Did we all forget Data Privacy in 2020?

With the dramatic shift from physical to online events, rigorous data privacy seems to have been lost. It certainly falls very short of the requirements of GDPR. GDPR was designed to protect users from having their data misused. It is just as valid today as it was when it was launched in May 2018.  GDPR and recent data breaches put data privacy in the spotlight. Organizations that can demonstrate “privacy by design” will earn trust, confidence and deeper engagement with customers. For many companies GDPR compliance is not a choice. How they choose to turn it to their advantage is.

Refreshing your memory: GDPR

By May 25, 2018, any company doing business with subjects of the European Union must comply with the GDPR’s stringent rules or face fines up to 4% of revenue. Underpinning the regulations is the principle of “Privacy by design” which means compliance cannot be an add-on, but must be baked into the operational DNA of the organization.

GDPR and recent data breaches have put data privacy in the spotlight. Organizations that move fast to demonstrate “privacy by design” will earn trust, confidence and deeper engagement with customers. For many companies GDPR compliance is not a choice. How they choose to turn it to their advantage is.

By May 25, 2018, any company doing business with subjects of the European Union must comply with the GDPR’s stringent rules or face fines up to 4% of revenue. Underpinning the regulations is the principle of “Privacy by design” which means compliance cannot be an add-on, but must be baked into the operational DNA of the organization.

The General Data Protection Regulation (GDPR) is the new data privacy regulation jointly proposed by the European Parliament, the Council of the European Union and European Commission, aiming to “strengthen and unify” data protection laws for individuals within the European Union. GDPR consists of 99 Articles, plus 173 Recitals, which provide explanatory text to aid interpretation of the Articles. The new regulation plans to replace the old Data Protection Directive [95/46/EC], which has been effective from 1995.

GDPR applies to organizations…

• Holding or processing personal data of subjects residing in EU
• Offering goods or services to EU residents
• Monitoring behaviors of EU data subjects

The law applies to any company whose data processing concerns private data of EU data subjects, irrespective of the company’s (processor or controller) location.

The GDPR went into effect in May 2018, but few businesses have responded

• GDPR is real and not going away
• A wide range of stakeholders participate in GDPR compliance
• Privacy by design isn’t a one-off exercise
• Compliance requires understanding and control of data, processes and IT systems
• It is a huge task

There are several myths or misunderstandings around GDPR

• It only affects EU companies: Not true
• It is about securing and encrypting data: Not true
• Companies need to locate their data in the EU: Not true.

The greatest barrier to taking action is that companies believe it that it doesn’t affect them or that they will not be caught and fined. This is missing the point. This should be the catalyst to rethink your customer engagement strategy and build loyalty that is a huge differentiator and competitive advantage.

Think about benefits not fines

Whilst fines of 4% of revenue focuses the mind, there are huge benefits to be gained from transforming the way you handle customer data:

Reputation: Trust can disappear overnight with a data breach or reported misuse of personal information. Complying with GDPR can be used as a competitive differentiator and something to shout about, not just a way of saving you from becoming another data-breach statistic.

Data simplification: You must delete the personal data you don’t need or have permission to hold. You can also only hold personal data you have a valid basis for, and then only for a reasonable period — including all that duplicated data. With less data that is more up-to-date and accurate you will see immediate savings. A survey showed staff spend 18% of time looking for the right information and then confirming that it is correct.

Process improvement: GDPR impacts all customer-facing areas of your business and requires you to have documented and version controlled processes. Documenting processes drives improvements and quick wins. We typically see 25% improvements in productivity, and often more, when using a proven process mapping approach.

4 practical steps

Once you have assessed if you need to comply with GDPR there are 4 steps you need to take.

Job #1 — Revise your agreements: You may need to change your agreements with your customers.

Job #2 — Where is the Personal Data stored: You need to take an inventory of all your internal systems and build a data catalog of each systems down to field level. This is so you can satisfy the 6 GDPR Requests (GDPR Articles 15–22)

Job #3 — Develop & deploy operational processes: There are specific GDPR processes that need to be documented, understood and followed; getting opt-in consent, Subject Matter Access requests, reporting data breaches. But also you need to revisit many marketing and sales processes where you collect prospects, run marketing campaigns, process unsubscribes and touch customers. Once you understand the processes, you can do step 4.

Job #4 — Build data privacy permissions: You need evidence that you can contact your customers / prospects (GDPR articles 5 & 7). There are 6 different reasons under GDPR. It may be because you have a contract with them — “Contract”. It may be because you are in a sales cycle — “Legitimate Interest”. Or it may be because the customer / prospect has given you consent — “Consent”. This opt-in consent should be freely given, specific, informed and unambiguous. There are number of ways this consent is given; exchanging business cards, scanned at an event, subscribed to a newsletter.

Photo by Alexander Sinn on Unsplash