GDPR: how it will be monitored & why it should be seen as an opportunity
The General Data Protection Regulation (GDPR) comes into effect from 25th May 2018 and will affect every business that controls or processes data on residents of Europe (Article 3) – even those whose HQ resides outside the EU.
Penalties for non-compliance under the GDPR are high – businesses can be fined up to 20 million euros or 4% of global annual turnover and that cost is in addition to the financial impact of the breach itself such as brand damage & loss of customer trust. An organisation can also be ordered to cease processing personal data if it fails to comply with data protection laws.
This is common knowledge at this stage, but there seems to be less understanding of the core objectives of GDPR. As a result, organisations are focusing on preventing cyber-attacks, which is understandable considering the high-profile cases of security breaches in the news of late. However, cyber security itself is just one piece of the puzzle toward GDPR compliance.
At its core, GDPR is designed to provide people (data subjects) with key rights for their data:
- Right to be informed.
- Right of access.
- Right to rectification.
- Right to erasure.
- Right to restrict processing.
- Right to data portability.
- Right to object.
- Rights related to automated decision making, including profiling.
It is these data subject rights which pose a higher risk for GDPR fines purely because of the sheer number of potential data subjects, which could be any customer, employee, applicant, medical patient, legal client etc… past or present. Initial surveys suggest that a third of people will exercise the right to have their data removed under the new rules – the proportion of people simply requesting their right of access will likely be much higher.
Monitoring GDPR compliance is not just a case of being ready & waiting for Data Protection Impact Assessments (DPIAs) from the supervisory authority in each EU member state – if as an organisation you are unable to facilitate a Data Subject Access Request (DSAR), or fail to process a data subject's right to modify or be forgotten, then the data subject is able to report this as a breach of GDPR.
And therein lies one of the biggest challenges in working towards GDPR compliance. How will you locate a subject's data across multiple different systems, including but not limited to HR systems, payroll, CRM, marketing databases, relational databases, data warehouses, BI/analytical tools, shopping accounts and loyalty schemes? The list goes on. In the case of retailers, an individual may have multiple accounts across a number of different channels and you need to be able to accurately identify all of them.
Once you have managed to locate all of that data, how will you then compile it together and provide the information to the data subject, and how will you facilitate their right to modify or be forgotten?
And how will you manage that for the hundreds if not thousands of potential data subjects that you hold information on? Will you do this manually for every DSAR? Or will you implement an automated self-service function that utilises your existing systems to reduce the demands on your staff?
The good news, and the reason we at Pitney Bowes see GDPR as an opportunity, is that once you have cracked that challenge you will have a complete, single source of truth for all of your customers. This will help you to learn more about your customers: to know how & when to engage and what their preferences are, to create opportunities for greater wallet share, and to increase satisfaction and retention.
Fuelled by the age of experience, being able to build a picture of your customers in this way is critical in this fourth industrial revolution that we are in the midst of, and is one of the driving forces behind great success stories such as Amazon, Walmart, and Pizza Hut who have not just survived in this digital economy, they have thrived.
Aside from being leaders in data quality, customer data management, and customer analytics, Pitney Bowes have a unique capability which stems from our heritage of nearly 100 years in the shipping & postal industry. During that time we not only invented the first commercially viable postage meter, but we also built up a comprehensive database of verified geotagged addresses. The address is the best way to identify an individual because, whilst they may have many accounts, pseudonyms, & personas, they only have one address.
This article is my interpretation of just one of the areas that affect GDPR compliance and is by no means intended as a single solution, nor is it the expressed views of Pitney Bowes, but hopefully it has given you some food for thought.
Please do reach out HERE if you would like to discuss further.