The 25th of May 2018 has come and gone, and the General Data Protection Regulation (GDPR) is now official. In this blog post we'll share a few insights into what you as a business should—and should not—do, in the wake of the GDPR.
The rights associated with the GDPR that individuals can now exercise mean that your business is obligated to provide consumers with certain information. You have to give them information about the period and purpose of their data processing. You also have to perform actions on their behalf if required, such as moving data to other organizations, completing or correcting details on customer profiles, and even deleting contacts. And, all of this must be done free of charge for the individual.
Instead of seeing them as inconvenient duties, view these as services you provide to your customers and prospects—services that, so far, differentiate you from non-GDPR-compliant businesses. And, like any other customer service you provide, do it with a smile.
By now you (hopefully) have the systems and processes in place that are required by the GDPR. But, there’s still a task that awaits most companies: changing how you and everyone in your organization view your personal data. In fact, the “your” in the last sentence is exactly what needs to change. The personal data that the GDPR was set out to protect is no longer yours. It belongs to the related individual. You’re merely borrowing it to deliver a service or a product, and so need to treat it with the respect it deserves. The change management perspective of this thinking should not be underestimated. So, if you haven’t already started internal campaigns around this, start now.
The GDPR needs to be an integral part of how you do business now. With every new project, initiative and system you launch, you need to put on your "data protection glasses" right from the start. Ask yourself:
How are we constantly training our employees to handle personal data?
How do we cope with onboarding personal data into our enterprise systems?
How are we internally communicating the importance of protecting personal data?
How do we cope with personal data in contracts moving forward?
Just because your business is GDPR-compliant does not mean that you can lean back and expect all your data issues to be solved, and the affected data kept safe. Data breaches will continue to happen. New regulations will at some point occur as data usage evolves even further. Consumers will develop new expectations above and beyond the GDPR as soon as the protection level required by the GDPR becomes the norm.
So, you might as well prepare for all these things and be proactive instead of reactive. Make sure you have a clear and relevant data breach communication and action plan ready. Keep on educating yourself on the data protection market evolvement, and make sure investment willingness is in place as this is an area that will only continue to gain more importance.
Although GDPR deadline is past due, far from all companies that need to be are compliant. But, that doesn’t mean they should give up. As we see fines starting to mount, don’t panic; just keep on going and start changing your processes, systems, communication, etc., one step at a time.
The one thing that will put you right in the spotlight of the European Commission is if you fail to deliver on the rights that individuals may exercise towards you. Consumers can formally complain about you if they feel you are failing to protect their personal data. And, if found that you aren’t GDPR-compliant, you risk a fine as big as up to 20 Million Euros or 4% of your annual turnover. So, even if you and your employees are crazy-busy doing other stuff, do not ignore a single personal data request from a consumer. Prioritize the resources it takes to deliver what is asked for, even if it costs you—because, if you don’t, it might end up costing you a lot more.
The consent aspect of the GDPR is probably where most businesses are hesitant, simply because it can potentially cost them a big chunk of their customer and/or prospect database. Legally, you now have to have action-based, purpose-specific consent to collect and process someone’s data, forcing companies to re-ask their entire database for their consent. Not getting it means that they have to erase the related data, scaring many companies away from doing so. But, it shouldn’t. Instead, view it as a way to clean up your contacts and only keep the ones that actually wish to receive marketing and communication from you. Don’t be afraid to delete data from those not interested. If they’re not even interested in receiving relevant emails from you, chances are they’re not going to buy from you anytime soon.
Just because you have changed your business ways in regard to collecting, processing and storing personal data, you shouldn’t change everything else. Don’t stop sharing data with third parties if that has proven a success for you earlier. Just make sure your partners are GDPR-compliant as well. Don’t give up on trying to create personalized customer experiences because there are limitations to the data you can collect. In fact, try harder. Don’t let the GDPR be a barricade for innovation and creative thinking. Think GDPR into your creative processes, and let it be an enabler, not a barrier.