The EU’s General Data Protection Regulation takes effect May 25, 2018, enforcing a number of data protection laws. But it’s selling the purpose of the regulation short to consider it solely as a series of constraints. It will benefit brands by providing them with an opportunity to generate value based on consumer trust that’s earned as a result of GDPR compliance. If properly conducted, this compliance process will reveal itself a strategic economic lever. So what exactly do you have to do? We’ve listed five essential requirements.
1) Accountability: keep a record of processing activities
Probably the regulation’s most important tenet is its accountability principle. It requires that companies not only take measures to protect personal data, but also prove it by keeping a record of all processing activities, detailing the reasons for each process and the security and confidentiality mechanisms in place for it.
Because the European regulation extends its provisions to all subcontractors, it’s necessary to make sure they can also prove their compliance through a similar record, regardless of their geographic location.
2) PIA: don’t put privacy at risk
For every data processing activity that potentially puts an EU citizen’s privacy at risk, an organization will have to run a “Privacy Impact Assessment” and, based on its findings, set up an action plan that brings security to the maximum level.
3) Privacy by default and by design
These two principles highlight the new cultural mind-set that the GDPR aims to instill within organizations.
On the one hand, by default, the volume of data and its storage time must always be kept to a necessary minimum. A user has to clearly understand and give his/her consent freely to any kind of data processing, thus putting an end to all passive opt-in and opt-out mechanisms. Organizations must also bring to a user’s attention any instance of automatic profiling, such as processing via cookies that help track, analyze and predict certain customer characteristics through online navigational behavior.
On the other hand, the highest level of data protection has to be built into the design of any new service or product through anonymization, pseudonymization or encryption tools.
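Pseudonymization is the simplest of the three tools named above to show in code, so here is an added example (not code from the original article or from Extens Consulting) that illustrates the “by default” and “by design” points together: an analytics job that keeps only the fields its stated purpose needs and replaces the identifier with a keyed pseudonym. The sample events, the field list and the key handling are constructed assumptions for this example. It also shows why an unkeyed hash is a weak pseudonym: anyone with a list of candidate addresses can recompute it, whereas the keyed form needs a secret that is held separately from the dataset. Keep in mind that pseudonymized data is still personal data under the GDPR as long as the key exists; only proper anonymization takes data out of scope.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: a raw customer event log as an analytics job
# might receive it. All addresses and values are invented for this example.
RAW_EVENTS = [
    {"email": "alice@example.com", "ip": "203.0.113.7", "page": "/pricing", "ms_on_page": 4200},
    {"email": "bob@example.com", "ip": "198.51.100.23", "page": "/docs", "ms_on_page": 900},
    {"email": "alice@example.com", "ip": "203.0.113.7", "page": "/checkout", "ms_on_page": 15000},
]

# Data minimisation by default: only the fields the analytics purpose needs.
# The IP address is not on this list, so it is dropped at ingestion.
FIELDS_NEEDED = ("page", "ms_on_page")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the address. Deterministic, but anyone who can
    enumerate plausible inputs can recompute it, so it is a weak pseudonym."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored apart from the dataset.
    Without the key the pseudonym cannot be recomputed from a guessed address."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise_events(events, key: bytes):
    """Privacy by design for the pipeline: replace the identifier with a keyed
    pseudonym and keep only the minimum fields. The same person still maps to
    the same 'subject' value, so per-user analytics keep working."""
    out = []
    for ev in events:
        rec = {"subject": keyed_pseudonym(ev["email"], key)}
        rec.update({f: ev[f] for f in FIELDS_NEEDED})
        out.append(rec)
    return out


def dictionary_reidentify(pseudonym: str, candidates):
    """Shows the weakness of the unkeyed scheme: given a list of candidate
    addresses, try each one and return the match, or None. Against a keyed
    pseudonym this returns None because the key is not available."""
    for c in candidates:
        if naive_pseudonym(c) == pseudonym:
            return c
    return None


def demo():
    # In practice the key lives in a secrets store with its own access control;
    # here it is generated on the spot for the demonstration.
    key = secrets.token_bytes(32)
    minimal = pseudonymise_events(RAW_EVENTS, key)
    candidates = ["alice@example.com", "bob@example.com", "carol@example.com"]
    weak = naive_pseudonym("alice@example.com")
    strong = keyed_pseudonym("alice@example.com", key)
    return {
        "records": minimal,
        "naive_reidentified_as": dictionary_reidentify(weak, candidates),
        "keyed_reidentified_as": dictionary_reidentify(strong, candidates),
    }


if __name__ == "__main__":
    result = demo()
    for rec in result["records"]:
        print(rec)
    print("naive pseudonym re-identified as:", result["naive_reidentified_as"])
    print("keyed pseudonym re-identified as:", result["keyed_reidentified_as"])
```

The design choice worth noting is the separation of duties it creates: the team running analytics holds the pseudonymized records and never sees the key, while the key custodian can re-identify a subject when a legitimate request (such as an access or erasure request) requires it. Rotating the key, or deleting it when the retention period ends, is what turns the records from pseudonymized into effectively anonymized.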
4) Bridge the IT-Legal gap
The security of your IT environment is inarguably the cornerstone of compliance. While it is imperative to invest in cybersecurity solutions, it is equally important to train all teams involved, at every level of the company, so that they use data processing tools properly, follow the new regulations and understand their legal implications. Human error can jeopardize even the most foolproof technology.
5) Appoint a Data Protection Officer
By supporting your company in its compliance action plan and educating everyone involved, the Data Protection Officer will become the true champion of sound data governance. He or she will need the necessary legal and technical skills to guarantee both legal and operational compliance, as well as act as a key liaison between your IT and legal departments. This position is compulsory for all public organizations, private organizations of more than 250 employees and for all groups that process sensitive or considerably high volumes of data.
“The collection of data is part and parcel of any customer journey,” explains Emmanuel Richard, Associate Director of Extens Consulting, a firm of Sitel Group. “By respecting these five GDPR requirements, a company will be able to deliver a honed and streamlined customer experience – one that is rid of superfluous information and truly customer-centric.”
While organizations may be worried about the looming financial sanctions, the real sanction will come from consumers’ lack of trust in companies that don’t take every possible measure to protect their personal data. There is no such thing as zero risk. However, consumers will more readily trust brands that pool all available efforts and resources to implement proper protection mechanisms and comply with the GDPR.