The implementation of GDPR has brought a step-change in how companies approach data, but what would you argue is the primary principle of GDPR?
“One key principle GDPR establishes is accountability. It is up to the organisation that needs personal data for purpose, referred to as the data controller under GDPR, to ensure enforcement of the privacy principles not only within its walls but also across suppliers with whom it might share the data and subcontractors that might process data on its behalf, known as the data processor. Cloud providers are perfect examples of data processors that an organisation might deal. GDPR will be a significant change in how organisations approach personal data and their cloud and data management strategy. Early and comprehensive measures to ensure that businesses know what data they have collected from individuals, where it is stored, and what policies their cloud providers have in place to protect and secure it, is imperative for business success in the modern, data-driven future. Therefore, while GDPR is a regulatory framework, it also promotes best practice and drives the kind of data management that enables businesses to provide better services to their customers.
“Furthermore, GDPR is not simply another regulation, but a new human right that empowers and protects the digital citizen. It recognises that all data must be taken care of and looked after responsibly. This makes GDPR much more than a box ticking exercise as it will allow greater control as well as a deeper understanding of one’s own data and how best to protect it. GDPR marks the return of personal data to the hands of the individual – its rightful owner.”
What changes can we expect to notice following the implementation of GDPR?
“Organisations need to crawl their entire data infrastructure to create and maintain a constant accurate map of their data. They need to pay particular attention when it comes to their third-party systems such as CRM, HR, infrastructures or platforms as-a-service or analytics that are based in the cloud. This will be especially important as they would then need to assess the GDPR readiness of their cloud provider as a data processor and make sure their contract includes a data processing agreement. Similarly, data controllers need to ensure that they can erase the data from their cloud providers when they stop using the cloud service. As consumers will be able to request information on, or the deletion of, all the personal data a company has about them, the data controller has to ensure that they can meet this kind of requirement through their cloud provider.
“A more proactive view of GDPR is that companies should demonstrate how they use data to enhance the customer experience rather than be prepared to react to requests regarding personal data. For example, smart energy company, Nest (opens in new tab) uses customer data to offer a range of smart devices that keep the owner informed about energy usage or tracking carbon monoxide levels. Similarly, supermarket chain Tesco (opens in new tab) uses the Internet of Things (IoT) to improve its use of data in order to deal with constantly changing customer buying patterns and to battle growing competition. Organisations are beginning to notice that by utilising data to solve customer needs, it creates a stronger relationship between the consumer and the company. Stationary company, Paperchase (opens in new tab) uses data to better understand customer buying patterns and make better strategic decisions such as, like in the case of Tesco, how to personalise promotions based on consumer spending habits. These are all examples of how an organisation can justify the data they hold by actively using it to improve and personalise their customers’ interactions with the brand. By providing this kind of value, customers are more likely to opt-in as they find a service useful than question why an organisation needs data that they see no benefit of sharing with them.”
The relationship that companies have with their cloud service providers (CSP) are incredibly important. How will GDPR affect the relationship between organisations and CSPs?
“Organisations must take a far more active interest in the physical location of a cloud provider’s datacentres. Under GDPR, there are specific countries outside of the EU, only a few, that are authorised for the storage of EU citizens’ data. If your cloud service provider is storing your information in a datacentre that is outside of these regions, you will need to ensure that there are Binding Corporate Rules in place to keep the data compliant with GDPR. At the same time, this location information will also be essential to remain compliant with any additional local regulations in the industry and other regional territories that the organisation operates in. It will be essential for organisations to work with cloud providers who can provide clear and transparent location information for their data storage, or else introduce unnecessary risk.”
In the last few years, data has been labelled as the world’s most valuable resource. What advice would give you give on how we regulate such commodity?
“Without doubt, data is the world’s most valuable commodity – the rocket fuel that has powered the rise of Internet giants like Facebook, hyperscalers like AWS, and industry disruptors like Uber. To the finance industry, for example, data is a matter of boom or bust, and given the vital role financial services plays in society, consumers and businesses need banks to have data. Understanding its value will enable companies to collect and use data in a means that will benefit both the company and its consumers.
“The availability of the data is fundamental to the personalised services customers expect to receive. Staying with the example of banks, these organisations need personal data to calculate credit ratings, financial health-checks and astute investment decisions on their customers’ behalf. As a rule of thumb, the more information you give your bank, the more personalised the service they can provide. GDPR should be seen as a huge opportunity for the finance industry to re-establish trust with consumers. Understanding where data is and that it is managed correctly is not only fundamental to complying with GDPR, but also to providing the highly personalised and predictive services which the modern customer expects.”
In light of recent discussion regarding data security in the finance industry, how will GDPR affect banks and insurance companies?
“Overall, data protection regulations such as Open Banking, PSD2, and GDPR must be viewed as opportunities for financial services organisations to re-establish trust with consumers, which may have been eroded by high-profile data breaches in 2017. In a way, this brings us back to the basics of what financial services are all about: being a steward of people’s assets. When it comes to customer trust, financial leaders shouldn’t wait on regulators to keep their companies in check.
“Understanding where data is and that it is managed correctly is not only fundamental to regulatory compliance and customer trust, but also to providing the highly personalised and predictive services that customers crave. Therefore, the requirements of regulation are by no means at odds with the strategies of data-driven finance firms, but in actual fact perfectly aligned. In light of, this we should regard GDPR as the means of liberating a plethora of data that can create greater customer service.”
Jean-Michel Franco, Senior Director, Data Governance Solutions at Talend (opens in new tab)
Image Credit: Wright Studio / Shutterstock