’Tis the season to ensure you have a legal justification for processing – Part 1Published: Monday, 15 January 2018 by Joe Cripps, Product Manager
Now that Christmas is done and dusted, the last of the festive food consumed, the new year has successfully been seen in and the associated hangover has subsided…it’s time to face the cold light of January. Unless you happen to be in the business of selling gym memberships or nicotine patches, it’s safe to say that this is probably not your favourite time of the year! But this year, the party is well and truly over for many thousands, if not millions of businesses around the world, who are having to adopt a new kind of new year’s resolution.
Of course, I’m talking about the General Data Protection Regulation (GDPR) which the EU will start enforcing in just over 4 months. I’m sure this won’t be the first blog you’ve read on the subject and I’m certain it won’t be the last, so I’ll take a different approach. Of course, GDPR is becoming as much of an opportunity for software vendors and consultancies as it is a pain point for data controllers. According to Ernst & Young Fortune 500 companies alone will spend roughly $7.8 billion on compliance.
Multi-billion dollar market opportunities don’t come along every year, so it’s no surprise that every data security vendor under the sun has come forward with a plethora of content outlining the perils of the new world order post-GDPR. Maybe you’ve heeded one of their calls to action already and now your customer data is locked down tighter than a marshmallow in a vice. Congratulations! You’ve got nothing to worry about, there’s no way that any breach is going to occur on your watch? You’re fully compliant… or are you?
Organisations seem to be responding to GDPR by taking steps to ensure that their customer data is not hacked in the way that LinkedIn, Sony and the NHS have been over recent years. Data security is important - attacks are becoming more frequent and sophisticated and, under GDPR, fines for breaches will rise - but this does not address the entire scope of the new legislation. GDPR will provide EU consumers with enhanced rights with regards to their personal data which go beyond ensuring this information is kept securely. I won’t list these rights now (you can read more by clicking here), but under GDPR organisations will need to prove that they have the right to collect and use customer information. In most cases, organisations will need to demonstrate consent from the customer to process and store their personal details or to receive communications from the organisation.
For any organisation with a sophisticated digital marketing operation, this is likely to represent a major undertaking. Not only do you need to audit your entire database to determine which records have opted in to various levels of processing or communications, but you need to obtain consent for any new customer data you collect. Customers must be able to grant or decline consent regardless of the channel they are using and up-to-date consent details for each customer should be held in a centralised location with access to all relevant systems, to ensure than no unauthorised data use takes place.
This probably sounds like an unwelcome challenge, but this legislation will also provide opportunities to organisations who are prepared to embrace change. GDPR has been designed to respond to widespread consumer concerns about how their data is processed, sold to third parties and used in marketing campaigns. Consumers are increasingly sensitive to receiving unsolicited and untargeted communications and are uncomfortable with organisations compiling detailed profiles without their knowledge. They have diminished trust for commercial organisations in general and have become desensitised to marketing campaigns.
However, from May organisations will be forced to move to a consent based data processing model. Until now, companies with large amounts of data who do mass mailings have been able to give progressive organisations who have invested in personalising their marketing a run for their money. GDPR will see scattergun mailings become a thing of the past and organisations will be rewarded for treating their customers as individuals across all digital experiences. GDPR legislation is in fact closely aligned with digital marketing and customer experience best practice, so compliance will not only eliminate the risk of fines, but should lead to organisations developing a stronger relationship with their customer base. Both compliance and developing an optimised data strategy go hand in hand, and require organisations to exert the highest level of control over their customer data, which must be of the highest possible quality.
Next week, I will revisit this topic to offer some practical advice for GDPR best practice. I will also outline the GDPR compliance proposition from Celebrus, which overcomes this challenge through leveraging the new consent management functionality within our real time CDP. Our solution provides complete control and visibility of your data, enabling GDPR compliance by ensuring a legal basis for processing exists for all customer data it transfers to systems of insight and engagement.
LinkedIn: Joe Cripps