GDPR compliance - Systems integration is a good place to start

Data protection and privacy has become a topic of global significance, with high profile incidents involving both businesses and governments.  As a result, there is an increasing need for a unified data protection policy.

On 25th May 2018, new rules and legislation concerning the collection, storage and processing of personal information relating to individuals in the European Union (EU), also known as General Data Protection Regulation (GDPR), will come into effect.

The most important change in data privacy regulation in 20 years, the GDPR is a legal framework setting guidelines for the collection and processing of personal information of individuals in the European Union. With GDPR there are specific requirements for transparency about how companies manage their customers’ personal data. In addition to European companies, American and international companies with an EU customer base must comply. The Brexit vote does not mean UK businesses are exempt from GDPR, and they should prepare accordingly.

Companies that fail to comply can suffer significant consequences: fines of up to €20m, or 4 per cent of a company’s annual turnover, which when calculated at the group level for multinationals could add up to huge penalties.

The new GDPR regulations require that all customer data be time stamped, documenting how and when contacts consented to their personal information being saved. In addition, organisations must be capable of honouring their customers’ requests to erase their personal data or transfer it from one system to another, including a full audit trail confirming that the transactions were completed.

Companies are also recommended to appoint a designated data controller who is responsible for routinely performing data protection impact assessments and notifying the Information Commissioner of a data breach within 72 hours of being detected.

In short, companies need to ensure a framework is established to monitor, review and assess their data processing procedures with all necessary safeguards.

Finding customer data

The first step for compliance is taking a full inventory of wherever customer data appears in your organisation. But that isn’t always easy.

Locating customer data presents several challenges.

In addition to the CRM database, which is the obvious first place to look, the data could also reside in marketing automation, lead management, customer support, financial and field service systems. In addition, personal information can be stored as unstructured data in social media posts, emails, calendars, voice recordings and spreadsheets, and other sources.

Consider also that data can be located across different regions and offices, which may or may not use the same CRM systems. International data transfers will also need to be monitored for organisations where customer data is processed outside of the EU. 

In addition, with the increasingly mobile workforce and the adoption of cloud infrastructures, data can even be found in places that it shouldn’t be, such as in third party cloud services, laptop devices, or even file shares in publicly available parts of a network.

One consideration while taking a full audit of customer data is identifying customer data that is not useful and should no longer be stored. There is no point holding potentially damaging personal data if it’s not going to be used.

In short, it’s no small task to try to find every instance of customer data in your network that needs to be protected.

Enforcing GDPR

There are several different tools that can help create an audit trail across the entire customer data ecosystem.

Integration platforms can provide the glue that’s needed to find and then integrate data from different vendors, locations and devices. Low-code development environments enable employees who aren’t trained programmers to get involved with this integration process, which matters all the more as an increasing number of departments and business functions within the organisation become responsible for collecting, consuming and analysing their own data.

In addition to integrating systems to identify each instance of customer data, additional business processes for documenting a customer’s consent to the storage of their data need to be put in place.

All forms that capture customer data must be integrated fully with the back-end systems, so that compliance can be ensured by tracking every instance of where the data is shared and stored.

The entire process of lead generation also needs to be tracked. For example, contact creation through your CRM system will need to go through an ‘opt-in’ process rather than just be included automatically into marketing contact databases. The same applies for contact information collected at industry events and when you receive contacts from a third party.

These requirements also need to be enforced for channel partners. Does a partner have authority to share contact information with a manufacturer? If yes, the appropriate and proper opt-in procedures need to be followed and documented.

These rules also apply to previous and existing customers. When erasure is required, all personal details have to be deleted. You can’t simply mark “do not contact” in your CRM database. The data needs to be erased in every system where it appears.
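As an added illustration of the two requirements above (time-stamped consent records, and erasure that reaches every system rather than a “do not contact” flag in the CRM), here is a small consent ledger in Python. It is example code written for this page, not Magic Software’s product or any library API; the CRM, marketing and support systems are simulated as in-memory dictionaries, and the contact ids and e-mail addresses are constructed sample values.

```python
"""Added example: a minimal consent ledger with audit-trailed erasure and export.

Assumptions (not taken from the article): each back-end system is modelled as a
plain dict keyed by contact id, and consent/audit records are kept in memory.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ConsentRecord:
    contact_id: str
    purpose: str          # what the contact agreed to, e.g. "marketing-email"
    source: str           # where consent was captured: web form, event, partner
    granted_at: datetime  # UTC timestamp proving when the opt-in happened


@dataclass
class AuditEntry:
    at: datetime
    contact_id: str
    action: str           # "consent", "erase" or "export"
    system: str           # which system the action touched
    outcome: str


class ConsentLedger:
    """Tracks opt-ins and propagates erasure/export across registered systems."""

    def __init__(self):
        self.systems: dict[str, dict] = {}      # system name -> {contact_id: record}
        self.consents: list[ConsentRecord] = []
        self.audit: list[AuditEntry] = []

    def register_system(self, name: str, store: dict) -> None:
        self.systems[name] = store

    def _log(self, contact_id: str, action: str, system: str, outcome: str) -> None:
        self.audit.append(AuditEntry(datetime.now(timezone.utc), contact_id, action, system, outcome))

    def record_consent(self, contact_id: str, purpose: str, source: str) -> ConsentRecord:
        rec = ConsentRecord(contact_id, purpose, source, datetime.now(timezone.utc))
        self.consents.append(rec)
        self._log(contact_id, "consent", "ledger", f"{purpose} via {source}")
        return rec

    def has_consent(self, contact_id: str, purpose: str) -> bool:
        return any(c.contact_id == contact_id and c.purpose == purpose for c in self.consents)

    def export(self, contact_id: str) -> dict:
        """Portability request: gather the contact's data from every system."""
        bundle = {}
        for name, store in self.systems.items():
            if contact_id in store:
                bundle[name] = dict(store[contact_id])
                self._log(contact_id, "export", name, "copied")
        return bundle

    def erase(self, contact_id: str) -> bool:
        """Erasure request: delete from every system and record each step."""
        for name, store in self.systems.items():
            if store.pop(contact_id, None) is not None:
                self._log(contact_id, "erase", name, "deleted")
            else:
                self._log(contact_id, "erase", name, "not present")
        self.consents = [c for c in self.consents if c.contact_id != contact_id]
        self._log(contact_id, "erase", "ledger", "consent records removed")
        return self.verify_erased(contact_id)

    def verify_erased(self, contact_id: str) -> bool:
        """True only when no registered system still holds the contact."""
        return all(contact_id not in store for store in self.systems.values())


def do_not_contact_only(crm: dict, contact_id: str) -> None:
    """The anti-pattern from the article: a flag in the CRM, data left in place."""
    crm[contact_id]["do_not_contact"] = True


if __name__ == "__main__":
    ledger = ConsentLedger()
    crm = {"c-1001": {"name": "A. Example", "email": "a@example.test"}}       # constructed
    marketing = {"c-1001": {"email": "a@example.test", "list": "newsletter"}}  # constructed
    ledger.register_system("crm", crm)
    ledger.register_system("marketing", marketing)
    ledger.record_consent("c-1001", "marketing-email", "web form")
    do_not_contact_only(crm, "c-1001")
    print("erased after flag only?", ledger.verify_erased("c-1001"))  # False
    print("erased after ledger.erase?", ledger.erase("c-1001"))         # True
    for e in ledger.audit:
        print(e.at.isoformat(), e.contact_id, e.action, e.system, e.outcome)
```

The audit list is the evidence the article asks for: one entry per system per erasure, so a reviewer can see not just that a request was received but that every registered store was visited. Systems the ledger does not know about (a spreadsheet on a laptop, a partner’s list) are exactly the ones the inventory step exists to find.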

It’s important to minimise the customer data that’s collected so you don’t have to manage that data later.

You are legally responsible for ensuring that any data you store is accurate and up to date. It is also important to make sure you are not wasting time and money using incorrect data. To keep your data current, regularly ask customers whether their data has changed. You should also encourage employees to make updates, and train them to make those changes accurately.

The digital economy is built on the collection and exchange of data, including large amounts of sensitive personal data. Moving ahead with innovation requires public confidence in the protection of this information. Complying with GDPR will require a business-led approach that looks at the whole business model and how these requirements come into play. With May right around the corner, it’s never too soon to begin finding all the sources of customer data, wherever they may be, and to start your GDPR compliance journey.

Stephan Romeder, Vice President of Global Business Development, Magic Software Enterprises