During my college years I was quite the Depeche Mode fan, ‘Violator’ being one of my favourite albums at the time. When Martin Gore wrote “Policy of Truth” I doubt he was thinking of Data Protection; however, the song is about trust in a relationship and being open and transparent. Quite apt when I ponder this new era of privacy as, since 25th May, the EU GDPR is now fully enforceable. When it comes to our personal data, at least, we shouldn’t be left feeling violated by the organisations we choose to have personal data relationships with.
It is safe to say that GDPR has inspired consumer data best practice across all sectors. It has placed the power firmly back where it belongs, in the hands of the consumer so that when we give our personal data to any organisation we now know it is going to be treated carefully. This is good news for everyone and it has helped to ensure that all parties become better data custodians – carefully handling, collecting, storing, sharing and processing the valuable pieces of data that we choose to share (or else face a very strict and costly punishment).
Now almost one month since the regulation came into force, what must organisations do to ensure they continue to remain better guardians of the personal data they hold, in what seems like a galaxy of data privacy rules and regulations? Here are some of the most prominent areas I still think need some careful consideration:
Ensure consent is effectively managed
I am sure your inbox, like mine, has been flooded with emails from organisations asking your permission to continue receiving their emails. It is critical that those organisations have clear visibility across all their marketing systems as any misalignment could be deemed as non-compliance. Sending out an unsolicited email to someone who has opted out, or worse not even ‘opted-in’ in the first place, could be a trigger for a complaint to a Supervisory Authority like the ICO to investigate. Keeping a strong audit trail of when and how consent was captured as well as tracking Opt-in/Opt-out will help keep organisations on course and avoid any complaints.
Know how to handle data privacy requests – before it becomes an issue
Organisations that fail to adhere to the strict GDPR policies risk facing fines of 4% of global revenue or 20 million euros (whichever is greater). Worse yet, they may even be stopped from processing data altogether. This explains why it is critical that a clear process is in place to ensure any organisation is ready and able to respond to any issue when required. Should a consumer make a data request (40% of consumers are expected to do so), it is essential that all details are shared within the time frame outlined. Locating such potentially vast amounts of data could take a lot of time and resources. Self-service portals that empower individuals to gain access to their own personal data are already being deployed by many to get around this issue.
Gain a competitive edge
Organisations that operate in a transparent manner and clearly inform how they manage personal information will be able to build their customers’ confidence that sharing their personal data is safe. What’s more, organisations that can be open about why they need personal data and what they will do with it will gain their customers’ trust. Remember that the customer is still king and loyalty is built on confidence and trust.
Always always always understand your data relationships
The GDPR is all about getting companies to really understand the data relationships they have, internally and externally. This isn’t just about the name, email address and date of birth of customers; it’s about data that might be held concerning employees’ banking details, medical records, religious beliefs, political persuasions or even sexual preferences. Companies must ensure they truly understand all of the personal data they have among the many disparate data sources inside and outside of their organisation, and ensure the correct policies & procedures, training and technology are all in place to protect, manage and monitor that data in accordance with the GDPR.
Don’t be a data hoarder
The GDPR states that data should not be held any longer than is necessary. While hoarding data on the off chance you will need it might be tempting, the GDPR gives you a chance to reimagine your strategy and processes. Define a data retention policy that covers your data estate and its data flows. Data minimisation and data deletion are good practices to follow: if you don’t really need to use personal data then don’t, or at least don’t keep it for any longer than required. You may find it will save a few pennies on storage costs as well.
Strive to build a strong data culture
How well do you truly understand the personal data that sits within your organisation? It is paramount that all staff, from board level to juniors, really understand the implications it has for them. To guarantee this, a strong culture of data education and data literacy needs to be created and driven. And when you consider the fact that roughly 25% of data breaches happen from inside an organisation too, you can see why it has never been more important for businesses to ensure only authorised personnel have access to the mission-critical data needed for their role. When it comes to building a strong data culture, it is important to always remember that the date when the GDPR became enforceable (25th May 2018) is very much the start of a long journey ahead, rather than the end point.