Imagine a scenario where one of your customers comes to you asking to see all of the information held on them by your company.
What’s more, they’re not just talking about their contact details, they mean every minute piece of data your organisation holds, from each email transaction that’s ever taken place, right down to the notes recorded by customer services reps during phone enquiries.
Now imagine you have absolutely no choice but to respond, and not only that, but you have just a month to do it. You’re probably thinking to yourself, “what a logistical nightmare that would be”.
The problem, however, is that this is exactly the kind of scenario set to become commonplace when GDPR (General Data Protection Regulation) comes into effect on May 25 2018.
Under the new rules, the rights of individuals (including both customers and employees) are being significantly enhanced, giving them far greater say over how companies manage and store their personal information.
‘Subject access requests’ like the example given above are only the tip of the iceberg. Individuals will also have the right to request for all of their data to be deleted from within the business and supply chain, as well as anything related to them that has been published online by the company.
The fact is, the vast majority of companies are extremely ill-prepared for the level of scrutiny all this will bring about. Making sure you’re properly prepared will require reimagining the mechanisms by which personal data is gathered, recorded and shared across the entire organisation – an outside-in approach to business processes and systems that puts the customer and employee at the centre.
For companies and organisations used to jealously guarding their customer data, it will mean radically changing their approach and, essentially, learning to turn themselves inside out. Those that refuse to hand over the data risk huge fines. Under the rules, infringements could be punished with fines of 20 million Euros or four percent of global revenues (whichever is larger).
With less than two years to go until the rules take effect, it’s crucial that your business starts preparing now. There are some critical steps all organisations should take as soon as possible in order to get prepared.
Firstly, implement a root and branch review of all software, systems and processes at your organisation, to ensure any subject access or erasure request can actually be met. This can’t be limited to just your IT infrastructure, but needs to include every department within the organisation – from customer operations to HR to marketing.
A thorough audit like this doesn’t have to imply that you’ll need to completely overhaul your existing IT systems, particularly if you work with the right technology partner. Companies and organisations can invest in data protection technology that can offer a holistic series of integrated solutions that are flexible enough to work alongside your existing systems.
The extra protection that organisations will need to put in place will also require a new approach to data storage. One solution that’s been widely discussed is data ‘pseudonymisation’, a process in which the identifying personal data is separated from the rest of the record and held apart, so that it can be encrypted and protected. This approach offers reassurance that the data is properly protected, while still giving you quick access to it as and when it’s needed for your business processes.
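As an added illustration (not part of the original article), the following Python sketch shows the pseudonymisation pattern described above: identifying fields are held apart under a keyed token, so a subject access request is one lookup and an erasure request removes the link. The key handling and at-rest encryption of the vault are assumed rather than shown.

```python
import hashlib
import hmac
import secrets

# Constructed example key: in production this lives in a KMS/HSM, never beside the data.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonym(key: bytes, subject_id: str) -> str:
    """Keyed, deterministic token: the same person always maps to the same token,
    but without the key the token cannot be linked back to them."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


class PseudonymisedStore:
    """Business records keep only the token; identifying fields sit in a separate vault
    (assumed here to be encrypted at rest by the storage layer, which is not shown)."""

    IDENTIFYING = ("name", "email")

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}     # token -> identifying data
        self._records = []   # token + non-identifying business data

    def ingest(self, record: dict) -> str:
        token = pseudonym(self._key, record["email"])
        self._vault[token] = {k: record[k] for k in self.IDENTIFYING}
        business = {k: v for k, v in record.items() if k not in self.IDENTIFYING}
        self._records.append({"subject": token, **business})
        return token

    def subject_access(self, email: str):
        """Everything held on one person, gathered via the token in a single lookup."""
        token = pseudonym(self._key, email)
        if token not in self._vault:
            return None
        return {"identity": self._vault[token],
                "records": [r for r in self._records if r["subject"] == token]}

    def erase(self, email: str) -> bool:
        """Erasure request: drop the identity and every record linked to it."""
        token = pseudonym(self._key, email)
        if self._vault.pop(token, None) is None:
            return False
        self._records = [r for r in self._records if r["subject"] != token]
        return True
```

Because the operational records never carry name or email, a breach of that table alone exposes tokens rather than people, which is the protection the article is pointing at.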
Separating sensitive data out like this will also raise the question of whether it’s worth keeping it at all. Many companies are sitting on worrying amounts of potentially toxic, sensitive data, which if ever subject to a breach, could have truly terrible implications for an organisation’s reputation.
It might be the case that reducing the amount of data that’s gathered is the best approach. It would certainly be more cost-effective, as continued accumulation of silos of unused personal data increases the need for encryption – with an obvious and inevitable increase in complexity.
Off the back of this initial review, an ongoing programme of activity to educate all employees on the new requirements should also be put in place. This needs to be applied wherever personal data is involved.
One very basic, but still extremely important, example is how people should be taking notes and recording information about their customers, prospects or employees. This data could easily be subject to an access request in the not-too-distant future, so companies need to make sure it’s recorded in a way that will be appropriate for external eyes, whilst also ensuring it is properly protected.
Finally, if you haven’t already got one, think about employing an experienced Data Protection Officer (DPO), something regulators are already pushing for. The DPO will be able to help lead the privacy and data protection aspects of your organisation’s digital transformation and make sure it’s protected at every level. However, start hunting for an appropriate individual quickly before the talent pool is exhausted. You likely won’t be the only company racing to find the right DPO.
Taking these steps will inevitably require a lot of time and investment, something many organisations are still blissfully unaware of. But companies cannot afford to ignore the new regulatory landscape and all the challenges it’s set to bring. GDPR is coming – get ready for it to turn your business inside out.
By Simon Loopuit, CEO of trust-hub