If you haven't heard about the EU's General Data Protection Regulation (GDPR) by now, where have you been? Coming into effect on 25th May, GDPR affects any organisation that holds or processes data on EU citizens and puts significant power back in the hands of the people the data is about - you and me!
GDPR builds on a previous Data Protection Directive but has new powers and real teeth. However, just like when the Data Protection Directive came into force, there is a lot of confusion about what it means and what's required. Too often (and wrongly) that's come to be expressed as 'we can't do that, GDPR prevents us'.
GDPR does place new obligations on organisations and grants new rights to individuals—including the right to be informed, have access, rectification (correct errors), erasure (be forgotten), restrict processing, move their data, object to data being captured / processed, understand how decisions are made using data, and be promptly informed of any data breach.
In particular, GDPR contains provisions relating to the holding and processing of Personally Identifiable Information (PII). The definitions of PII can differ country-to-country, so care must be taken to ensure you understand the scope. For example, the definition of personal data has been expanded and clarified to include IP addresses, cookie identifiers, and GPS locations.
GDPR requires that organisations consider privacy from the ground up. Whilst this is relatively straightforward for new data gathering and processing, it may present some challenges in respect to historic or legacy data—especially when a person exercises their right to be forgotten. Perhaps the biggest potential challenge going forward is in obtaining the required explicit consent (active opt-in). If your organisation is not in compliance or suffers a data breach, the penalties can be crippling: €20 million or 4 percent of worldwide revenue.
So, no one can afford to ignore the impact of GDPR. It has a broader and deeper scope than the directive it replaces, and sanctions designed to enforce compliance with the regulation.
Impact on customer data
It's easy to see why so many organisations, especially those that hold and analyse lots of consumer data, are worried. But there are some steps you can take to remain compliant and still offer personalised services:
- Make sure you really understand GDPR and what it requires. Get expert help if necessary. This is not something you can afford to get wrong.
- Wherever possible, use active opt-in. Give control to consumers.
- Don't gather data that you don't need, especially PII. Think carefully about what data you gather and why. Does it have to be a real name or will an anonymous user ID work just as well?
- Anonymise PII (e.g. by encryption) at the point of collection, or as soon as possible thereafter. Use pseudonymisation techniques, such as tokenisation or hashing, to replace PII with values that do not identify the person.
- Have a complete and centralised ability to track and monitor your customer data collection, access, and usage. This should be under the remit of the Data Protection Officer (DPO).
- Ensure you have a solid governance framework with proper controls for data onboarding, security, access, PII identification, metadata, etc.
- Develop the capability to get and maintain an overall understanding of your customer data, to pinpoint consent status, addition, erasure, and portability.
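As an added example, not code from the original article, the two pseudonymisation techniques named in the list above (hashing and tokenisation) in Python. It shows why an unkeyed hash of an e-mail address is not anonymisation (a guess can be confirmed by hashing it), why a keyed HMAC is stronger (confirming a guess needs the secret), and how a token vault lets erasure be honoured by deleting one mapping. The secret `PEPPER`, the `TokenVault` class and the sample addresses are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Secret key ("pepper") held by the data controller. An assumption for this
# example; in practice it must be stored apart from the pseudonymised data.
PEPPER = secrets.token_bytes(32)

def plain_hash(value: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone who can guess the input
    (e-mail addresses, phone numbers) can confirm it by hashing the guess."""
    return hashlib.sha256(value.encode()).hexdigest()

def keyed_pseudonym(value: str, key: bytes = PEPPER) -> str:
    """HMAC-SHA256 under a secret key: the same input always maps to the same
    pseudonym, so analytics can still join on it, but guessing needs the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def reverse_by_guessing(digest: str, candidates, fn):
    """Dictionary check: returns the recovered input if `fn` can be reversed
    by guessing plausible inputs, otherwise None."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), digest):
            return candidate
    return None

class TokenVault:
    """Tokenisation: PII is replaced by a random token and the mapping lives
    in a separate, access-controlled store. Deleting the mapping makes every
    copy of the token meaningless, which is how erasure is honoured."""
    def __init__(self):
        self._forward = {}  # PII value -> token
        self._reverse = {}  # token -> PII value

    def tokenise(self, value: str) -> str:
        if value not in self._forward:
            token = secrets.token_hex(16)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenise(self, token: str):
        return self._reverse.get(token)

    def erase(self, value: str) -> None:
        token = self._forward.pop(value, None)
        if token is not None:
            del self._reverse[token]
```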
A GDPR future
Whilst it will take some time for the 'new normal' to get fully established and the dust to settle, we can already start thinking about what comes next.
Even before well-publicised data breaches, and the case of Facebook and Cambridge Analytica, people were becoming more aware of the value of their data and concerned about their privacy. Those concerns have started to be acted upon, with more individuals exercising their opt-out.
This will continue, especially as consumer tools emerge that are designed to engage consumers in managing their data and how companies are using it. Indeed, we fully expect data strategy to increase in importance, but it needn't hamper innovation, especially for those businesses that rely on data to tailor their service.
Considering GDPR, we need to balance privacy and innovation. Too many restrictions (real or imagined) can choke innovation, but a lack of ownership and oversight may lead to people's identities being sold out unexpectedly, with all the legal and reputational fall-out that entails. But it doesn't have to be that way. We need to find new methods to respect individual data rights and still lead innovation. For example, companies can use anonymised data in a more sophisticated and consistent manner, be sure that people know what they are getting in exchange for their data, and create new business models that encourage customers to share data and that allow them to compete on data quality and management.
In fact, an emphasis on data quality and privacy will open new innovation horizons, focused on data portability, privacy risk management and customer engagement on information.
GDPR is an opportunity to build trust and help your brand stand out. Just like enhanced risk assessment in financial services, it also makes good business sense. Remember, trust is often hard-won and easily lost.
GDPR is an important milestone in our ongoing information evolution. Perhaps such rigour and focus on privacy and information management will resolve data quality and governance adoption challenges, and transform the enterprise mindset to finally recognise data as an asset once and for all.