Play the long game with GDPR

by Dr. Gero Decker, CEO and founder of Signavio

After more than a decade of speculation and two years of stark warnings, the EU’s General Data Protection Regulation – commonly known as GDPR – finally came into effect on 25th May. But firms are still grappling to achieve compliance, with 40 per cent of executives still not fully aware of what is expected of them, according to a report by consultancy EY.

Complaints worth €6 billion in fines have already been filed against large organisations over how they held consumer data after GDPR came into effect. Despite months of scaremongering, it is not too late to make sure you’re GDPR compliant, even though the deadline has passed.

When approaching GDPR, some firms are treating the regulation as a last-minute checklist, simply ticking off the minimum compliance needed to avoid fines. The problem with this approach is that it lacks sustainability, which is one of the most significant challenges in the post-GDPR era we find ourselves in.

Instead, businesses need to be asking how they can keep their heads above water long-term, which requires having a forward-looking approach through collaboration rather than rushing to the finish line.

Rather than viewing GDPR as a hurdle to overcome, businesses need to recognise the opportunities it presents – for instance, it enables firms to find out how data best fits into the customer journey. It’s important to understand where the data sits in your company, how it is used and the controls in place to mitigate the risk of not adhering to regulations.

It’s no secret that data unlocks a wealth of knowledge for companies looking to offer a bespoke customer experience. While the concept of ‘B2C’ still exists, there is now ‘B2Me’, which requires companies to think about how they can mine the data that gives the insights needed to create a truly personalised customer experience.

But under GDPR, customer data must be handled with care and transparency, showing the customer the value of using their data. Customers are more empowered under GDPR, having more control of their data, so it is vital that companies are seen to be using data in a way which benefits the end-customer.

The first step that businesses need to take is to ensure that all customer data is being properly stored, processed and analysed, as GDPR requires companies to keep records of where personal data has come from and who it is shared with.

Having a map of the different customer touch points and aligning these with the back-office processes involved will give employees the visibility to identify whether data is sensitive or personal and whether the controls are in place to mitigate the risks involved.

Another important change under the new regulation is the requirement that consent be explicit. This enables staff dealing with customer consent to create and streamline these processes based on their own experience, which will help to increase transparency and effectiveness.

While ensuring compliance is all well and good, it is only as useful as your ability to prove you are compliant. In the case of regulators requesting access to see how you manage the compliance process, you need to be able to prove that you are acting with due diligence and that all parties involved have broad visibility. If businesses are unable to prove this, they risk incurring fines.

However, the proliferation of data makes it extremely challenging to keep track of the compliance process manually. In order to mitigate this, many organisations are turning to technology to map out processes which provide visibility of where the data is, how it’s being used, and the risks and controls in place.

Automating documentation of the processes significantly reduces the risk of error and the possibility of non-compliant behaviour. In turn, this ensures that the decision-making process is accurately and appropriately tracked and recorded.

Businesses must also be cognisant of the risk of heavy fines if they do not comply with their obligations in the event of a personal data breach. Data controllers must notify their relevant supervisory authority within 72 hours, with a failure to notify resulting in fines of up to €10 million.

According to PwC, fines in response to data breaches have dramatically increased by almost £1m in comparison to the previous year, and are expected to rise exponentially now that GDPR has been implemented. In order to avoid the repercussions, a breach response needs to be modelled in advance, with step-by-step guidance so that employees can act quickly and appropriately.

In order to operate successfully in a post-GDPR world, businesses need to take a holistic approach by bridging the gap between customer experience and operations. Businesses need to align their operations with the customer journey as they map out existing processes, which in turn allows them to embed regulatory compliance into their systems.

Furthermore, it’s crucial that broad-based visibility is achieved within the organisation, where all employees adopt a collaborative approach and take ownership of compliance.