As we approach the end of a year tarnished by customer data breaches across numerous verticals, consumers have never been more concerned about the use of their personal data. What’s more, consumers are beginning to truly understand the monetary value of their data – particularly those in the millennial demographic. As well as being more selective about who they share their data with, they are increasingly using their personal information to maximise bargaining power and obtain the best deals.
The significance of these trends is brought into sharp focus by the landmark passing of the General Data Protection Regulation (GDPR), which is set to come into force in May 2018. While transparency and accountability are implicitly required in current data laws, the more explicit GDPR will force businesses across all industries to tackle issues of data protection compliance and restoring customer trust over the coming months.
So – during a year that will undoubtedly be dominated by data regulation in the run up to the GDPR taking effect – how will businesses react to the change in legislation? And how can they continue to provide a seamless customer experience alongside their increased responsibilities in data privacy and security?
A Dell survey reveals fewer than one in three companies is prepared for the regulation today and fewer than half expect to be fully ready by 2018, so getting in shape for the GDPR will be challenging. But with non-compliance resulting in hefty fines of up to €20 million – or four per cent of global annual turnover if that is higher – it is no surprise businesses are taking the GDPR very seriously.
Some companies will descend into panic mode, believing a full rip and replace of their technology stack is necessary before the regulation comes into force, while more enlightened companies will realise that taking control of the data they collect and store is not about where that data is held but how it is actioned. By creating a data hub that bridges multiple data silos and provides a central point of activation for all data, businesses can make better use of their existing vendor technologies rather than creating a totally new system.
The following five steps will assist businesses in preparing for the GDPR over the year ahead, using their existing technology stacks:
Step 1: Audit data flows
An audit of existing technology vendors is the first step businesses should take to understand both who has access to the data they hold and where it is going. After identifying the vendors currently operating throughout the data flow – from initial collection to execution – businesses must review their contracts and policies, verify proper contacts, audit their technologies, and validate the access they have – minimising this where possible.
When this process is complete, businesses should remove any vendors who are no longer used or who cannot comply with GDPR requirements.
Step 2: Build a data inventory
The second stage in preparing for the GDPR is understanding what types of data are collected, such as customer, campaign, and enterprise data. As part of this process businesses must find out where data is stored and who has access to it, creating a data inventory. They may begin by determining what data is critical to run the business – from both an operational and marketing perspective – and then defining the sensitivity of that data. This process should include first-party data collected and owned by the company, controlled sharing of that first-party data as second-party data, and aggregation and selling of information as third-party data.
Step 3: Develop data usage controls
Once businesses understand the data they hold and what happens to it, they can begin building controls both internally and externally to ensure clear and precise notice of data use. This includes creating data governance policies and tests, and auditing internally to ensure compliance. Updating internal and external communications as well as implementing employee training across the business will assist greatly with this process.
Step 4: Appoint a data panel
To activate data controls and maintain processes, a data governance panel should be formed from across the company, including representatives from the technology, legal, and marketing teams. These representatives can work together to ensure best practices are adhered to when accessing, storing, or transmitting data, while at the same time driving marketing performance and optimal customer experiences.
Step 5: Ensure explicit consent
The GDPR requires businesses to provide clear and accurate notice of data usage and to obtain explicit consent from consumers, meaning they need to opt in to data collection, storage, and activation. Updating privacy policies to explain data usage is the first stage, followed by providing a clear means for opting in or out. Finally, businesses must implement processes that respect the consumer’s right to be forgotten, deleting all data linked to that consumer when asked to do so.
As the GDPR looms large, businesses may feel they have a long road ahead before they can fully comply, but the new regulation can be seen as an opportunity as well as a challenge. Consumers frequently view data collection practices with mistrust, feeling they only benefit the business itself, but the new regulation provides companies with the chance to demonstrate the data value exchange through the use of positive, immersive experiences. It will also allow businesses to illustrate how they are addressing privacy concerns, which may not in itself be enough to fully engage consumers but can go some way to improving customer loyalty and retention.
Data breaches are unlikely to become a thing of the past, even when the GDPR comes into play in 2018. But as long as businesses take steps to understand and audit their own data processes, as well as those of their vendors, we can look forward to a future where consumers have greater confidence in sharing their valuable personal data with trusted businesses.
Lindsay McEwan, VP & Managing Director EMEA at Tealium