GDPR implementation: some hard questions still remain

1

The implementation of the General Data Protection Regulation (GDPR) is very nearly upon us. The deadline is approaching, and we are very firmly into the transition phase. Should you panic? Definitely not. Instead, you must breathe and prioritise. Ask yourself what areas regulators and consumers are most likely to stumble upon, and address those first.

Alternatively, though, you could change your mindset, and see GDPR as an opportunity. Many companies have been struggling for years to build a comprehensive data governance framework. They now have a real reason to put that project into action, and justify the budgetary spend. By May, you will need to know who owns which data, and this could mean that you discover whole new datasets that can provide new insights.

You could change your mindset, and see GDPR as an opportunity and discover whole new datasets that can provide new insights.

Frequent questions

SAS hosted the Customer Intelligence Connection Circle (CI Connection Circle) in Nice at the end of last year, and GDPR was a hot topic of conversation, raising many questions. It was seen as a real hurdle for anyone dealing with personal information. Overall, there is a great deal of uncertainty about it, starting from the exact legal situation and how specifications will be interpreted. Nobody is sure whether there will be a soft approach at the start, or if the regulators will rush in and create some spectacular precedents.

These external challenges come with other internal issues. The general sense was that organisational leaders often lack any awareness of the urgency of the topic. This is partly because of the lack of clarity about the content and implementation of the regulation. There is also uncertainty about how to handle data, who is responsible for what and how you might clarify data ownership. Many companies and organisations are still uncertain what data they hold, or where it can be found, to say nothing of how it is used, and how it could be deleted. The “right to forget” was certainly causing headaches, and companies were also worried that demands would not just come from the regulators, but also from consumers, who can now approach companies and ask difficult questions. These questions might also be inconvenient, such as: How did you decide not to give me the loan?

Attendees at the event talked about how they could manage all these issues. Thinking about automated processes means taking into account investment (both money and time) that would be required in future and to adapt existing systems. This is important because it is not yet clear how regulators will enforce the directives and how consumers will react. Automated processes may also be necessary to manage data breaches. They may be the only way to quickly determine what needs to happen when someone steals data or an employee loses the password for the database.

It is crucial to remember the intent of the regulation; beyond data collected, GDPR also covers any insights about that customer that is generated. This would apply every time the insights were held in a form that was personally identifiable. Once you can identify an individual, that is personal data, and therefore covered by GDPR provisions.

Set up quickly now

One of the most important measures that companies can take in the short term is to integrate consent forms into their legal systems and processes. Establishing a sound information policy means that customers will be informed about the use of their data, and can give consent for particular uses, which is an important aspect of GDPR. Last but not least, it is important to create reliable documentation so that companies can be informed immediately when customers ask about the use of personal data.

You might be thinking that even if you are not quite ready by May, it is not a disaster. Nobody is going to die, after all. However, the fines are hefty enough to give anyone pause for thought. And many organisations are now moving towards the view that perhaps the fines are not the worst aspect. The potential reputational damage may be more important. Trust, after all, is the currency of the digital world. Lose your customers’ trust, and you may lose your customers too. The time has come to act.

Tags GDPR
Share

About Author

Mike Blanchard

Mike has over 19 years of experience in the CRM, technology and software industry, and for over five years has been responsible for the SAS Customer Intelligence Solution business across UK, Ireland and recently Nordic markets. He regularly meets with senior management in leading business to consumer organisations across financial services, insurance, retail, communication and service industries cementing the value of data driven decisions in multi-channel CRM processes and digital integration.

1 Comment

Leave A Reply

Back to Top