GDPR business implications: How to adapt to the EU's new privacy regulation
This article was originally posted on LinkedIn and written jointly by José Manuel Valdés (CEO of BB2B, an advisory firm that specialises in privacy regulations and their implementation) and Jordi Marca (CEO of Gotoclient, a marketing agency that serves multinational brands in the Southern European markets).
The goal of this article is to serve as a cheat sheet for EMEA Marketing Directors, VPs of Marketing, CEOs and, in general, anyone working in marketing and/or sales who should be concerned by the implications of the new General Data Protection Regulation (GDPR, Regulation EU 2016/679).
There will be a great shift in 2018, when, on May 25th, the new GDPR will apply. It will affect any processing of personal data belonging to EU citizens and will apply not only to data stored in the EU, but also to data stored outside it.
Before explaining what to do, let us start with why truly adapting to it will be important. The EU is getting very serious about privacy. From 2018, fines will go up to 4% of global revenue. So, for example, if your business in Europe brings you a revenue of 200Mio Euros, but your global revenue is 1B, you might potentially be exposed to fines of up to 40Mio (4% of 1B), which amounts to 20% of your European revenue. So let's talk GDPR business implications.
1.- Change your mindset: the EU is now asking you to be proactive. Ask yourself the right questions
The first thing to understand is that the EU is now asking data managers to be proactive and to forget about the old-school approach. Think about it this way. The question is no longer 'is this legal?'. The questions you should now be asking yourself are the following:
‘What should I do to protect individual data?’
‘Am I doing the right thing to protect individual data?’
‘Could I do more to protect individual data?’
2.- Become 100% citizen-centric
Your consumer is, first and foremost, a citizen. Citizens are empowered by the new GDPR. The basis of the GDPR is crystal clear: 'Everyone has the right to the protection of personal data'. Therefore companies should empower the citizen, giving them the tools for transparent data management.
As is already possible in some countries like Sweden, in the future citizens will be able to make key decisions about their data, such as deciding which doctor can access it and which cannot. For companies, one implication will be for company groups, for instance, that a citizen will be able to decide which company has the right to hold their data and which does not. Obviously this will imply process adaptations.
One way to protect the citizen is to anonymise them in your internal processes. For instance, a best practice is to assign an ID, anonymise the personal data in your internal processes, and use personal information only when it is truly needed.
Big Data processes deserve a special note. Companies will not be able to segment so sharply that it becomes possible to identify individuals. Somehow Big Data will have to remain big.
New citizens' rights will come into force. On the one side, the right to be forgotten, which includes the obligation to erase the citizen's Internet footprint. On the other side, data migration appears as well: we will be obliged to hand off data from one company to another free of charge when a citizen requests it. Finally, the right to object to mass automated processing (a very controversial one from a marketing perspective), which will not allow decisions to be taken solely on the basis of automated processes. For instance, it will not be possible to approve or reject a credit application based exclusively on ratings. A human decision will have to take place.
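The ID-based approach from point 2 and the erasure and portability rights above, as an added example (not code from the article or from BB2B/Gotoclient): internal systems keep only a random pseudonym, a separately protected vault holds the one link back to the person and releases it only for an assumed, consented purpose, and erasing that link turns the pseudonymous records into anonymous ones while an export bundles what is held for hand-off to another company.

```python
import hmac, hashlib, secrets

# Assumed purposes the citizen gave a separate consent for (constructed example values)
ALLOWED_PURPOSES = {"warranty", "post-sales support"}


class PseudonymVault:
    """The only place that links a pseudonym to a real person. Internal
    processes (CRM exports, analytics, campaigns) work on the pseudonym alone."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # the email index is useless without the vault key
        self._people = {}                    # pseudonym -> personal data
        self._by_email = {}                  # keyed hash of email -> pseudonym

    def _tag(self, email):
        # keyed hash, so the index cannot be rebuilt from a list of known emails
        return hmac.new(self._key, email.strip().lower().encode(), hashlib.sha256).hexdigest()

    def register(self, name, email):
        """Return a stable pseudonym for this citizen, creating one on first sight."""
        tag = self._tag(email)
        if tag not in self._by_email:
            pid = secrets.token_hex(8)       # random, so it reveals nothing about the person
            self._by_email[tag] = pid
            self._people[pid] = {"name": name, "email": email}
        return self._by_email[tag]

    def reidentify(self, pid, purpose):
        """Release personal data only for a purpose covered by consent."""
        if purpose not in ALLOWED_PURPOSES:
            raise PermissionError(f"no consent covers purpose {purpose!r}")
        return dict(self._people[pid])

    def erase(self, pid):
        """Right to be forgotten: drop the link, so records keyed by pid become anonymous."""
        person = self._people.pop(pid, None)
        if person is None:
            return False
        del self._by_email[self._tag(person["email"])]
        return True

    def portable_export(self, pid, internal_records):
        """Data migration: everything held on pid, in a form another company can ingest."""
        return {"person": dict(self._people[pid]),
                "records": list(internal_records.get(pid, []))}
```

After `erase`, the order history keyed by the old pseudonym can stay for accounting or aggregate statistics because nothing links it to a person any more, and a returning citizen gets a fresh pseudonym.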
3.- Change your operations: the EU is now asking you to strongly integrate data privacy into your operations.
Every company processing individual data will have to put the right operations in place. Data privacy management can no longer be a one-off or occasional exercise. It has to be integrated into your daily operations.
This is where the concept of privacy by design appears. It will become a must to be able to prevent data misuse at any time and at any level. This will apply to the whole data lifecycle. In short, privacy by design comes before the definition of processes and not after it, as your default operational basis. Privacy by design was created in Ontario by Ann Cavoukian back in the 90s and is now being reinvigorated.
Another interesting factor is that companies responsible for data processing (for instance, marketing agencies) and companies that use that data (for instance, those agencies' clients) will share responsibilities. Every company will have the obligation to make sure its collaborating companies are GDPR compliant. This means that specific GDPR compliance contracts will have to be signed between companies and, more importantly, the data processing chain will have to be visible to everyone. Brands, for instance, will not only have to sign GDPR contracts with their agencies; they will also need to know which providers those agencies employ and make sure those are compliant too. Contractor companies will have the obligation to notify their clients when employing new providers. Certifications will appear and will make this aspect easier, building on those already existing in the ecommerce market (such as TRUSTe or EuroPriSe).
Lastly, many EU countries have paperwork or additional legal requirements that will no longer be necessary. For instance, in Spain there is (until the GDPR applies in 2018) an obligation to register databases in the central register of databases of the Spanish Data Protection Agency. This will no longer be necessary.
4.- Get transparent
One key piece of advice here is to be clear about your goals and why you will use personal data. Consent will have to be given on a crystal clear basis (tacit consent will disappear) and separately for each goal. For instance, if you collect personal data to carry out your basic client operations (warranty or post-sales support, for instance), you will need one consent explaining the reason for collecting the data (in this case, to be able to contact the consumer later). If you collect personal data to inform people about your products or services, you must obtain a separate consent, which cannot be compulsory (you cannot have a form that cannot be submitted unless the box is ticked).
5.- Carefully recruit or nominate your DPO
Your Data Privacy Officer (DPO) is the key role in terms of privacy in your organization. This professional will have to report to the highest possible level and must have the appropriate resources. Whether this is an internal or external role, it is key that the organization takes it very seriously. Signs of seriousness should include independence (the DPO should not have professional interests opposed to the citizen's interests; nominating someone from marketing, for instance, would be a bad idea), internal capacity (the DPO should operate within a pre-set framework that ensures this professional is truly listened to) and preparation (the DPO should be a senior person; nominating a professional in the early stages of their career would be a bad approach too).
6.- Define your privacy strategy
Some of the strategy issues have already been mentioned, for instance that your DPO will be a key part of it, or that you have to have the right processes in place.
However, defining a rock-solid strategy has to go far beyond these two elements. Starting with your strategy goals seems a good idea. The first and foremost goal should be protecting EU citizens. Then, some suggestions might include raising your brand's profile so it is known for its respect for privacy, or protecting your organization against privacy bad practices and, ultimately, the risk of fines. We would suggest that, within your processes, you put in place evidence retention, periodic Privacy Impact Assessments (PIAs, which include risk analysis) and state-of-the-art reports.
Finally, it is obvious that the GDPR represents a huge leap in terms of company behaviour. It obviously raises issues in terms of legal certainty and company protection. In fact, we will need to wait for some court rulings to create precedent. What we know now, and what should be strongly realised, is that the European Commission encourages companies to understand the importance of data protection and asks them to raise the bar.