By May 25, 2018 – less than 100 days away – any company doing business with subjects of the European Union must comply with the General Data Protection Regulation’s (GDPR) stringent rules or face fines up to 4% of revenue. Underpinning the regulation is the principle of “Privacy by design”, which means compliance cannot be an add-on but must be baked into the operational DNA of the organization. It is a process issue as much as a customer data one.
Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements. A recent survey by PwC revealed that 92% of U.S. multinational companies cite GDPR as their top priority and 9% are expecting to spend over $10m. This is a board level issue.
GDPR and recent data breaches have put data privacy in the spotlight. Organizations that move fast to demonstrate “privacy by design” will earn trust, confidence and deeper engagement with customers. For many companies GDPR compliance is not a choice. How they choose to turn it to their advantage is.
In detail
Background
By May 25, 2018, any company doing business with subjects (leads, customers, employees, suppliers) of the European Union must comply with the GDPR’s stringent rules or face fines up to 4% of revenue. Underpinning the regulation is the principle of “Privacy by design”, which means compliance cannot be an add-on but must be baked into the operational DNA of the organization.
GDPR – what is it?
The General Data Protection Regulation (GDPR) is the new data privacy regulation jointly proposed by the European Parliament, the Council of the European Union and the European Commission, aiming to “strengthen and unify” data protection laws for individuals within the European Union. GDPR consists of 99 Articles, plus 173 Recitals, which provide explanatory text to aid interpretation of the Articles. The new regulation replaces the old Data Protection Directive [95/46/EC], which has been in effect since 1995.
Who is affected by GDPR?
GDPR applies to organizations…
- Holding or processing personal data of subjects residing in the EU
- Offering goods or services to EU residents
- Monitoring behaviors of EU data subjects
The law applies to any company whose data processing concerns the personal data of EU data subjects, irrespective of where the company (whether processor or controller) is located.
The impact
The GDPR goes into effect in May 2018, but few businesses are ready and realization is setting in that:
- GDPR is real and not going away
- A wide range of stakeholders participate in GDPR compliance
- Privacy by design isn’t a one-off exercise
- Compliance requires understanding and control of data, processes and IT systems
- It is a huge task
A study carried out by Dell in 2016 revealed that over 80% of companies surveyed “know few details or nothing about GDPR,” and 97% had no plan to be ready for GDPR. Awareness is building, but there are fewer than 200 days to go. Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements. A recent survey by PwC revealed that 92% of U.S. multinational companies cite GDPR as their top priority and 9% are expecting to spend over $10m. This is a board level issue.
There are several myths or misunderstandings around GDPR:
- It only affects EU companies: Not true
- It is about securing and encrypting data: Not true
- Companies need to locate their data in the EU: Not true
The greatest barrier to taking action is that companies believe it doesn’t affect them, or that they will not be caught and fined. This misses the point. GDPR should be the catalyst to rethink your customer engagement strategy and build loyalty, which is a huge differentiator and competitive advantage.
Benefits not fines
Whilst fines of 4% of revenue focus the mind, there are huge benefits to be gained from transforming the way you handle customer data:
Reputation: Trust can disappear overnight with a data breach or reported misuse of personal information. Complying with GDPR can be used as a competitive differentiator and something to shout about, not just a way of saving you from becoming another data-breach statistic.
Data simplification: You must delete the personal data you don’t need or have no permission to hold. You may hold personal data only where you have a valid basis for it, and then only for a reasonable period; this applies to duplicated copies of that data as well. With less data that is more up-to-date and accurate you will see immediate savings. A survey showed staff spend 18% of their time looking for the right information and then confirming that it is correct.
Process improvement: GDPR impacts all customer-facing areas of your business and requires you to have documented and version controlled processes. Documenting processes drives improvements and quick wins. We typically see 25% improvements in productivity, and often more, when using a proven process mapping approach.
3 practical steps
Once you have assessed if you need to comply with GDPR there are 3 steps you need to take.
Job #1 – Develop & deploy operational processes: There are specific processes that need to be documented, understood and followed: obtaining opt-in consent, handling Subject Access Requests, and reporting data breaches.
Job #2 – Where is the Personal Data stored: You need to take an inventory of all your internal systems and build a data catalog of each system down to field level.
Job #3 – Get opt-in consent: You need to get opt-in consent from all your customers that is freely given, specific, informed and unambiguous. Delete any data for which you have neither consent nor another legal basis to hold it.
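As an added example of what Jobs #2 and #3 look like in practice (this is illustration code written for this page, not the article’s own material or any vendor’s tool), the script below builds a field-level personal-data catalog across two constructed in-memory “systems” and then lists records that hold personal data without a recorded lawful basis. The system names, the sample rows, the `LEGAL_BASIS` register and the field-name hints are all assumptions made for the demonstration; a real inventory would read schemas and samples from the actual databases and a consent store.

```python
"""Field-level personal-data catalog (added example, not part of the original article).

Assumptions (constructed for illustration): two internal systems are represented
as in-memory tables of dict rows, and a consent/legal-basis register maps subject
ids to the basis on which their data is held.
"""
import re
from collections import defaultdict

# Constructed sample data: a CRM and a marketing tool, each with a few records.
SYSTEMS = {
    "crm": [
        {"id": 1, "full_name": "Ann Example", "email": "ann@example.org",
         "phone": "+44 20 7946 0000", "plan": "gold"},
        {"id": 2, "full_name": "Bo Sample", "email": "bo@example.net",
         "phone": "+33 1 23 45 67 89", "plan": "free"},
    ],
    "marketing": [
        {"id": 1, "contact": "ann@example.org", "last_ip": "192.0.2.10", "campaign": "spring"},
        {"id": 3, "contact": "cy@example.com", "last_ip": "198.51.100.7", "campaign": "spring"},
    ],
}

# Constructed consent/legal-basis register keyed by subject id (subject 3 has none).
LEGAL_BASIS = {1: "consent", 2: "contract"}

# Value patterns that indicate a column holds personal data.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\+?[\d\s()-]{7,}$"),
    "ip_address": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
}
# Column-name hints for categories that cannot be recognised from value shape alone.
NAME_HINTS = {"name": "name", "full_name": "name", "surname": "name", "dob": "date_of_birth"}


def classify_field(name, values):
    """Return a personal-data category for a column, or None if it looks non-personal."""
    if name in NAME_HINTS:
        return NAME_HINTS[name]
    strings = [v for v in values if isinstance(v, str) and v]
    if not strings:
        return None
    # Every sampled value must match before the column is labelled, to limit false positives.
    for category, pattern in PATTERNS.items():
        if all(pattern.match(v) for v in strings):
            return category
    return None


def build_catalog(systems):
    """Map each system to {field: category} for every field flagged as personal data."""
    catalog = {}
    for system, rows in systems.items():
        fields = defaultdict(list)
        for row in rows:
            for column, value in row.items():
                fields[column].append(value)
        catalog[system] = {
            f: c for f, vals in fields.items() if (c := classify_field(f, vals))
        }
    return catalog


def records_without_basis(systems, legal_basis, id_field="id"):
    """List (system, id) pairs that hold personal data with no recorded lawful basis."""
    catalog = build_catalog(systems)
    flagged = []
    for system, rows in systems.items():
        if not catalog.get(system):      # system holds no personal data at all
            continue
        for row in rows:
            if row.get(id_field) not in legal_basis:
                flagged.append((system, row[id_field]))
    return flagged


if __name__ == "__main__":
    for system, fields in build_catalog(SYSTEMS).items():
        print(f"{system}: {fields}")
    print("records with no lawful basis:", records_without_basis(SYSTEMS, LEGAL_BASIS))
```

The catalog is keyed by system and then by column, which is the "down to field level" view Job #2 asks for; the second function joins that view against the legal-basis register so the deletion decision in Job #3 is driven by data rather than by memory.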
The Final Word
GDPR and recent data breaches have put data privacy in the spotlight. Organizations that move fast to demonstrate “privacy by design” will earn trust, confidence and deeper engagement with customers. For many companies GDPR compliance is not a choice. How they choose to turn it to their advantage is.