Compliance with GDPR is not enough. We must aim higher


With the negative press around complex definitions and hefty fines for non-compliance it’s easy to lose sight of the true purpose of the General Data Protection Regulation (GDPR). Its goals are honourable – to force more accountability onto organisations that use personal data and give control over that data back to the individual owners. 

The GDPR provides a baseline for compliance – the bare minimum any business should be doing to safeguard the extremely valuable personal information it collects and holds. Businesses that choose to go above and beyond its requirements can use the opportunities it brings to gain a competitive advantage through increased consumer trust and loyalty, improved brand perception, greater efficiency in business practices, and more streamlined customer experiences, all ultimately having a beneficial impact on profitability.  

As businesses prepare for the imminent enforcement of the GDPR there are many ways to extend data governance strategies beyond mere compliance and reap the long-term rewards on offer. 

The GDPR states that businesses must have a valid lawful basis for processing personal data. Obtaining the data subject’s consent is one of the six bases it recognises. That may sound easy but, in reality, it is much more challenging.

Under the new regulation consent can’t simply be implied or inferred from a consumer’s actions; they must actively agree to data collection and processing with an affirmative and unambiguous action. When obtaining consent, businesses must clearly explain, in simple language rather than legalese, why data is being collected and what it will be used for, and the explanation must be sufficiently specific and detailed that the individual can make a fully informed decision. It must also be as easy to withdraw consent as it was to provide it in the first place. Some organisations, such as employers and public authorities, may be unable to rely on consent at all, because the imbalance of power between them and the individual means that consent cannot be freely given.

While this process may seem onerous, it demonstrates transparency to consumers and shows that their data privacy is being taken seriously. Research from the UK Information Commissioner’s Office (ICO) reveals only 20% of UK consumers currently trust companies to manage their personal data responsibly, with many concerned their information is used in unethical ways. However, businesses can do much to remedy this situation if consent mechanisms are used effectively to clarify data practices.    

Consent requests will strengthen brand image when consumers see companies taking their choices seriously rather than just presenting an intrusive tick-box exercise, as the Cookie Law has tended to do. Thoughtfully constructed consent notices can raise consumers’ awareness of how they can benefit from sharing personal information, perhaps through personalised offers or exclusive content. After all, they are just as much a marketing communication as any other piece of collateral or copy.

While the consent process may reduce the overall volume of data collected and processed it should increase data quality. According to the RSA Data Privacy & Security survey, 41% of consumers across Western Europe and the US intentionally provide false personal data when registering for products and services online. But if consumers know more about the reasons for data processing and give explicit consent, they are more likely to share accurate information. This is about more than marketing effectiveness: under the GDPR companies are under a stronger obligation to build mechanisms to assure the currency and accuracy of personal data under their control. 

As the ICO explains, “consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.” Although many businesses will be tempted to take a simpler path and rely on an alternative lawful basis, they may be forgoing a golden opportunity to create a “moment of trust” and build stronger relationships with their consumers.

Taking control of third-party relationships    

As well as considering how companies collect, process, and store personal data internally, the GDPR also compels businesses to take responsibility for how they share data with third parties, including making them liable for those third parties’ non-compliant data practices. When using consent as the legal basis for data collection and processing, companies must list all third-party vendors with whom data could be shared, and for what purpose. They must also allow consumers to give, withhold and withdraw consent on a case-by-case basis.

GDPR, at a minimum, requires businesses to identify the third parties they share data with and ensure contracts with those partners are GDPR compliant. This in itself may be a complex task, as two-thirds of companies in a Crownpeak survey believed there were likely to be unidentified, unmanaged third-party technologies operating on websites under their control.     

But to raise the bar beyond minimal compliance and maximise the GDPR opportunity, companies can go much further and perform a full review of the partners they work with, evaluating the level of data sensitivity involved, justifying the business purpose, and assessing the proportionality of the approach to the goal identified. By eliminating some third-party technologies operating on websites, for instance, organisations can reduce issues such as website latency that can have a detrimental impact on user experience, as well as limiting the risk of data leakage – both a compliance exposure and a competitive risk, given the huge interconnectedness of the ad-tech ecosystem.   

By implementing a full data governance strategy, with robust criteria for approved third-party vendors, businesses can not only comply with the GDPR, but also streamline and safeguard operations, improve efficiency and preserve competitive advantage. In addition, indemnification clauses may be added to third-party contracts, ensuring partners share in the financial risks associated with breaching the regulation and further encouraging them to remain compliant.    
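The survey finding above, that most companies expect unidentified third-party technologies to be running on their own websites, has a practical first check: inventory every host a page tells the browser to contact and compare it with the approved-vendor register. The script below is an added example for this article, not Crownpeak’s code. It parses a page’s HTML for every attribute that triggers a network request (script, iframe, image and form-action URLs among them), separates first-party from third-party hosts, and flags hosts whose domain is not on the approved list. The page, hostnames and vendor names are constructed for illustration, and the registrable-domain heuristic is deliberately simplified (a production tool would use the Public Suffix List).

```python
"""Inventory third-party hosts referenced by a web page and flag any that
are not on an approved-vendor list.

Added example, not Crownpeak's code. The HTML below is constructed for
illustration; the vendor names and hostnames are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser contact another host (and so can carry the
# user's IP address, cookies set on that host, and referrer data to it).
_RESOURCE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "form": ("action",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class _ResourceCollector(HTMLParser):
    """Collect every URL the page tells the browser to load or submit to.
    Inline event handlers and JavaScript-inserted tags are out of scope."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = _RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                # urljoin resolves relative and protocol-relative (//host/x) URLs
                self.urls.append(urljoin(self.page_url, value.strip()))


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Fine for .com/.example hosts; real
    tooling should use the Public Suffix List so that co.uk etc. work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def third_party_hosts(page_url, html):
    """Hostnames the page pulls resources from that are outside the page's
    own registrable domain."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    own = registrable_domain(urlsplit(page_url).hostname or "")
    hosts = set()
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data:, javascript:, mailto: contact no host
        if registrable_domain(parts.hostname) != own:
            hosts.add(parts.hostname.lower())
    return hosts


def unapproved_vendors(page_url, html, approved_domains):
    """Third-party hosts whose registrable domain is not in the vendor
    register. An empty result means every third party is accounted for."""
    approved = {d.lower() for d in approved_domains}
    return {
        h for h in third_party_hosts(page_url, html)
        if registrable_domain(h) not in approved
    }


# --- constructed sample page and vendor register -------------------------
SAMPLE_PAGE_URL = "https://www.example-retailer.com/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://tag.approved-analytics.example/collect.js"></script>
<script src="//cdn.unknown-adtech.example/pixel.js"></script>
</head><body>
<img src="https://static.example-retailer.com/logo.png">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://frames.unknown-adtech.example/retarget?uid=123"></iframe>
<form action="https://forms.partner-crm.example/submit"></form>
<a href="javascript:void(0)">skip</a>
</body></html>
"""
APPROVED = ["approved-analytics.example", "partner-crm.example"]

if __name__ == "__main__":
    for host in sorted(third_party_hosts(SAMPLE_PAGE_URL, SAMPLE_HTML)):
        print("third party:", host)
    for host in sorted(unapproved_vendors(SAMPLE_PAGE_URL, SAMPLE_HTML, APPROVED)):
        print("NOT IN VENDOR REGISTER:", host)
```

Run against the constructed page, the script reports two hosts under the unapproved ad-tech domain while treating the first-party CDN, the relative stylesheet and the `data:` image as in-house. Running it over crawled HTML of a real site gives the starting inventory for the contract review the article describes; tags injected at run time by other tags will only show up if the crawl captures the rendered DOM.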

Centralising and streamlining data   

To ensure compliance with the GDPR, all personal data that flows through a business must be identified and accounted for – where it comes from, where and how it is stored, and what it is used for. Businesses need to document data processing practices and ensure these have a legal basis.   

Despite the administrative burden involved, this minimal level of compliance can be achieved without dramatically reforming existing business processes. However, companies can gain far more by leveraging this opportunity to centralise and streamline data management operations. Data within an organisation is often held in silos, either by department or business application, leading not only to dramatically inefficient duplication but also fragmented, or even sometimes contradictory, customer interactions. By rationalising and orchestrating the collection and storage of information, so all data flows operate under a central governing premise, companies can create complete profiles that deliver a far deeper understanding of customers and can provide seamless holistic experiences. This doesn't have to mean pursuing the idea of a central repository containing all information; companies can leverage a wide variety of cataloguing and data mapping solutions to build a better virtual picture of the data they hold and how it is used.

With the GDPR guaranteeing a wide range of individual rights, such as the right of access (a statement of what data an organisation holds), the right to rectification, the right to erasure (the “right to be forgotten”), the right to restrict processing, the right to object and the right to data portability, businesses have a compelling imperative to establish internal processes to accommodate data subject requests. Fulfilling these requests will be far quicker and simpler if they invest in streamlining operations so that all personal information is centrally tracked. This is now even more important given the deadline the GDPR sets: requests must be answered without undue delay and in any event within one month, extendable by a further two months only for complex or numerous requests. Failure to take these challenges seriously also carries significant financial penalties, as infringements of data subjects’ rights fall into the top tier of GDPR sanctions.

As the GDPR’s 25th May 2018 deadline approaches, getting a good report card may seem the ultimate goal. However, smarter organisations will see this as a starting point for returning control of personal data to the individual and improving their relationship of trust in the process. To make the most of the opportunities the GDPR brings we must aim much higher than simple compliance. By paying attention to consent mechanisms, taking control of third-party relationships, and regaining control over internal data processes, businesses can gain competitive advantage through increased trust, efficiency, customer satisfaction and loyalty.

Adrian Newby, CTO at Crownpeak   

Image Credit: Docstockmedia / Shutterstock