From GDPR to Customer Trust: Is Your Data Ready to Protect Customer Privacy?
Is it just me, or is there an eerie correlation between the fast-approaching May 25th deadline for compliance with the General Data Protection Regulation (GDPR) and the growing number of reported privacy violations, leaks and outright system failures capturing headlines? Coincidence… or not?
All ‘conspiracy theory’ aside, over the last few weeks we’ve heard about Chief Security Officers, Chief Information Officers and even CEOs losing their jobs following a data breach that exposed their customers’ sensitive data to external parties. But the repercussions aren’t limited to an individual or a department. A breach of this magnitude can cost a company not only fines that can run into billions of dollars, but also a loss of public trust, brand deterioration and a significant loss of business. Take the recent Uber incident, in which the self-styled ‘digital native’ taxi alternative failed to alert regulators around the world to a mass data breach that potentially put the personal details of 57 million customers and drivers into the hands of cyber criminals. In the UK, Uber could also pay the price when its London operating licence comes up for renewal with Transport for London, something that would likely have a significant impact on its revenues.
Each day brings concrete cases illustrating the rising cost of penalties for capturing data without customer consent, or showing that a loss of control over personal data can have a billion-dollar impact on a company’s market valuation.
The impact of GDPR is huge, not only because the regulation ‘punishes’ companies that fail to comply with severe penalties, but also because data subjects, i.e. anyone in the EU (whatever their citizenship) who is an employee, customer, visitor or user of your company’s products or services, now understand their new rights in the digital age and are starting to ask the right questions, take the right steps and put up barriers against companies in order to protect themselves. At the same time, non-European citizens are getting louder in demanding similar privacy rights.
In fact, a recent survey by Pegasystems suggests that data subjects may be better prepared for GDPR than the companies they do business with: 82% of European consumers plan to exercise their new rights to view, limit or erase the information businesses collect about them. Just as they took up the right to be forgotten against Google after the Court of Justice of the European Union ordered the company to honor it in May 2014, data subjects feel empowered by their new rights and will undoubtedly be more mindful of the personal data they share with any vendor at any time.
So, what does this mean for IT Leaders? We think there are two main things to consider:
- GDPR is much more than just another compliance regulation. It’s also a customer engagement issue, a call to action for establishing a system of trust when engaging with consumers—your customers—now that digital transformation has turned them into data experts. You’re no longer dealing with a naïve generation of constituents.
- GDPR should be treated as a data management project. Most companies are still asking themselves, “Are we ready for GDPR?”, with a focus on internal processes, policies and organization. What they REALLY should be asking is: “Is our data GDPR-tested, consumer and government approved?”
Benchmarking surveys (such as those by the IAPP and EY, or by Deloitte) show that the toughest challenges relate to the second question. Most GDPR initiatives get stuck in paperwork and never get hands-on with the details of protecting the personal data the company actually holds. As a result, topics like consent management, data subject access requests, data portability or the right to be forgotten go unaddressed. I would call this a ‘band-aid’ approach to GDPR: it may be a satisfactory first step to show regulators that work is underway to assess the risks and address the legal issues, but it falls far short of winning customer trust, and losing that trust will cost the business far more than the fines you are likely to incur from regulators.
Organizations should instead get hands-on with their data and make sure they address the five pillars that get their data ready for GDPR:
- Know their personal data, by continuously maintaining a map of the personal data that flows across the organization
- Create a 360° view of each data subject, where they collect, connect and protect all the personal information they intend to maintain
- Protect their data against leakage and misuse, and make sure it is anonymized (or at least pseudonymized) whenever it is processed outside the scope that legitimate interest or consent allows for
- Foster accountability by delegating responsibility for personal data to the stakeholders who contribute to the related processing activities
- Know where the data is and when it moves across borders, while opening personal data up to the data subject. This is crucial to honor the rights of access, portability and rectification, and the right to be forgotten.
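As an added illustration of the third pillar (this script is not part of the original post and is not any vendor’s product code), the following Python shows the difference between what many teams call ‘anonymization’ (an unkeyed hash of the e-mail address, which an attacker with a list of known addresses can reverse) and keyed pseudonymization, and applies field-level minimization so that only the attributes inside the consented purpose leave the system. The records, field names, purpose scope and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample customer records (not real data).
RECORDS = [
    {"email": "Alice@Example.com", "country": "FR", "orders": 3, "notes": "VIP, called twice"},
    {"email": "bob@example.org", "country": "DE", "orders": 1, "notes": ""},
]

# Attributes the 'analytics' purpose is allowed to see (assumed consent scope).
ANALYTICS_FIELDS = {"country", "orders"}

# Attributes that directly identify a person and must not leave in plaintext.
DIRECT_IDENTIFIERS = {"email"}

# Constructed key for the example. In production it lives in a KMS/HSM, is
# rotated per purpose and is never stored next to the pseudonymized data.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def normalize(value: str) -> str:
    """Canonical form so 'Alice@Example.com' and 'alice@example.com' match."""
    return value.strip().lower()


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of an identifier: often mislabelled 'anonymization'."""
    return hashlib.sha256(normalize(value).encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token: deterministic (joins still work) but cannot
    be recomputed or brute-forced by anyone who does not hold the key."""
    return hmac.new(key, normalize(value).encode(), hashlib.sha256).hexdigest()


def minimize(record: dict, allowed: set, identifiers: set, key: bytes) -> dict:
    """Produce the copy of a record that may leave the consented scope:
    direct identifiers become tokens, allowed attributes are kept as-is,
    everything else (free text, internal notes) is dropped."""
    out = {}
    for field, value in record.items():
        if field in identifiers:
            out[field + "_token"] = pseudonymize(str(value), key)
        elif field in allowed:
            out[field] = value
    return out


def reidentify(tokens: set, candidates: list, token_fn) -> dict:
    """Dictionary attack an adversary can run on an exported dataset: apply
    token_fn to each guessed identifier and report which tokens match."""
    hits = {}
    for cand in candidates:
        token = token_fn(cand)
        if token in tokens:
            hits[token] = cand
    return hits


def export_for_analytics(records: list, key: bytes) -> list:
    """The dataset handed to the analytics purpose."""
    return [minimize(r, ANALYTICS_FIELDS, DIRECT_IDENTIFIERS, key) for r in records]


if __name__ == "__main__":
    export = export_for_analytics(RECORDS, PSEUDONYM_KEY)
    print("exported rows:", export)

    # An attacker who obtains the export plus a list of known e-mail addresses
    # (a marketing list, an earlier leak) reverses unkeyed hashes at once...
    guesses = ["alice@example.com", "bob@example.org", "carol@example.net"]
    naive_tokens = {naive_hash(r["email"]) for r in RECORDS}
    print("reversed naive hashes:", reidentify(naive_tokens, guesses, naive_hash))

    # ...but gets nothing from HMAC tokens, because the key is not in the export.
    hmac_tokens = {row["email_token"] for row in export}
    print("reversed HMAC tokens:", reidentify(hmac_tokens, guesses, naive_hash))
```

One caveat a practitioner should keep in mind: because the controller still holds the key, these tokens are pseudonymous, not anonymous, and under GDPR (Recital 26) pseudonymized data is still personal data. The export merely stops exposing the identifier to the downstream party; genuine anonymization needs aggregation or generalization of the remaining attributes on top of this.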