The countdown clock is running: In less than a year – on May 25, 2018 – the General Data Protection Regulation (GDPR) will take effect. The entire EU is scrambling to meet the new compliance law that will revolutionise the management and protection of customer data. The reasons for this legislation are numerous, but suffice to say that after years of sloppy data management and data breaches due to legacy systems of record and the siloed nature of IT, the bill has now come due. And like it or not, the government is going to hold all organisations accountable: the GDPR will place consequential restrictions on the commercial use of personal data.
So what constitutes personal data? Essentially it’s any information that can identify a person. The boom of electronic data accelerated by greater storage capabilities (cloud) and more channels to acquire and disseminate information (social media) has provided a huge opportunity to engage customers, but with this opportunity comes great risk and responsibility.
There is no doubt the cost of non-compliance will be high, not only to a bank’s or insurance organisations reputation as a result of publicity surrounding security lapses, but also financial damage in terms of customer attrition. First-time offenders can be fined as much as 10 million euros (or 2 percent of global turnover). And from there the penalties increase; organisations can be fined up to 4% of global turnover (or 20M Euros).
As GDPR-related headlines stream across U.S. news sources, you may not realise that these regulations may indeed apply to you and your business. While your company may not be located in the EU, GDPR has far-reaching effects around the globe. “personal data both inside and outside of Europe,” said Stewart Room, cyber security and data protection partner at PricewaterhouseCoopers (PwC).
Basically, if your organisation holds or processes the personal data of EU customers, suppliers or anyone who does business with you (GDPR refers to this broad segment of this population as “data subjects,” but for the purposes of this post, we will refer to them as “customers”), GDPR will affect you.
So what do you need to know? Here are 7 important components and effects of GDPR that you will have to take into account in the future:
- Remember, it’s always polite to ask: Consent
It’s no longer permissible for your organisation to ask for consent by burying it in a bundle of legalese. Request for consent needs be written in simple business language that any customer, supplier or person can understand. Unlike current unsubscribe options, the language should be clear and straightforward for a customer to rescind consent.
What this means: While this consent mandate will reduce your customer churn, you will need to develop new forms, and processes to allow consent; spanning new onboarding documents, agreements, and even marketing communications.
- When data is placed in a compromising position: Breach Notification
If there is a data breach or possibility of a data breach, the data subject (in this case, the customer) must be notified of any risk within 72 hours. This could be considered your highest vulnerability, as agility is typically the Achilles heel for any financial organisation.
What this means: Now it’s time to break down the silos and create cross functional teams that will be able to monitor and rapidly communicate data breaches. Think of this as fire drill exercise; your organisation will need to have processes in place to quickly react and inform customers of potential or reach data breaches.
- Yes, customers can ask: Right to Access
Any customer has the right to obtain information as to how their data is used. And your organisation is obligated to respond to this inquiry, free of charge. Paper based documents, such as claims or new account opening forms will create an impediment to responding to customers. If you have considered technology to capture and extract and store customer documents/data, now would be the time to invest.
What this means: You need to be prepared. So when you receive a phone call or email from a customer, supplier or partner inquiring about how their data will be used, how will you handle this? Which department will field these calls? Customer service? IT?
- What was your name again? Right to be Forgotten
When your customers’ personal data is no longer relevant for its original intent, they can request that you cease dissemination and erase from your systems of record.
What this means: It’s a similar answer to the one above. Who or which department will manage all the customer data and do they have access to remove it once it’s deemed no longer needed? How will it be removed from marketing? Or claims? Or even from your mobile app?
- Data to go: Data Portability
This allows customers to obtain and reuse their personal data for their own purposes and transfer it across different data environments. The goal behind this is to create one set of standards so data can be ported to another system if desired.
What this means: If a customer grants you permission, you can use their information that was once solely held by your competitor.
- Proactive, not passive: Privacy by Design
It begins with the organisation you weren’t even aware of: Twenty-five percent of employees are storing customer data in public without permission. File sharing sites, cloud services, and employees working remotely can make you vulnerable. While many financial service organisations have security processes in place for electronic data, a greater vulnerability exists with a single piece of paper. There are no guidelines for how information on these documents are handled or even stored.
What this means: For banks and insurance organisations this means leveraging technology to secure and update systems of record. And while the thought comes to mind of decade old databases and systems, keep in mind this includes all paper records. How will all those paper based records be handled? How will you be able to capture, extract and safely store that information?
- Help Wanted: Data Protection Officers
For organisations with 250 or more employees, a data protection officer is needed. This individual should be an expert in your data operations and have the ability to operate independently within an organisation. S/he will advise the controller of its GDPR obligations and other data protection laws, so the focus is on GDPR compliance and not security, per se.
While you are working on your plan to implement GDPR, take note of the potential business benefits. These global regulations will encourage customer trust, loyalty and engagement providing the opportunity for you to acquire greater market share.
Stay tuned for part 2: We’ll show you how automation will help you comply with GDPR.