“War is 90% information”, said Napoleon Bonaparte. Though the famous French general didn’t live in the information age, he attributed most of his military achievements to having the right information. Today’s business is similar - more and more companies are looking for a competitive advantage in data, more precisely useful data that can be obtained by analytical means.
Companies don’t lack data nowadays, and they’re mostly using them for marketing. This doesn’t just apply to banks, insurance companies or operators. For example, Tatry Mountain Resorts (TMR), which operates mountain resorts and provides tourist services, collects data from turnstiles near surface lifts and cable cars, ski pass retail outlets, water parks, retail stores, restaurants and bars, as well as hotels. It later aggregates the data from production systems and combines them with data from its Gopass loyalty program.
Companies are not only aware of demographic customer data, such as age, sex or address, but also of their past behaviour and individual preferences which may also be collected online. For instance, TMR knows how often an individual customer uses company devices, if he or she is interested just in skiing, visiting water parks, or both, if he or she uses TMR hospitality services or eats and stays somewhere else.
The company tries to segment customers into the best possible detail, analysing and visualising the data to be able to better create and target direct marketing campaigns, but also to create so-called predictive models and to therefore search for correlations and predict future demand for products or services in a certain period of time (for example, how many customers will visit a water park in February).
Many companies want to be able to know what a particular customer is interested in in advance and give him relevant, tailor-made information at the right time. Moreover, it is necessary to identify every person throughout all the channels and have a complete picture of him, gathered through the most detailed data possible.
A new directive on data privacy, known as GDPR, which is coming into effect in less than a year throughout the European Union, might limit companies in their efforts. The Commission wants organisations to only collect customer data that is necessary for the functioning of the particular organisation. In addition, it greatly limits personal data processing and also applies to data that lead to identifying a particular person, such as information about their social or economic situation.
So far, this topic has been regulated by the Slovak privacy act, which was more permissive and didn’t threaten such strict penalties as GDPR. For that reason, many companies didn’t fully respect it. However, breaching the new legislation might lead to astronomical penalties. They may go up to 20 mil. Euro or 4% of a company’s total global revenue, which might be fatal for many companies.
Despite the threat of high penalties, we have to realise that complete readiness for the new legislation is a utopian dream and there is no point in trying to achieve it. Not only is there a very short period of time until the introduction of the law, but the regulation is very demanding from a organisational, processing and technical point of view. No wonder some companies would like to be stamped by some authority saying they comply with the new requirements without having to take care of anything. On the other side of the spectrum are companies whose parent companies request that they be 100% compliant with GDPR, which is practically unattainable.
It is necessary to take a pragmatic stance and follow the proportionality principle stated in the directive from the perspective of financial options, risks or the time the company has to introduce measures. Here are five most important facts that companies need to consider in relation to GDPR to eliminate the greatest risks most effectively.
- Prepare for bureaucracy
Ensure that everything related to data privacy is formalised and described in the best possible manner - similarly to ISO quality standards. In the descriptions you should state what activity the data are used for, on what basis (for example, on the basis of its legal purpose or on the basis of consent from the customer), and how consent is obtained and access to the data controlled.
This does not only apply to the data saved in information systems, but also to lists of names and contacts of customers you want to invite for a seminar or workshop. You should describe what a marketer or some other employee may and may not do with it – while respecting its proper protection. Where he or she can or cannot copy the list, if he or she can print it, and if yes, how he or she has to protect it – by locking it in a drawer, for example. The details should also be covered by processes with clear rules, and the persons responsible for these processes should be trained and comply with the rules.
The descriptions should also contain an assessment of the impact on privacy. And again, this does not only apply to information systems, but also to the existing processes. It will therefore be necessary to assess the impact on privacy for direct and marketing campaigns or for new products and services.
- Think twice about the data you want to collect
Nowadays we seek options for microsegmentation and personal communication, so it is natural to try to get the most data about clients. That’s why we create buzzwords like “big data”. However, GDPR goes against this. It is appropriate to keep track of what information you request from your customers and on what occasion, if you really need to know and if you have a clear business reason for their collection.
When you collect data, don’t keep them longer than necessary and never change the way you use them. In other words, use them only for the purpose you collected them for. Simply put, the safest option would be not to request any data, but such an option is impossible for the majority of companies.
GDPR requires meeting the rules marked as privacy by default and privacy by design. The first one is related to a minimalist approach. If a bank wants to open an account for a client, it needs to know his personal data, but it doesn’t need to know whether he or she smokes, whether he or she is unemployed, what income he or she has or if he or she has an account somewhere else. It should obtain an explicit consent to processing such data or be able to legally demonstrate it needs the data for its own functioning.
While privacy by default is a minimalist approach, privacy by design means all the new systems or databases must perfectly protect access control and meet other strict privacy protection conditions stated in the directive to ensure that only authorised persons can access them, as well to ensure that it is clear and auditable to determine who was working with them and in what way.
- Anonymise or mask data
Data protection related to the GDPR directive doesn’t necessarily mean locking documents in the drawer or storing data on an irrecoverable industry-leading secure server with perfect data management. To protect data from leaking from the network and to protect it from own employees not authorised to access it, it is appropriate to encrypt data or to hide the identity of customers.
You may decide to anonymise data, which will result in no person ever knowing identity of the particular persons. The second possibility is pseudonymisation, which means hiding or replacing a name with a pseudonym. Contrary to anonymisation, pseudonymisation is reversible. This means you can hide identities using pseudonyms, but by using the corresponding key you can match the persons with their original names. Of course, to do so it is necessary to keep the key for re-accessing names – and to protect it accordingly.
- Start to collect new consent from your customers
A precondition for many marketing activities is obtaining consent to personal data processing. Lawyers agree that after the introduction of GDPR a general consent will not suffice, which was the case in the past. Under the new legislation, the consent has to be specific, targeted and delimited by purpose, activity and time.
In each direct campaign, it will be necessary to check if a customer consents to being addressed in the given period of time, in the particular locality, and for the particular products and if he or she didn’t request the disabling of communication through a certain channel. Or whether the contract didn’t expire and he or she didn’t ask for a complete clearing of all data from databases or company information systems.
It is necessary to be careful with such requests, since the complete clearing of data might be restricted for other legal reasons – for example by a law on combatting money laundering.
- Prepare to report every data leakage
The new legislation requires you to continually monitor any personal data breach or leakage and to report such incident within 72 hours not only to the authority responsible for data privacy, but also to the persons concerned. In some of the companies, it might be a responsibility of the DPO – Data Protection Officer. In companies that periodically and systematically collect and process big volumes of personal data, the appointment of this person is required by the directive.
Up until now, companies have not been obliged to acknowledge leakage or other data compromising evens. You should therefore consider introducing technologies for monitoring unusual safety threats related to computer networks, which will enable you to discover breaches of safety and set up processes for their subsequent reaction and correction, including training managers and employees.
The author is a consultant for the software and consultancy company SAS