7 Steps to a Successful GDPR Strategy

7 steps to a successful GDPR strategy
"If businesses set their strategy correctly, the very same infrastructure that will enable them to comply with the regulation can actually underpin future success to deliver better customer engagements." – Jeff Nicholson

In his previous blog, “GDPR is coming: Are you ready?” Jeff Nicholson, Pega’s VP of CRM product marketing, outlined how the European Union General Data Protection Regulation (GDPR) has real consequences for any company anywhere in the world that possesses and processes data from an EU resident. It’s also a very real customer engagement issue, changing the dynamic between your business and your customers. Pega’s recent survey backs this up.

  • 89% of EU consumers want to see the data that companies have saved about them.
  • 82% of EU consumers plan to exercise their new rights to view, limit, or erase information collected about them.
  • 93% of EU consumers said they would erase their personal data if they weren’t comfortable with how they thought companies used it.
Source: Pega GDPR Survey

Pega surveyed more than 7,000 consumers in seven EU countries to find out how consumers may react to the new regulations, and to help businesses anticipate how customers plan to use their newfound powers come May 2018. Our findings highlight the potential impact to organizations once GDPR regulations go into effect. They also underscore the immediate need to have not only systems of compliance in place, but also customer engagement tools that can understand the context of an interaction and provide transparency to help foster trust with consumers.

According to Jeff, the key changes to data management under GDPR involve obtaining customer consent, complying with erasure/cease processing requests, providing copies of an individual’s personal data, and notifications of data breaches. As a result, you will need to have operational capabilities in place to notify customers, respond to inquiries, and track engagement information. And you’ll need to be able to comply with GDPR’s hard deadlines. If a customer asks about their data, you have one month to reply; for a breach of data, 72 hours. Plus, the penalties are very real for non-compliance.

You need more than just a system to handle GDPR – you need a system to manage the systems that handle GDPR.

GDPR is about a whole a lot more than just consent. It’s about end-to-end orchestration, governance, dynamic processes, auditability, and engagement. It’s about getting your old systems to work with your new systems. And it’s not just a matter of your business’ ability to react to customer requests; you’ll need a host of proactive processes that must span your entire enterprise. This will involve digitizing current manual processes and automating dynamic, complex processes, even across systems that may not have accessible APIs. And transparency and trust are paramount.

Use these 7 steps as a guide to take on GDPR.

Regardless of where you are in your GDPR planning, the following seven steps provide a guide for the core actions and system capabilities essential for organizations to support the new regulations.

Preparing for GDPR: 7 Steps to Success

  1. Document Your Current and Future State – This will allow you to produce the evidence that is required by the regulation, as well as uncover any potential gaps in process and technology.
  2. Establish New Closed-Loop Processes – Any process for consent that involves manual steps will expose the business to a potential risk in compliance. This will require the need for dynamic, closed-loop processes that have the ability to adjust to the nuances of each request.
  3. Connect Disparate Data Sources – You will need to find a way to connect the processes to customer data and systems throughout the enterprise. Importantly, this often includes the need to integrate with dated legacy systems that may not have APIs.
  4. Enact Protections for Customer Data – Safeguards must be put in place to proactively protect personal data. This means considerations for encryption, de-identification, and pseudonymization of data.
  5. Create a System of Notifications – You need to automate communication across all parties, including the data, subject, the controller, processor, and the regulator – with both proactive and reactive processes, including the assembly of dynamic content.
  6. Achieve transparency in automated decisions – You may need to cease opaque analytic processes and replace them with transparent processes that can shed light into the logic used in making the decision.
  7. Maintain Comprehensive Audit Trail – Track all activities, including data capture, the granting of consent, and even the decisions that have been made using that data.

GDPR has far-reaching implications across impacted businesses, from marketing, to service, sales, risk, disputes, and much more. It’s essential that multinational organizations takes steps now to ensure their systems are in place, functioning, and compliant with the forthcoming 2018 regulations.

While the prospect of mass data inquiries may induce panic at some companies, savvy businesses should view GDPR as a golden opportunity. If businesses set their strategy correctly, the very same infrastructure that will enable them to comply with the regulation can actually underpin future success to deliver better customer engagements.


LEARN MORE and build your GDPR compliance strategy:



ABOUT THE AUTHOR: Leanne Russell, managing editor of Pega’s blog, helps high-tech leaders share their knowledge, experience, and success stories.