With 14 months to go, if you handle personal data of EU citizens and haven’t started yet, the time to act on ensuring you are ready for the impending General Data Protection Regulation (GDPR) is now.
Even if you already comply with the current Data Protection Act or other data-type regulations, this is different. The obligations of GDPR are far-reaching, with:
- new roles (Data Protection Officer) for accountability and governance
- new operational processes (Privacy Impact Assessments, Data Breach Notification) with very short turn-around times, and free-of-charge Subject Access Requests
- an overhaul of consent: unambiguous, explicit opt-in consent for different processing activities
- new and extended rights:
  - right to be informed
  - right of access
  - right to rectification
  - right to erasure
  - right to restrict processing
  - right to data portability
  - right to object
  - rights related to automated decision making and profiling
  - greater control over trans-border data transfers
Of even greater impact is the scale of the potential penalties for non-compliance, set extremely high at €20 million or 4% of annual turnover (whichever is greater).
This is a game changer, and not just for the data controller: these fines, as well as the data protection responsibilities, now also apply to data processors. Increasing the scope of responsibility and penalisation brings a lot more focus on the implications of GDPR for a lot more people.
And just in case you were hoping Brexit would take it all away: it won’t. In a recent article on the ComputerWeekly site, the new Information Commissioner, Elizabeth Denham, said it was “extremely likely” that the GDPR would be live before the UK left the EU. She said all UK companies that wanted to do business in the EU would have to comply with the GDPR.
In addition to this, the information commissioner said the major shift in the law was about giving consumers control over their data, which tied in with building trust and was also a part of the ICO’s philosophy. “In a global economy, we need consistency of law and standards,” she said. “The GDPR is a strong law and, once we are out of Europe, we will still need to be deemed adequate or essentially equivalent. When the UK leaves the EU, which is likely to be 2019 or later, a new data protection law will need to be in force.”
So, it comes as no surprise that for many of our clients, GDPR is a top objective for 2017 and not just for the Chief Marketing Officer and Chief Data Officer but also for the CIO, and definitely for the newly appointed Chief Protection Officer required as part of GDPR. All need to work together to ensure compliance.
The positive is that much of what is required is now understood. The legalese has been translated into something that can be planned and implemented. There is also a recognition that GDPR was always an update to the existing 95/46/EC Directive, so much of what is required should already be in place. As a first step, however, you will need to check your data protection position against the new EU legislation across:
- People and Processes
- Data (content)
- Policy and Governance
This gives you a view of your ‘GDPR readiness’ and will help identify the investments you require to obtain demonstrable compliance with GDPR.
To support you in this, there is a lot of good guidance material in existence; the ICO, for example, is a good place to start. If you want experienced support, we can help you with this important step of being ready for GDPR. We will do this by performing an assessment of your readiness to comply with GDPR at the policy, procedure, technology and data levels, identifying the gaps, and qualifying and quantifying their impact on you and your customers.
Our second blog in the GDPR series gives assessment examples for the key impacted areas we have identified:
- Ensuring transparency and managing explicit consent
- Complying with enhanced rights for the data subject
- Regulating data and building in Pseudonymisation to enable profiling
- Data protection by design and accountability
- Personal Data Breach Notification and Supervision
To set expectations, the assessment will identify gaps, not least because GDPR has those additional obligations that will mean you will change what you do and how you do it. So, a business case will be required. This should already be compelling with such large potential fines, but just in case, here are a few additional reasons:
- Better customer data can generate valuable insights into customer behaviour and how to improve customer experience. If done with transparency it should be viewed in a positive light, building trust and advocacy with your customers.
- The opposite, of course, is also true. Any breach needs to be communicated within 72 hours to the supervisory authority (the ICO for the UK), and if the breach is high-risk for the data subjects, they must be notified directly and as soon as possible. There are significant fines for failing to notify a breach when required to do so: up to €10 million or 2% of your global turnover.
- A breach can lead to intense press coverage and cause significant reputation damage. There is also the important matter of compensating the subjects themselves when a breach occurs, as well as the impact on share prices and market position.
- Many a campaign or a marketing decision is diluted or prevented due to a lack of clarity on whether the consent has been given or not. GDPR provides the vehicle to tidy up not just the content but the archaic processes surrounding the capture, management and use of customer permissions and preferences.
- Instead, look to embrace new ways of working and address some of that technical legacy, investing in the marketing technology stack, maybe even that Customer Preference Centre you always wanted.
- Your data privacy policies and processes, and T&Cs, probably need to be updated anyway, so this is an opportunity to simplify and make them more consistent.
- You can review the third-party data processor contracts, opening opportunities to renegotiate and get more favourable terms.
- It raises awareness and the profile of your internal data governance programme.
- Cyber-attacks and data breaches are on the rise with major attacks across many industries and geographies. If your data is an asset it needs protecting.
As well as building the business case, the assessment will help you to identify the investments you need to make, be it in terms of technology or, more importantly, the team you need to deliver GDPR compliance. Beyond the Chief Protection Officer, there is the GDPR subject matter expert, and the process and technical team(s) tasked with ensuring that data protection is by design and ideally built to make the business more customer centric.
The team should be mainly populated with people who know your processes, your systems, your data and would cover the roles of the solution and data architects, data and security analysts, system and database engineers, ETL developers, and the report writer building the reports showing compliance.
There may be a need to complement and supplement with external resources, and this is where we can also help with our proven experience and expertise in delivering pragmatic and valuable programmes of change for data protection and governance, customer management and decisioning.
Overall, conducting a readiness assessment for GDPR will help you determine the right approach from the start to deliver the transformation that ensures compliance, embeds data privacy and generates additional business benefits.
Head of Data Practice at Comet Global Consulting
James has been a chief data architect at Vodafone, T-Mobile UK (precursor to EE) and more recently with Barclays. Prior to that he gained a good grounding in delivery, with experience at consultancies that specialised in Business Intelligence, CRM and Decisioning, Information management and governance, where he undertook a diverse set of roles ranging from business analysis, project management, design and development, testing and release management at varying levels of seniority, working on projects across the globe in multiple industries including Financial Services, Telecommunications, Utilities, Retail and Public Sector. During his working experience of 17 years, a constant thread has been evident: a focus on Data, big or small, starting with how it is collected, its management, how it is understood and made available, assuring it is fit for purpose and made secure, what can and can’t (or shouldn’t) be done with it, and ensuring it drives value for our clients and their customers. It is this focus on the Data space that James brings to Comet GC and will bring to this blog, aiming to share insight and spark debate on current and future trends, innovation of data products, services and practices, how-to guides with lessons learnt, and tips and tricks to gain and then maintain stakeholder buy-in through successful delivery of what is of value and is sustainable.