing material they don’t want, all of which wastes companies’ money in the short or long term.
There are seven principles incorporated into the GDPR. Personal data must be:

| # | Principle | Domain |
|---|---|---|
| 1 | Processed fairly, lawfully and in a transparent manner | Privacy |
| 2 | Collected for specified, explicit and legitimate purposes | Privacy |
| 3 | Adequate, relevant and limited to what is necessary for the purpose | Privacy |
| 4 | Accurate and kept up to date | Privacy |
| 5 | Not kept for longer than necessary | Privacy |
| 6 | Kept secure, maintaining integrity and confidentiality | Security |
| 7 | Processed by a controller who is able to demonstrate compliance (accountability) | Privacy |
Security is a vital part of the new rules, and concepts such as privacy by design also imply security by design. No one can really argue against the above principles – they are all what you would expect to happen to your data when you entrust it to someone else. These principles are effectively the basics of good information governance. They are the minimum of what you should be doing now.
It is, however, reasonable to assume some organisations are not doing it, otherwise no one would be concerned about the impact of the GDPR. Either the attention has gone elsewhere, or the alternative is that organisations don’t really care about their customers’ information.
This is where the opportunities of the GDPR need to be considered. Thinking from a customer experience point of view, you are more likely to retain customers if you have accurate data, which they can access and check, or even erase if they want to. Another opportunity is for businesses to review processes that have often grown organically over many years, and see how information flows through the organisation. It could be a catalyst for efficiency improvements or departments working more closely together. Certainly, marketing and IT may find having to come up with solutions to manage consent and track customer preferences inevitably brings them closer together.
A long-standing gripe from IT departments is the proliferation of shadow IT, especially in areas such as marketing. An ongoing training programme to help educate the whole company about data privacy and security could help manage potential personal data being accessed or stored in ways it should not be.
The European Commission is also aiming to adopt the new ePrivacy Regulation at the same time as the GDPR comes into force in May next year (25 May 2018). This would potentially bring ‘over the top’ (OTT) services, cookies and direct marketing through electronic communications into the scope of specific regulations. This reinforces the notion that IT and marketing are going to have to learn more about each other’s work and skills while considering the privacy of personal data.
One of the key challenges of the new rules will be providing evidence of your practices and processes: how are you going to track who has given what consent, when, how, and what information they were given at the time? It may be common practice now for marketing to buy in a list of targeted customers. The provenance of this information is often not checked and the assumption is made that it comes from a reliable source. This is already proving inadequate under current legislation, for example when lists are not cross-checked against the Telephone Preference Service (TPS).
The extraterritorial nature of the GDPR means it applies to the personal data of individuals in the EU no matter where the organisation processing it is located. However, enforcing the rules in some jurisdictions could be a challenge for any data protection authority. An organisation simply ignoring a sanction, or failing to cooperate in an investigation, would be difficult for an authority with little if any local physical presence to overcome. Certainly, it is unlikely any 72-hour breach notification would be made in this situation. As a result, an organisation based in the EEA or the UK could be seen as having an advantage if customers want the extra reassurance that brings.
Some of the most complex challenges are those such as complying with the right to erasure. Firstly, you have to know what data you have and where it is, and have the processes in place to erase it – not to mention having someone to actually do it if it is not automated – all while complying with other regulations, e.g. keeping financial records. It may turn out that very few customers actually invoke rights such as the one to data portability in the short term. But the cost of meeting even a few requests could be relatively high, which means the earlier you can build this into your systems and processes, the better.
A vital area not to forget is the data beyond your organisation’s walls, i.e. knowing where data has come from and where it is going, especially if it involves third parties or subcontractors, or even the cloud-based systems they are using in turn. A pragmatic but well-documented and thought-through policy in this area is essential.
The GDPR means digging deep into organisations’ systems and processes, as well as going across departments or divisions. It will raise many questions and challenges, leading to a better understanding of the information flowing through the organisation. On the whole, this is no bad thing. Trying to amass everything that comes in and keeping it forever is not the best data management strategy: it involves too many costs and risks. Regarding the GDPR as a customer data programme that can potentially add value, instead of a technical security problem, is sensible.