There’s a little over a month left before May 25th, the date on which businesses that handle personal data of EU citizens will have to comply with the terms of the General Data Protection Regulation (GDPR).
Numerous reports suggest that up to half of businesses are still not ready to comply with GDPR – and are therefore at risk of incurring significant fines, as well as failing to meet customers’ and employees’ new rights to access subject data—and time is running out. .
The GDPR itself is a complex piece of legislation. Thus, if your organization needs to be compliant, there’s no time to waste. So here is a look at some of the common misconceptions that could bring significant financial, customer loyalty and brand equity penalties to your business.
1) Believing GDPR only applies to companies based in the EU.
Any business that supplies products or services in the EU or deals with personal data of EU citizens will be bound by the terms of the EU data protection directive (Yes – including the UK – where Brexit will not come into effect until well after the deadline for GDPR compliance). ExtaCloud CEO Seb Matthews says in this interview that many organizations based outside of the EU are acting like “Ostriches burying their head in the ground and hoping that this regulation doesn’t apply to them.” Not a great business strategy, considering:
- It does apply to them, and
- They face fines of up to 20 million Euros—or 4% of global turnover (whichever is greater)—if they get it wrong.
“Not only is the GDPR compliance deadline quickly approaching, but—along the way—its very existence has raised the awareness level of all citizens in the digital age when it comes to their rights to data privacy,” said Jean-Michel Franco, Senior Product Marketing Director, Talend. “Additionally, as data privacy scandals continue to make headlines, citizens across EMEA, APAC, and NORAM are putting pressure on governments and organizations of all sizes, across all industries, to improve personal data privacy practices and controls.”
2) Failing to understand what personal data you are storing and processing
The EU’s data protection directive – the basis for the GDPR—defines personal data as “any information relating to an identified or identifiable natural person.” This definition is much broader than what we used to consider in the past as Personally Identifiable Information, or PII. In the big data and machine learning age, personal data includes far more than just e-mails, International Bank Account Numbers, phone numbers or customer IDs. This type of data can also include social media details, clickstreams, geo-localization, biometric data, voice recording, customer service logs, etc.
To get an accurate and comprehensive of personal data across an enterprise and reclaim control over this information, it’s wise to implement a data lake where the entire organization can capture and reconcile personal data across systems, map lineage to original and/or related data sources and targets, apply controls and audit trails on top, and share that data internally with appropriate stakeholders, or externally with data subjects.
3) Not knowing where personal data is stored, and/or how to delete its master record upon request
Customer and employee data are usually widely dispersed across an organization, both in the cloud and on-premises, on local file systems or distributed file systems like Hadoop HDFS, as structured or unstructured data, etc. You might not have a 360° view, or even an up-to-date technical index recording of where every data record is kept. GDPR imposes restrictions on the transfer of personal data outside the European Union. Thus, not only do IT leaders need to know where personal data resides because of location regulations, but GDPR also gives EU residents the right to request that their personal information records be deleted for any number of reasons. In the case of such a request, IT leaders need to make sure they can remotely trigger the deletion of personal data, even if it is stored in file systems, proprietary cloud apps, or archive systems where record-level deletion might not be as straightforward.
4) Companies can use data for reasons other than stated when it was collected
One of the principles that will come into effect with GDPR, called data minimization, is that personal data can only be used for the express purposes for which permission has been given by constituents. This means that if you’ve collected data about your customers who have placed complaints to better understand their grievances, you can’t subsequently use that information to offer them special deals or hit them with targeted advertising.
As a result, businesses must take extra measures to ensure they fully and accurately explain what they intend to do with personal data at the time of collection. How wide the scope for interpretation and ambiguity of this aspect of GDPR will of course not be understood for some time. For example, will simply stating that data is being collected “for customer service purposes” cover everything you might need to convey? Possibly, but if not, your company could end up in court and that is an expensive gamble with not only your job, but company money, brand value and reputation as well.
GDPR also forces companies to reassess their applications – new or legacy – through the lens of data privacy. A typical example is a data warehouse, or a data lake. When it contains personal data, many companies are considering anonymizing it with data masking unless they fully understand who can access this data and for what purpose?
5) Companies can bypass checking consent agreements for legacy data
The standards that must be met under GDPR to show that any personal data processing you are doing is in line with the consent granted by the data subjects (people) are high. Most pertinently, consent is not considered to have been given unless it was collected under an “opt-in” framework rather than an “opt-out” one. That is, EU residents must have clearly given consent for their data to be stored and processed, rather than simply failed to have withheld consent.
This applies to all personal data being processed – whether or not it was collected before or after GDPR comes into force. This means that consent agreements must be scrupulously checked wherever possible, and if there is any doubt, err on the side of caution and don’t use it. If you can’t prove to yourself – and as well to the regulator and the data subject referenced by the data you process – that you have permission to use something, then you are at risk.
6) It is just about data protection
A very common misconception—perhaps due to the name of the regulation itself—is that GDPR is just about data protection. One fundamental principle of GDPR is that a company should allow a Data Subject – your customer, prospect or employee – to take control of their data. For example, your organization must respond without delay, and at the latest within one month, to your customers or employee requests for data accessibility, data portability, data rectification, or the right to be forgotten. Many companies such as Apple or Facebook have released or announced a privacy control center where any data subject can see their personal data, specify their consent preference by opting in or out to personalized services, ask to be forgotten, etc. Is your organization ready to deliver this kind of customer service to secure and reinforce your customer and employee relationship while complying with the regulation?
While most citizens see GDPR as a significant progress with regards to human rights, many businesses perceive it as a constraint. But what if they consider that data privacy could give them a competitive edge, allowing them to increase the impact of personalization for their bottom line, backed up with a system of trust that not only complies with the regulation but also encourages customers to share their personal data for better service.