Statistically speaking, Friday marks the preferred day in the week for most working people.
For most, it’s the final nail in the coffin of the working week, and the first opportunity to let your hair down, relax and perhaps engage in a couple of days of overindulgence. Unless of course this particular Friday is the 25th of May 2018 ...
… does it ring any bells? If not, it should, because it’s a Friday unlike any other in the history of data management, and here’s why.
Friday 25th May marks the day on which the GDPR (General Data Protection Regulation) becomes enforceable across the EU.
It is the first Friday on which organizations like yours run the risk of being fined up to €20 million or 4% of global annual turnover, whichever is higher. Not exactly small change.
We’ve talked at length about what rules the GDPR comprises and how you can go about mitigating the risk (you can read more here: dealingwithgdpr.stibosystems.com), but ultimately, experience counts, and often it helps to hear from industry experts who are at the forefront of such disruptive change.
And so, we asked one of our own experts on the subject, Ditte Brix Andersen, to provide the answers to four questions that frequently pop up every time she speaks to organizations about this subject.
1. What are the main challenges associated with complying with the GDPR?
In our experience, the biggest challenge to achieving compliance with the GDPR is the basic, but thorough, groundwork that is needed in advance – and this centers around the data clean-up.
To live out the GDPR’s principles, the first thing organizations need to be able to do is locate, then link, manage, and maintain all the personal data being held - as well as any information that relates to it. This is a challenge that has been consistent with each client we have worked with.
Organizations need the processes around this data to run smoothly in order to exercise new consumer rights such as “The Right to Be Forgotten”, to inform individuals about what types of data they hold on them and for how long it has been held, and to be able to manage purpose-specific consents.
It may sound like a simple task, but for the vast majority of organizations, this represents a significant challenge as they simply do not have the kind of systems and workflows needed to manage compliance.
We know employees spend an incredible amount of time just locating data; as a result, we often hear stories of poor customer experiences because of inadequate data quality caused by information silos and disconnected systems.
Linking those systems, locating and cleansing the data and setting up a data governance framework to keep the data quality high is going to be a major challenge for many organizations.
2. Why do organizations outside of the European Union need to focus on these regulations?
First of all, it’s important that every organization, European or not, understands that it may also fall under the GDPR’s requirements - even if it is not located in the European Union. In fact, non-EU companies serving European customers risk being fined or suffering reputational damage in the same way as any EU-located company.
Secondly, several experts predict that it is very likely that other regions will follow the EU’s lead in the near future and introduce stricter personal data regulations mirroring those of the GDPR. Being GDPR compliant would give these organizations a head start, in addition to all the other benefits that come with an effective data setup. Sound data management makes sense whichever way you come at it.
Thirdly, as the GDPR sets in, it is expected that data protection will present a significant competitive advantage. In today’s globalized market, consumers are more likely to buy from a company that delivers the goods or services they order on time and precisely as requested, and in addition does its very best to protect their personal data. From a competitive point of view, it will be a strategic advantage for non-EU organizations to follow in the steps of EU companies in terms of protecting personal data and offering personal data ‘services’ that match the new rights that comprise the GDPR.
3. What are the strategies that organizations should implement to come into compliance with the GDPR by May of 2018 – and beyond?
First of all, you should not view the GDPR as merely an add-on task – something that the IT department or one GDPR person can resolve. It is a business task, and it should be communicated as such, meaning organization-wide. The goal is to make every single person in the company understand the importance and value of taking proper care of an individual’s personal information, because only with this level of buy-in can you hope to become and remain GDPR compliant.
A simple principle to follow is that you should think about how you can manage and protect personal data when it comes to any business activity. With every new product, marketing initiative, and strategy you need to ask:
- How does this relate to personal data?
- Have we taken the necessary steps to establish the proper processes to protect personal data in each activity?
The bottom line is that data protection needs to be an integral part of day-to-day business.
On a general data management level, we advise all our clients to clean up their customer data by undertaking ‘identity resolution’ - a data management process in which an individual is identified across disparate data sets and databases, and the matching records are merged into one central profile that displays the most valid and up-to-date information. This is the first step to manageable data governance.
This data then needs to be linked to different processes, e.g. newsletter subscriptions, online purchase histories, and campaign cookies as per the new consent requirements.
You also need to match and link this with the data categories relevant to them. For example, if an individual has consented to receive a newsletter, you need their name and email address linked to the consent and the customer profile - this will help you document what you use the data for.
Finally, you need to set up a strong data governance framework that clearly defines who has access to what data and who has which responsibilities, and more. (We talk more about these steps in this blog post: Solved! 4 Biggest Personal Data Challenges of the General Data Protection Regulation)
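The identity resolution and consent-linking steps described in this answer, as an added worked example (this is illustrative code written for this page, not Stibo Systems’ software or the interviewee’s own material). It assumes three hypothetical source systems (a CRM, a newsletter tool and a web shop) with constructed sample records; the field names, the purpose-to-data-category mapping and the Danish phone normalization are all assumptions made for the illustration.

```python
"""Identity resolution across disparate source systems, then linking
purpose-specific consents to the resolved profile.

All records, consents and system names below are constructed for this
example; they do not come from the original article.
"""
import re
from collections import defaultdict

# Constructed sample records from three hypothetical systems. The same
# person appears three times with inconsistent formatting.
SOURCE_RECORDS = [
    {"source": "crm", "id": "C-100", "name": "Anna Jensen",
     "email": "Anna.Jensen@Example.com", "phone": "+45 12 34 56 78",
     "updated": "2018-01-10"},
    {"source": "newsletter", "id": "N-7", "name": "A. Jensen",
     "email": "anna.jensen@example.com ", "phone": None,
     "updated": "2018-03-02"},
    {"source": "webshop", "id": "W-55", "name": "Anna Jensen-Holm",
     "email": "a.jensen@other.example", "phone": "12345678",
     "updated": "2018-04-15"},
    {"source": "crm", "id": "C-200", "name": "Bo Larsen",
     "email": "bo@example.org", "phone": None, "updated": "2017-11-30"},
]

# Constructed consents, each recorded against the source record it was given in.
CONSENTS = [
    {"source": "newsletter", "id": "N-7", "purpose": "newsletter", "granted": True},
    {"source": "webshop", "id": "W-55", "purpose": "order_fulfilment", "granted": True},
    {"source": "crm", "id": "C-200", "purpose": "newsletter", "granted": False},
]

# Data categories each purpose may use (assumed mapping for illustration).
PURPOSE_CATEGORIES = {
    "newsletter": ("name", "email"),
    "order_fulfilment": ("name", "email", "phone"),
}


def normalize_email(value):
    return (value.strip().lower() or None) if value else None


def normalize_phone(value):
    """Digits only; drop a leading +45 country code (assumption: Danish numbers)."""
    if not value:
        return None
    digits = re.sub(r"\D", "", value)
    if digits.startswith("45") and len(digits) == 10:
        digits = digits[2:]
    return digits or None


def resolve_profiles(records):
    """Group records sharing a normalized e-mail or phone (transitively, via
    union-find) and build one profile per group, taking the newest non-empty
    value for each field."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    seen = {}  # normalized identifier -> first record index that carried it
    for i, rec in enumerate(records):
        for key in (normalize_email(rec["email"]), normalize_phone(rec["phone"])):
            if key is None:
                continue
            if key in seen:
                parent[find(i)] = find(seen[key])
            else:
                seen[key] = i

    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec)

    profiles = {}
    for n, members in enumerate(groups.values(), start=1):
        newest_first = sorted(members, key=lambda r: r["updated"], reverse=True)
        profile = {"profile_id": f"P{n}",
                   "sources": {(r["source"], r["id"]) for r in members}}
        for field in ("name", "email", "phone"):
            profile[field] = next((r[field].strip() for r in newest_first if r[field]), None)
        profile["known_emails"] = {normalize_email(r["email"]) for r in members if r["email"]}
        profiles[profile["profile_id"]] = profile
    return profiles


def link_consents(profiles, consents):
    """Attach each consent to the profile that owns the source record it was given in."""
    owner = {src: pid for pid, p in profiles.items() for src in p["sources"]}
    linked = defaultdict(list)
    for c in consents:
        pid = owner.get((c["source"], c["id"]))
        if pid is None:
            raise LookupError(f"consent refers to unknown record {c['source']}/{c['id']}")
        linked[pid].append(c)
    return dict(linked)


def data_used_for(profile, profile_consents):
    """Document which data categories are used under each granted purpose."""
    return {c["purpose"]: {f: profile[f] for f in PURPOSE_CATEGORIES[c["purpose"]]
                           if profile[f] is not None}
            for c in profile_consents if c["granted"]}


def erase_profile(profiles, linked, profile_id):
    """Right to be forgotten: drop the profile and its consents, and return the
    source records that must be purged in the originating systems."""
    profile = profiles.pop(profile_id)
    linked.pop(profile_id, None)
    return sorted(profile["sources"])


if __name__ == "__main__":
    profiles = resolve_profiles(SOURCE_RECORDS)
    linked = link_consents(profiles, CONSENTS)
    for pid, p in profiles.items():
        print(pid, p["name"], sorted(p["sources"]), data_used_for(p, linked.get(pid, [])))
    print("purge:", erase_profile(profiles, linked, "P1"))
```

Matching on a shared phone number is deliberately aggressive here so that the three Anna records collapse into one profile; in production a household landline or a shared office number would wrongly merge two people, so a real deployment would weight match rules and route low-confidence merges to a data steward rather than merging automatically.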
4. Can organizations use the GDPR compliance as a springboard into more effective overall data governance and security practices?
The short answer is: yes! They not only can, they should. Without a doubt, the GDPR represents a unique chance to give your databases and data processes a clean-up to help organize your data more efficiently and set up long-term processes so it delivers the highest possible value. (Learn more about this approach in the blog post: Preparing for GDPR – Burden or Opportunity?)
The GDPR should be viewed as a unique opportunity to turn your customer data, which may be spread around the business in different systems and departments and, I hate to say, in an Excel file on someone’s computer, into revenue-generating assets.
And it’s not just customer data that has such potential. You can get tremendous value out of all kinds of data, such as product data, location data and asset data, if you can really get to grips with it and master it.