The General Data Protection Regulation (GDPR) is set to even the scales of data protection compliance within EU member countries. This is in response to differing rules around data between these countries, which have led to industry loopholes in data security. But before it comes into effect on 25 May 2018, organisations will have to evolve their data practices to keep in line with the new legislation or face hefty fines.
That said, harmonising compliance is not the only target. The GDPR is also a set of quality control guidelines – advice which, if harnessed properly, will generate valuable connections between companies and their customers.
GDPR means organisations must give control of personal data back to the people. Granted there will still be different shades of compliance, but to meet the spirit of the law, organisations will have to have the following three things in place:
1. A comprehensive understanding of what data they collect and how they use it
If businesses can’t answer those two simple questions – what and how – then they’re certainly in for a shock. Without this knowledge, it’s impossible to determine whether explicit consumer consent is necessary. On the other hand, it’s easy for data protection authorities to see if it is in place, for example by checking marketing touchpoints such as your website.
Consent is a huge part of the GDPR, and an important aspect of the aim is to put consumers back in the driving seat. Those who do not meet the regulations regarding conditions for consent will face heavy penalties.
2. Internal identity management systems or databases that tag and can retrieve specific data upon request
In this regard IT departments are invaluable, as plenty of GDPR obligations can be automated. For example, if a customer pulls out of profiling, tools can be implemented to generate opt-out signals. With GDPR they have the right to decide, and companies must honour the choices that consumers make.
Having greater control over data provides advantages to businesses too. By investigating internal systems, and recognising where middleware can be integrated data becomes a lot more accessible, and therefore useful. Too often data remains unused, unknown, when it could provide the spark of inspiration to set off a truly fantastic campaign. Managing data is paramount: companies could be looking for the missing link, only for it to be right under their noses.
3. External transparency and consent data management tools that will be the communication bridge between the company and consumer
Completing an internal data review will make the path to compliance much smoother, and make it easier to face the next potential hurdle – transparency. Individual rights, as already stated, are high on the GDPR agenda.
With the new regulations in place companies must communicate with consumers clearly. Hiding behind complex phrasing isn’t an option – educating consumers about their new rights, what data is collected, and how it is used is an obligation.
Most organisations should have by now completed their gap analysis that establishes their baseline data practices against the GDPR’s manifold requirements. Processes are being reviewed and changed, often painfully, and 2018 budgets for technology deployment are being prepared. The consulting goldrush, already in full swing, will shortly transition toward critical technologies such as middleware systems and privacy preference tools. That is where the IT department will be more important than ever.
It is also categorically imperative that any automated systems that inventory and categorise data to map it as it is used, work within the parameters of the GDPR’s rules to the data use. Amazing innovation in identity management systems are already available, with more to come, and while we shouldn’t be surprised if the next multi-billion pound company springs from this service, many companies are also considering building their own systems to perform this same meta-function. I caution many of our clients, however, that there is no market panacea and regardless of the internal systems that a business settles upon, its success is wholly dependant on technical resources and the IT team. Deployment is merely the first step, but on-going maintenance of the identity management middleware system is no less critical than that of your servers and databases.
As important as internal automated systems are, compliance with the GDPR mandates transparency about an organisation’s data practices and easy to use tools that empower the consumer to take action to control her own data. The consumer-facing transparency obligation, codified by the GDPR, will prove to be an inadvertent stumbling block unless the IT department gets involved. Deploying easy-to-use technology that effectively communicates your data strategy cannot be driven by the lawyers. That is a sure way to fail. Instead, there is an opportunity to establish bidirectional communication that serves as the consumer’s gateway to your data practices and her new rights under the GDPR that also will create trust and foster goodwill with your customers. This gateway necessarily is technology based.
The penalties are severe, with companies set to loose either up to 4% of their global turnover or €20 million – whichever is the bigger figure. No wonder then that organisations are diligently preparing for May 2018, and it’s essential for IT leaders to make the risks to businesses clear, as well as where the responsibility lies. With consent being such a huge factor, it’s expected that this is where the majority of organisations will trip up.
To prevent mistakes companies must present a united front, so collaboration between teams is essential. Automated transparency and consent processes that work in parallel to databases, triggering responses at the right moment, will make the compliance process seamless.
As a good rule of thumb, whatever mechanism or tools that are ultimately deployed, while technically led by the IT department, must exist to serve humankind. That axiom, if adhered to, will keep organisations out of trouble and will help them in deciding what technologies or tools to use in order to achieve the aim of the GDPR, giving power of personal data back to the people. With that guiding principle in mind, the IT Department will lead the charge for GDPR compliance.
Todd Ruback, Chief Privacy Officer & VP of Legal Affairs at Evidon
Image Credit: Wright Studio / Shutterstock