The arrival of the General Data Protection Regulation (GDPR) certainly felt like an “event”. In the run-up to 25 May (the date on which the new law came into force), the pressure was on businesses to get compliant. Businesses had to ensure that their processes were updated in light of a wide range of new data protection obligations.
Many businesses are doubtless breathing a collective sigh of relief right now. The data has been mapped, the marketing lists have been cleansed and the website has been refreshed. Barring any mishaps, it’s a case of “job done” on your implementation project and GDPR fades into the memory to become one less thing to worry about.
Of course, life is rarely that simple, especially if you’re the person responsible for data protection within an organisation. The GDPR was never meant to be a one-off project. It has been designed to create a new environment: one where individuals have a much greater say in what happens to their data, and where businesses are held to a much higher level of scrutiny regarding their treatment of that data.
25 May 2018 marked the start of all of this. So what happens next? Here are our thoughts on how the GDPR is likely to affect the business landscape and on what approach you should take to stay compliant.
Your customers provide the greatest incentive for compliance
Thanks to a recent onslaught of emails seeking renewed consent for marketing, many members of the public will at least now have heard of “GDPR” even if they are yet to realise what it actually means.
As a follow-up to this, we can expect the public to become savvier with their data. What exactly does my ex-employer still hold on me? How do I transfer my buying history from one account to another? How do I get an organisation to delete my details? As data subjects become more aware of their new and enhanced rights under the GDPR, they are likely to explore how they can put those rights to work.
The UK’s Information Commissioner expects to see a significant increase in the volume of official complaints as people become more aware of their rights. And if data subjects meet a brick wall when they try to exercise these rights (e.g. if requests for access are ignored or not dealt with in a timely manner), this is where the Regulator will step in.
It’s also likely that individuals will have plenty of help and encouragement to take action against non-compliant organisations. For instance, it has been suggested that claims companies that currently specialise in recovering PPI compensation will be able to switch their business model to focus on data privacy claims with relative ease.
No business wants to be subject to regulatory intervention. The most likely trigger for such intervention will not be routine monitoring but complaints made by individuals.
So here’s the upshot for any organisation that wants to avoid falling foul of the regulator: make sure you continue to ensure that the personal data you control is safeguarded and that you are able to respond to access and other requests in a timely and thorough manner.
Building GDPR into your customer experience
A survey from last year suggested that half of consumers don’t trust businesses with their personal information. 79% said they would consider taking their business elsewhere if they believed a company wasn’t fulfilling its legal obligations around data protection.
As customers become more aware of the GDPR, data protection and privacy are likely to become more important as a determining factor when customers choose who to do business with. Increasingly, customers are likely to want reassurance that their data is in safe hands.
Here are some ways in which you can provide that reassurance:
- A self-service approach to data access. This usually entails an online portal, where customers can view their order history and (where appropriate) a summary of other categories of personal data you are processing. This lets them update their personal details as needed (the right to “data rectification”). It can also help simplify data portability where customers wish to switch supplier.
- Carefully crafted privacy policies. The GDPR requires organisations to give data subjects clear, transparent and easily understood information on the personal data you hold and how you use it. If time pressure meant that your privacy policy revision was a bit of a rush job in the run-up to 25 May, you might want to revisit it. Does the policy sound like a standard template, or does it fit in with the voice of your brand? Will it be clearly understood by your intended audience? Read up on privacy policies in our dedicated guide.
- Build privacy into your “brand promise”. You respect your customers’ privacy. You work hard to ensure data is kept safe from security threats. And you want to make it as easy as possible for customers to exercise their rights. Instead of burying this information away on privacy pages, bring it up front and centre in your marketing material and campaigns – as part of the promise of great customer service.
Creating a culture of compliance
Around three quarters of data security breaches can be traced back, one way or another, to the actions of your people. This ranges from innocent mistakes, such as exposing your data to exploitation by clicking on an infected web link, through to deliberate, unauthorised actions (e.g. the sales rep who takes a list of client email addresses when leaving for another firm).
You fully intend to remain compliant in the future. But as time passes, data governance requirements can easily be glossed over, people can become less vigilant, and good practice falls by the wayside. One of the biggest GDPR-related challenges for any company is to prevent this “compliance malaise” from setting in.
To stop this, you should work on creating a culture of compliance, whereby the various obligations set out in the GDPR are built into the way you do business. Here are two vital elements of this:
- Set out clear responsibilities and task allocation. Who’s responsible for replying to subject access requests? What should staff do if they suspect a security breach? For your organisation as a whole to remain compliant, there has to be clarity on what’s expected of people on the ground.
- Build compliance into your processes. Your new website launch, your next marketing campaign, choosing a new courier, your response to a hacking attempt from outside: all of these carry important compliance requirements. The Privacy Compliance Hub provides a complete solution to help you stay on top of all of this.
To find out how The Privacy Compliance Hub can help you meet your GDPR obligations now and in the future, take a look at our demo – or get in touch for a chat.