May 10, 2018
GDPR – challenge or opportunity?
67% of larger organizations are already taking the necessary steps to prepare for GDPR, compared to 47% of small organizations.
The new EU data privacy legislation, General Data Protection Regulation (GDPR), is expected to intensify protection for personal data, and reinforce the responsibility level for those entities who collect or process that data. The regulation applies to any organization working with personal data belonging to EU individuals, regardless of their location.
Larger organizations are already gearing up for major change in the way data will be handled. Smaller organizations are lagging behind. Let’s look at the issues.
What is Personal Data according to GDPR?
Personal data is any data that allows for the identification of an individual, whether directly or indirectly. In particular, this refers to identifiers such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Starting May 25, 2018, privacy for the individual and his fundamental right to that privacy will be at the heart of data protection. The interpretation of what comprises personal data will be expanded to ensure absolute protection while simultaneously clarifying regulatory rules for organizations that provide services and goods to the EU citizens. The new GDPR rules are harsher and more challenging, and make organizations accountable for personal data protection. Among a broad range of requirements, your organization should focus on three key points that identify the concept:
Transparency: Accountability and transparency for what kind of data you collect and how you protect it is expanded. For example, you will need the data subject’s explicit consent before collecting/processing their personal data (PD) which will be stored in secured way.
Data Rights: When delivering products and services, companies must ensure that they preserve an individual’s privacy, and give them the choice over how their data is used. For example, the data subject has the right to remove/erase all his or her PD from an organization’s database. In addition, data subjects must be given the right to access to their collected PD as well as the ability to modify it.
Data Protection: Security measures preventing unauthorized access to personal data are required. For example, organizations must ensure minimized PD exposure by design through secure data storage that includes encryption, data organization, controlled access to data applications, and mandatory reporting within 72 hours of any data breach.
So why should you care?
Studies show that GDPR has been met with a positive response from consumers and customers in general. When realizing the importance of financial aspects together with client expectations, organizations understand the benefits. It is an effective business decision to create a centralized system holding data. It elevates PD protection to a top priority in regard to legal compliance and strategic planning for companies around the world that work with European residents’ PD.
But it is not just a choice any more. Simply put, businesses are legally bound to do this and must prepare for the GDPR journey by creating a structured process to achieve this compliance.
Creating a GDPR Action Plan
Identify and Review
- Data Inventory. A data inventory consists of mapping and auditing all data processes, noting where the data is stored, and the process methodology within the organization for using it, as well as existing internal policies. Regardless of the technology stack, i.e., traditional data warehouse or Hadoop clusters, structured or unstructured data, etc., the review of what PD is stored and used across your data landscape is a must. To complete this inventory and discovery of possible exposure, as well as enforcement of enterprise-wide privacy rules, seamless access to all data sources is a precondition.
- Review. A risk and security review is vital. Your organization needs to understand the controls in place, and identify mitigation plans and their ramifications at all stages in case of data breach. It means storing data in a way that it cannot be stolen or lost or made accidentally accessible to unauthorized users. Even controlled access to data, such as the way in which, for instance, Salesforce Marketing Cloud already provides segregated data at the account level (so only designated users can access it), must be examined.
- Right to Erasure. The GDPR states that personal data can only be used with customers’ clear consent, and only for a specified purpose. Once that purpose has been fulfilled, a company must justify any reason for continuing to hold onto personal data. Therefore, it is crucial to determine what automated data can be deleted or obliterated.
Biometric Data is a particular data subject consideration. GDPR notes that protection of biometric data, e.g., a dactyloscopic (fingerprint) data or facial recognition for unlocking a phone, etc., is also now a critical component of PD protection.
Build a Unified Data Governance Structure
- Control. In order to conform to GDPR, and establish an adequate control level, all privacy rules and policies must be recorded, catalogued in detail, and shared across all lines of business in order to ensure that personal data can be accessed only by authorized users. After defining governance model roles, business terms must be validated and connected to physical data sources, and the succession (flow) of data from creation to consumption must be launched.
- Identify Data Consumers. Identify key partners and third party processors in order to handle data with exhaustive and secure measures, e.g., health insurers, payrolls are compliant, etc., and create awareness throughout the organization and among partners about the changes, adapted policies and conditions.
- Cooperation with DPO. Some businesses, depending on their core activities, e.g., hospitals, banks or insurance companies, internet service providers processing data by telephone, need to appoint or cooperate with Data Protection Officers (DPO), that is critical for those processing sensitive customer PD or biometric data.
Because of our close association, cooperation with Salesforce is pivotal for CoreValue. We are watching closely the latest steps Salesforce is taking towards Data Protection and Privacy Compliance. For example, the new Marketing Cloud release adds features to ensure that customer and vendor companies comply with GDPR. One such feature is the removal of subscribers deleted using the Contact Delete feature from Audience, in order to prevent those subscribers from being included in new audiences. This process also removes any related usage data or data in sendable data extensions. It also removes records deleted from non-sendable data extensions via the Data Extension user.
- IT and Infrastructure. The process of documenting humongous data volumes alongside its quality classification and standardization cannot be performed manually. With the proper digital tools and well-prepared resources, automation will help meet the GDPR requirements and reduce the cost of compliance.
Data Protection Techniques to Reduce Risk
Safe and secure data storage is a vital aspect in the GDPR journey. Data protection techniques applied appropriately can assist “data processors” achieve data compliance regulations and considerably reduce risks.
- Anonymization. Removal of personal attributable information from a data record is the easiest way to protect data. The data can be exported or retained, and consent issues are no longer applicable, but the process is irreversible and data subjects cannot be identified.
- Pseudonymization. Replacing identifying fields in a data record with one or more artificial identifiers, i.e., pseudonyms in the form of codes, random tokens, etc., allows for re-identification.
- Encryption. The encoding of personal attributable information in a data record minimizes the risk of cyber-security incidents during data processing. Encrypted content is unreadable for third parties without a key, making it inaccessible to unauthorized users. Encryption is also the best means to protect data during transfer and storage of personal data, such as documented personal HR benefits or dietary needs.
- Express Consent. Consent mechanisms in GDPR will change the marketing world as it is an opt-in model with evidence to be provided. Clear and express consent to process personal data under the GDPR is a priority for all organizations starting from May 25. Customers are granted the legal right to decide whether they want to share their personal data and to give consent (or opt-in) to the use of it for specific purposes. When a new customer signs up for a newsletter or opens an account, using or collecting their personal data from pre-checking a consent box is not applicable by default. For instance, geolocalization is not a vital functionality of a mobile application allowing users to edit photos. Now the data subject can consent or to refuse to consent, but will still be able to use this app.
- Requesting Additional Consent. Even when a customer has given consent for using his/her personal data, an organization can only use it for one particular reason. In a case where personal data is needed for another reason or in case of sharing it with a third party, requesting a separate permission from the consumer is obligatory. For example, if a consumer opted in to receive product offers via email, and now you’d like to track their activity across your website as well, you must get consent to do so.
The GDPR applies to the processing of personal data wholly or partly if it is part of a structured filing system. Personal data processing covers a wide range of manual and automated operations performed on personal data. These include collection, recording, storage, retrieval and other data management operations, such as payroll administration, storing IP addresses, sending promotional emails, and posting a photo of a person on a website.
Although GDPR’s new regulations enforce consistency and clarity in PD protection with enhanced personal privacy rights and increased security for personal data, it is equally important to understand the value of data as a strategic asset for business.
Advanced data management can drive business efficiency
The main benefit of the regulation is better data governance, which will in turn impact an organization’s efficiency. Since personal data is the center of advanced analytics, companies can improve analytical processes with tailored policies, optimizing operational efficiency and reducing costs. GDPR could become a digitalization catalyst for businesses as companies embrace the necessity to enhance IT capabilities in order to comply. With 21st century technology trends like big data, cloud computing, IoT data processing can become a strategy that brings value.
Achieve higher customer satisfaction
Studies show that better customer data protection can be a deciding factor in determining better customer satisfaction. Organizations can use customer data to improve their interactions, while having a more holistic insight of customer preferences. All of this leads to better accuracy and targeting.
Higher Brand Awareness
For several years now, transparency has become the fundamental value for brand awareness. When supported by a well thought-out and implemented set of rules, businesses can benefit from a more trusting and open relationship with their customers.
GDPR is an essential component in establishing data protection and an opportunity for every business to extend their commitment to customer satisfaction. CoreValue is complying with the new rules set out in the GDPR. With the delivery of our services, we are helping our clients to comply with the GDPR as well.