The GDPR impact on marketing and customer experience
“The GDPR’s second ambition is to increase people’s trust in data-collecting organizations which will, in turn, drive the digital economy and foster its growth throughout the European market."
On May 25, 2018 a new regulation covering the protection of personal data will take effect. Its enforcement will have a considerable impact on marketing projects and customer experience. But beyond that, there are high stakes involved as far as brand image is concerned. So, what are the foreseeable consequences of this regulation? And what support and resources are available to guide you through the compliance process? Here are a few key explanations…
As of May 25, 2018, businesses must comply with a new European regulation: the General Data Protection Regulation (GDPR). The general idea of the GDPR is to give people control over their personal data and provide them with the legal framework to defend their rights. With the GDPR, individuals will be able to oversee what happens to their personal information: they’ll be granted access to all their personal data processed by a company, allowed to rectify, even delete it under certain conditions or request its easy transfer to another organization.
Trust: the new currency that will widen the competitive gap
“The GDPR should not be seen as a constraint,” said Emmanuel Richard, Associate Director of Extens Consulting, a firm of Sitel Group. “Meeting compliance requirements, in fact, creates terrific opportunities for organizations to showcase their care and respect for their customers on a personal level by building a relationship based on trust.”
In his latest book, What if AI could make us more human? Arnaud de Lacoste, Co-Founder and Chief Marketing & Innovations Officer of Sitel Group, stresses the point even further: “Trust has never been as crucial to the customer experience as it is now,” said de Lacote. “But to maintain trust, they [brands] must guarantee data privacy. For major players in digital technology and AI, competitive differentiation will come down to principles such as transparency and secrecy.”
“Don’t worry about giving your customers control over their data, instead see it as an opportunity to earn their trust and in so doing strengthen and improve your brand’s image!” emphasizes Richard.
See our article: “Take a good look, because behind the GDPR compliance hides a host of opportunities!
The goal of the GDPR is twofold.
First of all, the GDPR is a legal safeguard against potential abuses related to personal data exploitation, prohibiting excessive or unjustified collection or processing throughout the whole European Union. By personal data the regulation refers to any data that directly or indirectly identifies an individual (by name, credit card number, customer number, license plate, pseudonyms, work badges, IP address, geolocation or financial information, etc.).
According to Alexandre Tessonneau, IT & Data privacy lawyer: “Data has become the oil and fuel of the 21st century. The current legal framework, based on the Computer Technology and Freedoms law of 1978, has been relatively lenient toward companies in breach. Moreover, it’s inconsistent from country to country within the EU. Although it’s based on a single legal instrument (the 1995 Directive 95/46/EC), it’s transposed and aligned according to the national laws of each member state, leading to disparities in its interpretation and application, thus hindering companies who seek to stretch their business beyond their own borders. With the GDPR, the European Parliament as legislator has finally the means to consistently enforce in every member state the same rules and regulations regarding personal data.”
Secondly, this regulation aims to facilitate the use and circulation of data within the European Union. As Alexandre Tessonneau explains, “The GDPR’s second ambition is to increase people’s trust in data-collecting organizations which will, in turn, drive the digital economy and foster its growth throughout the European market.”
This means harmonizing the regulation, whose current inconsistencies obstruct the flow of data within the EU. Outside the EU, the GDPR outlines specific mechanisms and procedures that simplify the processing and export of personal data while ensuring the adequate level of protection.
Who’s concerned? Every company and organization that process personal data.
Does this new regulation concern everyone? “Any private or public institution that is established in Europe and processes personal data is subjected to this law,” said Tessonneau. As aforementioned, the meaning of “personal data” is very broad. Similarly, “processing” covers a wide range of actions that include the collection, storage, analysis or transfer of personal data. The regulation therefore applies to both SME and multinationals. It also applies to companies located outside the EU who interact with data that belong to European citizens.
“It’s important to remember that subcontractors who interact with personal data on behalf of their corporate clients (such as SaaS solution providers or customer service support centers), are also subjected to this regulation,” adds Tessonneau. “Today, they’ve remained relatively ‘spared’ by the regulation. Once the GDPR is enforced, they’ll be held accountable by the regulator as well as by the people whose data they process for their clients. B2B contracts for outsourced services that involve personal data processing will need to include clauses that guarantee an adequate level of protection. Subcontractors will be required to assist their clients in fulfilling their obligations under the regulation.”
With the GDPR come new obligations
The regulation introduces a logic of internalizing within organizations themselves the process of compliance with data protection. Currently, compliance is reached through a number of preliminary formalities to carry out with the National Commission of Computing and Freedoms. These administrative formalities will be replaced by a principle of “accountability” to uphold through a set of new obligations, a number of which depend on specific thresholds. By May 2018, companies with more than 250 employees must keep an internal register recording all personal data processing activities (identifying, describing, tracking each and proving compliance). Subcontractors will also have to keep a similar register of all data processing activities they perform for their clients.
For public institutions or companies whose activity (1) entails the processing of a large volume of sensitive data, or (2) requires regular and systematic large-scale monitoring of people, a Data Protection Officer (DPO) will have to be appointed. This person will be a referent for all matters related to personal data.
GDPR offenders will incur massive fines: depending on the nature of the violation, it can reach 10-20 million euros or 2-4 percent of the global annual turnover, the highest amount being the one retained.
The GDPR will impact marketing and customer relations services who will need external support
Within companies, Human Resources and Marketing departments will be most impacted. Extens Consulting has decided to partner with lawyers who are experts in data privacy to guide and assist organizations in their GDPR compliance process.
“Our knowledge of our clients’ business sectors, 15+ years expertise in customer experience and project management combined with the legal expertise of our partner lawyers lead to a GDPR compliance process that runs much more smoothly and efficiently,” explains Richard.
Something Kärcher, global leader in cleaning technology, has understood and can attest to after soliciting Extens Consulting to help them with GDPR compliance.
What does this type of collaboration consist of?
- A complete audit and assessment of where the company stands followed by an action plan proposal: “This audit stage is crucial to map out all current data processing activities and carry out their legal assessment,” explains Richard, who adds: “This helps identify gaps in relation to the regulations and measure potential risks.”
- Support in implementing a plan of action to remedy these gaps: “We help our clients create and maintain the internal register of all data-related activities, we review their general conditions, cookie and privacy policies, terms for obtaining information and consent, supplier contracts as well as the legal framework for non-EU data transfers, etc.,” details Tessonneau. “But that’s not all! If it’s necessary, we can help recruit. We also conduct risk and impact studies prior to the launch of a new product or service, related to a connected object for example, or anything that could potentially compromise the privacy of an individual,” describes Richard.
For further reading, discover Extens Consulting’s White Paper: “Forget Effort, Choose Ease: take a bold approach to customer and employee experience”
 Under the accountability principle as codified in the GDPR, controllers will be required to implement appropriate technical and organizational measures to ensure and be able to demonstrate that data processing is performed in accordance with the GDPR, and review and update those measures where necessary.