Articles on the European Union General Data Protection Regulation (GDPR) have been in the news since April 2016 and have increased lately in both frequency and urgency. Why? Because GDPR is a real regulation with real consequences – organizations can be fined up to 4% of annual global turnover or €20 million, whichever is higher, for non-compliance. And it doesn’t just affect EU companies. Any company anywhere in the world that holds and processes the personal data of people in the EU is impacted.
According to a PwC survey of 200 U.S. CIOs, CISOs, CCOs, CPOs, CMOs, and General Counsels, 92% of U.S. organizations consider GDPR compliance a top priority, but as of a few months ago only 71% had started preparing.
Additionally, Gartner predicts that more than 50% of affected companies will not be ready to comply by May 25, 2018, when the regulation goes into effect.
If you don’t yet have a GDPR strategy, you need to make it priority number one, as procedures designed to meet prior privacy guidelines will not be sufficient for your upcoming GDPR compliance.
How GDPR is different: Your data is no longer your data.
The European Union’s initial guidelines on data protection and privacy date back to 1980 – a time when few consumers owned even a brick-sized cell phone or a personal computer. The subsequent tech boom that took us from Walkmans and Commodore 64s to the Internet and smartphones prompted the EU to establish Data Protection Directive 95/46/EC. This built upon previous data collection, use, and accountability principles, and extended privacy as a fundamental right. However, because a directive must be transposed into each member state’s national law, inconsistent implementations and legal challenges have since weakened it. GDPR, in contrast, is a regulation: it applies directly and uniformly in every member state, with no national transposition required.
Under GDPR, privacy is still considered a fundamental right – the individual’s right. In the eyes of GDPR, control over personal data rests with the individual, not with your business. Any data that can be linked to an identifiable person – name, location, ID numbers, genetic or biometric data, cultural details, social identity, even browser cookies and IP addresses – falls into this category. And GDPR gives individuals the power to exercise their rights: the right to be informed about the data being collected or processed; the right of access to a copy of that data; the right to rectification; the right to erasure (subject to conditions); the right to data portability; the right to object; and more.
Key Changes to Data Management under GDPR
- Where processing relies on consent, that consent must be freely given, specific, informed, and unambiguous, and must be as easy to withdraw as it was to give. Individuals can withdraw consent, demand erasure, and/or object to further processing of their data.
- Organizations must provide, upon request and within one month, a copy of the individual’s personal data, free of charge, in a commonly used electronic format.
- In the event of a personal data breach, organizations must notify the supervisory authority within 72 hours of first becoming aware of it, and must inform affected individuals without undue delay when the breach is likely to result in a high risk to them.
More importantly, GDPR fundamentally changes how businesses must operate.
GDPR is not just a rights or regulatory issue, it’s a very real customer engagement issue – with the ability to impact both a customer’s experience and your organization’s bottom line. In essence, every interaction gives a customer the opportunity to remove data and withdraw consent – limiting and even potentially closing the lines of communication between your business and your customer.
Plus, it affects not only collected data, but also behavioral models and automated decisioning – the profiles your organization may build about a person. Customers can demand meaningful information about the logic behind such decisions, and they have the right not to be subject to a decision based solely on automated processing, including profiling, when it produces legal or similarly significant effects for them. You’ll need to demonstrate transparency and establish trust to foster positive customer relationships.
GDPR dramatically raises the stakes of getting it right when it comes to customer relevance – and now more than ever - of making sure you don’t get it wrong.
You’ll also need a system in place to notify customers, respond to inquiries, and track this information. If a customer asks about their data, you have one month to reply. For a data breach, you have 72 hours to notify the supervisory authority. GDPR requirements – and penalties – are real.
27% of respondents are planning to completely overhaul their approach to security in response to GDPR.
--Symantec, State of European Data Privacy Study
If you don’t already have an understanding of how GDPR will affect your organization, a gap analysis is essential. You will need to first and foremost understand what personal data you collect and process, on what lawful basis, where it is stored, how it is transferred, and how it is secured. Then rank the steps you need to take to be prepared. During your evaluation keep in mind these three key concepts:
- Onboarding/Re-Boarding – If you already hold personal data and rely on consent as your lawful basis, you’ll need to reach out to customers and obtain consent that meets the GDPR standard prior to May 25, 2018, unless your existing consent already does. Without a valid lawful basis, you can no longer use that data. After May 25th, you’ll be required to demonstrate your compliance in obtaining permission to collect and use data.
- Privacy by Design – Large, multinational organizations should institute an orchestrated approach to data management and customer interactions. GDPR codifies this as “data protection by design and by default” (Article 25). In short, you will need to automate closed-loop processes across disparate systems and data sources – and do it quickly. Data privacy can no longer be an afterthought or add-on; it needs to be built into the core of your systems, with data minimization and privacy-protective defaults from the start.
- Accountability – Any organization that establishes customer processes or interaction strategies must have systems and procedures in place that track customer notifications, correspondence, consent, and data policies, plus provide evidence of regulatory compliance on demand. End-to-end orchestration, governance, dynamic processes, and auditability are essential.
Learn more and build your GDPR compliance strategy:
Contact us to learn how Pega software can support your GDPR strategy.
Next in this series: 7 Steps to Prepare a Successful GDPR Compliance Strategy