Almost all organizations (98%) see challenges in complying with the General Data Protection Regulation (GDPR). The biggest challenge is to know when enough has been done to comply. Organizations are looking for clearer guidelines on this.
GDPR, the new European regulation on data protection, really should be on the agenda in every boardroom. At the very least, boards should have heard about it, because it is due to start in May 2018. Research shows that a lot of organizations are discussing GDPR, and struggling with key elements. For instance, what adjustments in data governance are needed to comply? Should a Data Protection Officer be appointed? What opportunities arise from this new regulation? To better understand the current status of companies, SAS investigated the state of GDPR preparedness in organizations, and the biggest perceived challenges and opportunities.
No structured process
We found that almost half of the organizations studied had no structured process in place for becoming GDPR-compliant. There was a significant difference between small companies, where more than half (56 percent) had no structured process in place, and large and very large organizations, where only 44 percent and 21 percent, respectively, had no structured process. Of those with a structured process in place, 79 percent reported that they had started the process and 66 percent of that group believed they would be compliant by May 2018.
The research also shows that 58 percent of the organizations studied had problems managing data portability and the so-called ‘right to be forgotten’. Almost half said that it was a challenge to find personal data within their own databases (copied datasets, CRM data). The GDPR gives every EU citizen the right to know and decide how their personal data is being used, stored, protected, transferred and deleted. Individuals have the right to restrict further processing and to request that all their data be erased. Most companies are struggling with the tools and processes, but many are also finding it hard to interpret GDPR on data portability. Take, for example, a telecom customer, who must be able to migrate all personal information, including contact details and photos, to another telecom provider on request. The original provider is obliged to deliver the data in a portable form. The right of data portability will be an enormous challenge for many telecom providers. The same goes for other organizations, including utilities, retailers, banks and insurance companies.
Since the adoption of GDPR in April 2016, there has been a lot of discussion about the steps that organizations need to take to comply. Almost all organizations (98 percent) see challenges in complying with GDPR. One of the biggest challenges is to find out whether what they are doing is enough to comply (59 percent). Non-EU companies in particular struggle with this, with 71 percent saying it is a problem. Organizations are looking for clearer guidelines on what exactly needs to be done. An easy and efficient way to initiate the right actions is to follow five building blocks proposed by SAS.
Although the stricter rules pose challenges, GDPR can also help organizations. Change is not a bad thing, and 71 percent of the organizations studied confirmed that their data governance would improve as a result of GDPR. 37 percent stated that their general IT capabilities would improve. GDPR gives organizations the opportunity to reassess all their existing data governance policies, for all data and not just personal information. The growing volume of data is likely to be most organizations’ most important asset. With the correct policies in place, companies will be able not only to comply, but also to generate competitive advantage. Think of the possibilities of improving analytical processes, optimizing operational efficiency and achieving cost reductions.
Image and customer satisfaction
The survey shows that almost one third of organizations think that their customer satisfaction will improve, and nearly as many (29 percent) think that their organization’s external value proposition will improve. New services and initiatives, such as individual data vaults, will emerge from careful handling of personal data. Organizations will have a holistic view of customer data, and insight into whether and how customers want to receive messages and proposals. They will be able to improve the customer experience and make customer interactions more relevant. Government bodies could also optimize their processes and improve citizen satisfaction by centralizing and securely sharing personal information. Whether you are in the town hall or filing your tax returns, government bodies will know you and respond appropriately.
Can compliance generate competitive advantage?
We hosted a digital discussion on Twitter to explore the following topics:
Q1: What do you see as the biggest challenges with the ‘right to be forgotten’?
Q2: How will the lack of structured process to prepare for GDPR challenge companies?
Q3: Realistically, how GDPR-ready will companies be by May 2018?
Q4: Why do you see GDPR as an enabler for improved customer experience #CX?
Q5: Who do you see as stakeholders in GDPR compliance?
You can read the highlights of the discussion as a Storify: Can compliance generate competitive advantage?