Data protection is getting serious this year: when the EU’s General Data Protection Regulation comes into force in May 2018, consumers will be given stronger protection when it comes to the processing of their personal data. However, a recent study stated that only 15% of organisations surveyed will be compliant with the GDPR.
This should be a familiar story by now. The level of preparedness of businesses to comply with the requirements of the new law has been the subject of a wider discussion across Europe, the UK and the US - the markets which will be most directly affected by the GDPR. As we look to the year ahead, though, and examine the landscape around this new legislation, there’s one obvious area of uncharted territory that almost no company or organisation is ready for: the empowered consumer.
GDPR is not only about complying with the new rules designed to give consumers more control, it’s also about adapting to behavioural changes in society at large. As soon as the new reality has had time to sink in, we can expect significant changes in the way consumers react to certain situations in the short term and in their long-term expectations towards the brands they do business with.
For instance, from late spring, the impact of data breaches is likely to shift dramatically as the considerable powers over personal data granted to 500 million EU citizens will be flexed and felt by organisations globally. In addition to dealing with the consequences of a cyberattack, businesses will also need to deal with a flood of Data Subject Access Requests (DSARs) – and most likely fail to do so in a timely manner. An organisation with millions of customers that is found to have mismanaged personal data could face hundreds of thousands of requests from concerned customers within a few weeks. This poses a major technical challenge to any organisation. The GDPR allows for a 30-day window to reply to DSARs in full. And this is just the start: customer requests may be combined with the right to have personal data available in an electronic format to enable switching providers more easily and, if they so wish, for the data to subsequently be erased.
In fact, many of the principles enshrined in the EU’s legislation have required compliance for many years, and a few notable companies have faced enforcement measures and fines from regulators. Typically, the enforcement action has followed a highly publicised data breach, often affecting millions of customers or citizens. If proof is needed for the behaviour that can be expected from empowered consumers once the law is on their side, look at any of the UK banks that have had to address issues with the mis-selling of Payment Protection Insurance, which has prompted many thousands of data requests each year. The experience has allowed these banks to gain an understanding of how to respond effectively to ongoing customer requests on a large scale. In anticipation of the changes to come, it is certainly true that many large organisations have teams working at full tilt across the entire business, addressing the different requirements and obligations that the new law either establishes or extends from previous data protection legislation. The important question that remains to be answered, however, is whether they’ll be ready for their newly empowered consumers.
What’s really at stake for businesses now is consumer trust; a powerful asset that can decide the continued success (or otherwise) of brands. Boards and executives of companies, having focused years of effort building brand reputation, need to consider how the relationship with customers old and new is set to shift once awareness of an extensive set of rights turns into an expectation; one that is shaped by competitors that were quicker to consider customer data as a shared asset. So far, there has been little recognition of the realities that lie behind lengthy terms and conditions that are rarely read and even less understood: the data produced through the use of apps and the web, combined with the associated metadata, has been willingly shared in a supposed ‘value exchange’ that in reality has only served the immediate needs of users. The recipients of this data have built warehouses to store it, and have gone on to create great lakes of data with business models built around demographics and segmentation to deliver new lines of revenue.
Along with the growing number of apps on everyone’s devices, awareness of the value of the insights provided with each click and tap has increased over time. In the Connected Society, everyone is supporting each other through recommendation engines, letting others know what they like and what other people with similar preferences have liked and bought. With instant visibility of reviews and reputation, consumers are determining rapidly what serves their specific requirements. Behind every choice, every interaction, and every transaction, companies gain a clearer view of likes, dislikes, behaviours and habits - while it is a partial view in some cases, in others it is a much more complete 360° view of every conceivable interest posted online. As a result, the powerful ‘Market of One’ is born within the Connected Society.
It's true that there is currently a value exchange; however, the benefits accrued by companies were far more one-sided in 2017. In 2018, the leaders who are defining new business strategies and their fast followers are working to maintain all the value of information gathered through personalised customer experience, just with a new component in their data model - consent. This introduces a clear line of sight between the customer and the company - one that is dynamically controlled by an individual and full of contextual opportunities for a company to invoke greater trust and deeper engagement through an ongoing dialogue about shared data assets.
First movers looking for an advantage must treat Privacy as part of their business strategy - from product inception to customer experience. Beyond compliance, there is additional value to be found here: in the shorter term through customer acquisition, and in the longer term through individuals who choose to trust companies that offer transparency and control over a greater amount of data - data that they in turn are happier to share. These companies are leaning into consent, providing online visibility for customers that extends typical profile management into a data privacy dashboard, stepping up to the specific demands of the GDPR.
Starting this year, legitimate interest in shaping customer expectations means that capturing, managing and storing consent at scale is the preserve of first mover advantage. Customer identity, personal data and their intrinsic relationship with devices, sensors, microservices, connected homes, cars and buildings all demand greater privacy and security. For the industry laggards that play fast and loose with personal data and the interpretation of data protection law, it will now be the empowered consumer in the court of public opinion that wields the power of change.
Nick Caley, Vice President - Financial Services and Regulatory at ForgeRock