May 25 is a deadline many companies serving the EU are starting to worry about. But according to Tim Walters, Co-founder of the Digital Clarity Group and Principal Analyst and Privacy Lead for The Content Advisory, the General Data Protection Regulation (GDPR) was actually adopted into law in 2016. Organizations have had two years to make the required changes, yet it’s only now that they are paying attention and trying to figure out the changes they need to make to be compliant.
So what is GDPR exactly, how does it affect organizations, what challenges do they face implementing it and what are key things they need to do? All these questions were answered in a recent podcast we did with Walters: How Organizations Can Prepare for GDPR.
This 38-minute podcast was jam-packed with important information. Here are some of the highlights:
Who Does the GDPR Apply to?
The GDPR does not apply just to EU-based companies. It applies to the use of personal data of any resident of the EU by any organization across the globe. It’s location-specific though, so it only applies to people who are living in the EU.
If your company is offering goods and services to EU residents, or is monitoring the behavior of EU residents, then you must comply with the GDPR. Ask yourself these questions:
- Do you offer an EU shipping option?
- Do you show purchase prices in Euros or another EEA currency?
- Is your website localized to EU member state languages?
What is Considered Personal Information?
The GDPR replaced Directive 95 (created in 1995, before the Internet, social platforms and general digitalization of life). As a result, the definition of personal data has been updated to include anything that can identify – directly or indirectly – a natural person. Now, in addition to obvious information like name, address, and other PII, it also includes browser cookies, device IDs, and other digital fingerprints. It also looks at how individual pieces of personal data that normally wouldn’t identify a person can be combined to directly identify someone.
Who is Responsible for Compliance?
This one doesn’t have a clear-cut, one-department answer. It’s an IT issue, it’s a security issue, and it’s also a compliance/legal issue. All of these departments have a role to play because the GDPR is forcing a thorough and fundamental change to how an organization processes data. Walters said it is critical to drive awareness of its effect as well as how processes will be initiated going forward.
On a day-to-day basis, though, marketers and customer experience professionals will be affected the most. Data plays a key role in marketing programs today, and marketers, as well as customer support professionals, capture and leverage a lot of personal data that is often used in ways that pose a challenge for the regulation. You see marketers use a lot of tools architected to acquire, aggregate and use a lot of data, often without a person’s consent.
Walters discussed two major components:
- Article 5 – data processing principles
- Data Subject Rights
In Article 5, there is the principle of minimization – organizations have to design their data processing, and prove they have designed it, in a way that uses the minimum amount of data. This, said Walters, directly conflicts with how things are done today, which means organizations have to figure out the right balance of information to capture and use to meet their experience and business objectives.
A good point that Walters made is that although we are living in a time of data-driven marketing, most organizations are not that mature in their practices. So it’s not that big of a cultural change to do things differently; it’s more a recognition that certain practices can no longer be pursued. This is an area where consent management needs to evolve greatly and that affects processes and other teams across the organization.
The Data Subject Rights Will Challenge Data Governance
Consumers have a lot of control under the GDPR, and it is expressed in the Data Subject Rights:
- The right to know if you have their personal data
- The right to see what data you have and request it be updated
- The right to get a copy of it
- The right to request you delete it (also called the right to be forgotten) – and prove you removed it
- The right to data portability – you have to package it up and send it to another party – typically a competitor
Think about those rights and then think about all the places in your organization where you know you store customer information. Now think about all the places where you don’t know customer information is stored. Walters points to the 80% of data that is dark – you don’t know it exists and it may not be used.
This is where your data governance plan is critical. It’s no longer okay to have siloed, fragmented data across the organization. GDPR presents you with an opportunity to get your data house in order.
- Get a handle on your personal data collected internally and shared with third parties. Walters said this is a huge data governance exercise – the inventory. This is typically done by IT.
- Now you need to do an audit. Marketing will help here. Is it personal data? How are you using it? What value do you get out of it? How much value? Do you want to continue using it? What rights are allocated to it? Did you ask for consent? Now you need to go back and ask for re-consent (or re-permissioning). The same activity will need to happen for customer support/service.
On the positive side, Walters said, you can deal with a haphazard data situation. You have the opportunity to clean out the data you no longer use and figure out what to do with the data that is valuable, including how it’s stored and getting permission to use it.
GDPR and the resulting data governance exercise are an opportunity to improve the customer experience.
Walters closed the podcast with two key points:
- May 25th is not a deadline like Y2K was – it’s the starting line to a new era, to a new set of practices around data collection and usage. If you can show you have made an effort and have a plan, you’ll be okay.
- GDPR presents an opportunity. You have to decide how you will adapt to this new business environment; not only adapt, but thrive. Your approach can form a competitive advantage – you become smarter about using data and make a more valuable value proposition to consumers, and you will reap the benefits of happier, loyal customers.
Listen to the entire podcast – it’s worth it!