Power to the customer – ensuring that businesses are ready for GDPR

Businesses of any size understand the importance of customer insights: when gathered and used correctly, they can drive strategy and become a key part of operations. Whether this data supports sales and marketing or is used to develop new products, many organisations are sitting on a goldmine of information. Many of them, however, are taking unnecessary risks with that data, and the consequences could be devastating.

The catalyst is the EU's new General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018. Under this regulation the rights of individuals (both customers and employees) are significantly enhanced: they can request access to their personal data and demand details of how it has been processed. This covers far more than contact details; it can include notes from telephone calls or every email sent to and from the company, and the firm will be obliged to share it with the individual free of charge (unless the request is manifestly unfounded or excessive) and, as a rule, within one month of receiving the request.

Smaller IT businesses might believe that this law only affects the likes of Google and Facebook, the Goliaths of digital, but it applies to all businesses regardless of size. And despite the UK's vote to leave the EU, British organisations will still be affected: the regulation applies to any company that offers goods or services to, or monitors the behaviour of, people in the EU, irrespective of whether the business itself is based in a member state. Those infringing the law could face fines of up to 20 million Euros or four percent of global annual turnover, whichever is higher, making it a top priority for CEOs and boards. Capgemini, for example, reports that consumer goods companies could lose up to $320 billion through fines and lawsuits if they fail to update their security policies in time.

This new level of scrutiny, and the consequences of ignoring it, mean that senior management will need a whole new approach to the way they handle data, with full transparency. In short, they need to change their way of thinking and turn the organisation inside out. There are some critical steps all organisations should take as soon as possible in order to prepare.

First, complete a full review of all software, systems and processes used within the company, to ensure that data access requests can actually be met. This produces a map of how personal data flows through the business, from customer operations to HR and marketing. For example, when employees take notes about customers or prospects, those notes need to be recorded in a way that is appropriate for external eyes while also being properly protected, because the customer will be able to request to see that information and learn how it was used. A practical check is to pick one real customer and confirm that every system holding their data can be identified and searched within the one-month response window; any system that cannot be searched is a gap the review has to close.

Next, businesses need to categorise what they have on file and prioritise which data needs the most protection. One approach that has been widely discussed is pseudonymisation: direct identifiers such as name, email address and phone number are replaced with a token, and the table that maps tokens back to identities is held separately from the transactional data, under stricter access control and encryption. Done properly, this keeps the data both protected and accessible for subject access requests, and it can reduce the volume of sensitive data spread across systems, making operations more cost effective and less complex. One caveat: GDPR still treats pseudonymised data as personal data, because it can be re-identified with the separately held mapping, so pseudonymisation reduces risk rather than taking the data out of scope.
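The following Python script is an added example, not code from the original article or from trust-hub, showing the pseudonymisation pattern just described on a constructed customer table. Direct identifiers are replaced with a keyed token (HMAC-SHA256 over the email address) so that the transactional table holds no names, emails or phone numbers, while a separate vault keeps the token-to-identity mapping needed to answer a subject access request. The field names, sample records and the choice of email as the linking identifier are assumptions for illustration; in a real deployment the key and the vault would live in a separate, more tightly controlled store than the transactional database.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the article): a customer table that mixes
# direct identifiers with the transactional fields the business needs to keep.
CUSTOMER_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "phone": "+44 7700 900001",
     "order_id": 1001, "amount": 42.50, "call_note": "Asked about refund policy"},
    {"name": "Bob Sample", "email": "bob@example.com", "phone": "+44 7700 900002",
     "order_id": 1002, "amount": 17.00, "call_note": "Upgraded plan"},
    {"name": "Alice Example", "email": "alice@example.com", "phone": "+44 7700 900001",
     "order_id": 1003, "amount": 9.99, "call_note": "Complained about delivery"},
]

# Assumed set of direct identifiers to strip from the transactional table.
IDENTIFYING_FIELDS = ("name", "email", "phone")


def make_token(email: str, key: bytes) -> str:
    """Derive a stable, non-reversible token for a data subject.

    A keyed HMAC is used rather than a plain hash: someone who obtains only the
    transactional table cannot recover an email address by hashing guessed
    addresses unless they also hold the key, which is stored with the vault.
    The address is normalised so the same person always maps to one token.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Split records into a transactional table (token only) and an identity vault."""
    vault: Dict[str, Dict] = {}
    transactions: List[Dict] = []
    for rec in records:
        token = make_token(rec["email"], key)
        # The vault keeps the identifiers; one entry per subject, however many records.
        vault.setdefault(token, {f: rec[f] for f in IDENTIFYING_FIELDS})
        # The transactional table keeps everything else, linked only by the token.
        transactions.append({
            "subject_token": token,
            **{k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS},
        })
    return transactions, vault


def contains_direct_identifiers(transactions: List[Dict]) -> bool:
    """Check that no identifying field leaked into the transactional table."""
    return any(f in t for t in transactions for f in IDENTIFYING_FIELDS)


def subject_access_request(email: str, key: bytes, vault: Dict[str, Dict],
                           transactions: List[Dict]) -> Optional[Dict]:
    """Re-identify a subject and gather every record held about them.

    Returns None when the address is unknown or the wrong key is supplied,
    which is the behaviour an attacker holding only the transactional table sees.
    """
    token = make_token(email, key)
    identity = vault.get(token)
    if identity is None:
        return None
    return {
        "identity": identity,
        "records": [t for t in transactions if t["subject_token"] == token],
    }


if __name__ == "__main__":
    # A fresh random key; in practice it is generated once and kept with the vault.
    demo_key = secrets.token_bytes(32)
    tx, vault = pseudonymise(CUSTOMER_RECORDS, demo_key)
    print("identifiers left in transactional table:", contains_direct_identifiers(tx))
    print("subjects in vault:", len(vault))
    print("SAR for alice:", subject_access_request("Alice@Example.com", demo_key, tx and vault, tx))
```

The same token links every record for one subject, which is exactly what a subject access request needs, and it is also why the data remains personal data: whoever holds the key and the vault can reverse the mapping. Protecting those two artefacts is the real control; the transactional table on its own is only as safe as the key is secret.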

Taking these steps will inevitably require time and investment, not least in new technologies. Over two thirds of UK IT professionals expect to invest in new technologies or services in preparation for GDPR, covering areas such as encryption, analytics, perimeter security and consent management. This does not necessarily mean a company needs to rip and replace its infrastructure, nor need it be a difficult process, provided the solution chosen is flexible enough to integrate with the systems already in use.

Finally, senior management should consider appointing an experienced Data Protection Officer (DPO). GDPR makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, and regulators encourage other organisations to appoint one too. The DPO can lead the privacy and data protection aspects of the organisation's digital transformation and make sure it is protected at every level. As many companies will be competing for the same talent, it is best to start the search quickly, before the pool is exhausted.

With the consequences of infringing GDPR looming, businesses must be ready to face these challenges and prepared for this important regulation. Transparency will shape how a company functions day to day, and by forcing a business to turn itself inside out it creates the foundation for organisations to align themselves with the needs of the people who matter most: their customers.

By Simon Loopuit, CEO of trust-hub