By Duncan Hendy
We are on the brink of a mega shake-up of data privacy rules – one that has caused a tsunami of stress and panic among businesses and organisations, all struggling to become compliant with the new General Data Protection Regulation in time for its May 25th deadline. GDPR will bite – very soon and very hard, but although there are plenty of negatives to be aware of, there are also many positives, says Duncan Hendy, citing an enhanced customer relationship as the ultimate reason for ensuring your database is squeaky-GDPR-clean.
GDPR takes effect this month and, if you’re not ready, your company could be getting into hot water — very, very hot water! Companies of all sizes worldwide have been preparing themselves for the biggest shake-up of personal data privacy rules since the internet was born. If you’ve got a spare €20m (or 4% of global annual turnover, whichever is higher) to spend on GDPR noncompliance, then there’s no reason to panic. If not . . . it’s about time you did.
The Breach Level Index recently released by Gemalto revealed that the number of records stolen, lost or exposed worldwide in 2017 soared 88% in one year to 2.6 billion. The year saw 1,765 data breaches, of which 69% were identity theft.
Telecommunications company TalkTalk’s £400,000 (roughly €460,000) fine in 2016 for security flaws that allowed hackers access to customer data would potentially be an eye-watering £59m post-GDPR.
According to the GDPR powers-that-be, we’ve had two years to get ready, and the deadline of May 25, 2018 is absolute.
If this doesn’t scare you, it should.
The death of data-driven marketing?
Regardless of location, companies must become proactive in developing provably compliant procedures for handling EU customers’ personal data and be able to respond promptly when individuals exercise their rights.
In case you’ve been sleeping for the past two years, here’s what you’ve missed. Where you rely on consent as your lawful basis, it must be freely given, specific, informed and unambiguous, and obtained for each specific use of an individual’s data; a verified double opt-in is the safest way to collect it and to prove it later. Consents already sitting in your database only survive if they were collected to that standard, so the rest of your list must be re-permissioned or dropped. When an individual asks to see what information you hold, to have it corrected, to restrict or object to your use of it, to have it sent to themselves or a third party, or to have it erased from every part of the organisation, you must comply without undue delay and within one month (extendable by a further two months for complex or numerous requests). Separately, a personal data breach must be reported to the supervisory authority within 72 hours of your becoming aware of it, and the affected individuals must be told without undue delay where the risk to them is high.
In short: not quite the death of marketing as we know it, but another series of hoops that marketers must jump through.
GDPR compliance: the new business swear word
Compliance will likely mean a complete overhaul of your current systems and processes to ensure the individual is back in charge of their own data. And, because responsibility for protecting it is shared with the third parties who process data on your behalf (hosting providers, cloud service providers, data processing firms), you remain accountable as the controller for their noncompliance and must have a written contract with each processor that meets the regulation’s requirements.
A survey conducted by Alert Logic found that 32% of EU-based companies expect significant changes to their security practices and technologies, the biggest challenges to compliance being lack of budget (50%), lack of in-house IT expertise (48%) and limited understanding of the regulations (37%).
A Pulse Survey into the GDPR preparedness of companies (July 2017) found that despite 93% of companies having started preparations, 36% of them only started mid-2017, and only 11% were actually ready. Of those compliant, 88% spent more than $1 million, of which 40% spent in excess of $10 million.
Those ready ahead of time are already using the fact as a differentiator, highlighting early compliance to help drive a competitive advantage. The 89% still not ready risk regulator fines, litigation costs and lost opportunities in Europe.
Flybe (airline) was fined £70,000 in August 2016 for (presumably accidentally) sending an email to their opted-out 3.3 million-strong database about whether their details were correct.
JD Wetherspoon (pub company) took the unprecedented step of deleting their entire email marketing database of more than 650,000 email addresses. Scary, but safe.
Despite Symantec’s State of European Privacy Report finding that only 14% of businesses believe everyone in the organisation is responsible for ensuring the protection of data, GDPR is a companywide issue and it’s got to be all heads in gear and all hands on deck.
Is your CMS GDPR ready? You’re going to need all the help you can get
Your content management system (CMS) is an essential component of your GDPR success, so it’s important that it itself is GDPR ready and actively assists you in all compliance-related matters.
It should be able to handle multiple purpose-specific consents for each user and bind them to related features and modules, automatically recognising whether consent for a current activity has been obtained.
It should also simplify life with easy double opt-in validation models that automatically send verification emails and validate consent. As the GDPR requirements of each company will be unique, your CMS should be completely customisable to your specific consent and management needs.
It should store all personal data in one place (preferably its own CRM) and enable quick access for those in your company who need to respond to individuals’ update requests. A complete history of consent should also be easily available for proof when required. When a user wishes to see the information you hold about them or share it with a third party, your CMS should enable you to export and send it to them in a structured, commonly used and machine-readable format, as the regulation requires.
When a user invokes their ‘right to be forgotten’, your software should not only make this simple, but also be able to recognise which information (if any) is exempt. It should send and log notifications to all relevant third parties to inform them of the deletion request. According to Symantec, 60% of businesses do not have the systems in place to respond to such requests.
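The consent and subject-rights mechanics described above (purpose-specific consent, double opt-in verification, a consent history for proof, machine-readable export, and erasure that spares exempt data and notifies processors) are easier to reason about as a data model. The following is an added illustration in Python, not Kentico code or any CMS’s actual API. The purpose names, the “invoices” exempt category, the processor names and the 48-hour link validity are constructed for the example.

```python
"""Purpose-specific consent ledger with double opt-in, export and erasure.

Added illustration, not a product's code. PURPOSES, EXEMPT_CATEGORIES,
processor names and the default token lifetime are assumptions for the example.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PURPOSES = {"newsletter", "product_updates", "analytics"}
# Assumption: data the controller must keep under another legal obligation
# (e.g. invoices retained for tax law) survives an erasure request.
EXEMPT_CATEGORIES = {"invoices"}


def utcnow():
    return datetime.now(timezone.utc)


class ConsentStore:
    def __init__(self, secret, token_ttl_seconds=48 * 3600):
        self._secret = secret             # key for hashing pending tokens
        self._ttl = token_ttl_seconds     # how long a verification link is valid
        self._pending = {}                # token hash -> (subject, purpose, issued_at)
        self._consents = {}               # subject -> {purpose: {granted_at, withdrawn_at}}
        self._profiles = {}               # subject -> {category: data}
        self._audit = []                  # append-only evidence trail

    def _hash(self, token):
        # Store only an HMAC of the token: a leaked pending table cannot be replayed.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def _log(self, event, subject, **details):
        self._audit.append({"ts": utcnow().isoformat(), "event": event,
                            "subject": subject, **details})

    def set_profile(self, subject, data):
        self._profiles[subject] = dict(data)

    def profile(self, subject):
        return dict(self._profiles.get(subject, {}))

    # --- double opt-in ---------------------------------------------------
    def request_consent(self, subject, purpose, now=None):
        """Step 1: issue a single-use token to embed in the verification email."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = (subject, purpose, now or utcnow())
        self._log("consent_requested", subject, purpose=purpose)
        return token

    def confirm_consent(self, token, now=None):
        """Step 2: the subject follows the link; token must be unused and unexpired."""
        entry = self._pending.pop(self._hash(token), None)   # pop => single use
        if entry is None:
            return False
        subject, purpose, issued = entry
        now = now or utcnow()
        if (now - issued).total_seconds() > self._ttl:
            self._log("consent_token_expired", subject, purpose=purpose)
            return False
        self._consents.setdefault(subject, {})[purpose] = {
            "granted_at": now.isoformat(), "withdrawn_at": None}
        self._log("consent_granted", subject, purpose=purpose)
        return True

    def has_consent(self, subject, purpose):
        """The check a feature runs before using data for this purpose."""
        rec = self._consents.get(subject, {}).get(purpose)
        return rec is not None and rec["withdrawn_at"] is None

    def withdraw(self, subject, purpose, now=None):
        rec = self._consents.get(subject, {}).get(purpose)
        if rec and rec["withdrawn_at"] is None:
            rec["withdrawn_at"] = (now or utcnow()).isoformat()
            self._log("consent_withdrawn", subject, purpose=purpose)

    # --- subject rights --------------------------------------------------
    def export(self, subject):
        """Access / portability: everything held on the subject, as plain data
        that serialises straight to JSON."""
        return {
            "subject": subject,
            "profile": self._profiles.get(subject, {}),
            "consents": self._consents.get(subject, {}),
            "history": [e for e in self._audit if e["subject"] == subject],
        }

    def erase(self, subject, processors=(), notify=None):
        """Erasure: drop non-exempt data, withdraw consents, inform processors."""
        prof = self._profiles.get(subject, {})
        retained = sorted(c for c in prof if c in EXEMPT_CATEGORIES)
        self._profiles[subject] = {c: prof[c] for c in retained}
        for purpose in list(self._consents.get(subject, {})):
            self.withdraw(subject, purpose)
        notified = []
        for p in processors:
            if notify:
                notify(p, subject)    # e.g. an API call to the processor
            notified.append(p)
            self._log("erasure_forwarded", subject, processor=p)
        self._log("erasure_completed", subject, retained=retained)
        return {"retained": retained, "notified": notified}
```

Two design choices worth noting. The pending-token table holds only an HMAC of each token, so a database leak does not let an attacker confirm consent on someone’s behalf, and `pop` makes every link single-use. After erasure the audit log still records that the request was received and forwarded (a design assumption here, so the organisation can later show it handled the request), while the profile keeps only the categories listed as exempt.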
Data flow mapping will be important in getting a clear view of your privacy risks, and workflow capabilities will be indispensable in managing the extensive related documentation. Reporting features that outline what data is where will also prove invaluable as your opted-in database grows. So will control over who can access it: your CMS should offer granular user permission management backed by strong user authentication and access tracking.
And if you really haven’t started yet . . . consider cloud-based solutions which get you moving faster.
GDPR will bite – but is it all doom and gloom?
Though May 25 feels like an impending marketing apocalypse, GDPR compliance can bring some surprising benefits to your company, its processes and your users.
Companies are likely to have to change how they operate, which can drastically improve data management, company systems and internal processes. Communication between departments is likely to improve. Better co-operation between Marketing and Sales can mean a better customer experience and deals closed sooner.
Getting people on your database to re-consent won’t be fun or easy, but spring-cleaning never is. However, the result is a breath of fresh air. Although you’ll have less data to work with, the data you do hold will be more reliable and relevant. You can reap greater value from your smaller audience as they are already listening and can be turned more easily into quality leads, with higher click-through rates and increased sales.
And, of course, the most important part of GDPR compliance: respect for your customer’s personal information and responsible handling of their data breeds trust. You can’t buy trust — even if you have that extra €20m to spend!
If you’re scared half to death about the scale of changes that have to happen in your organisation and the size of the penalty for noncompliance, it’s not misplaced. But focus on why this whole thing came about in the first place; the customer wishes it. And you know that a happy customer is a happy business. Put their interests at the heart of your efforts, get your systems in order and you’ve nothing to fear – a bit of hard work now will avoid a nasty GDPR bite later.
DISCLAIMER: All data and information provided in this article are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.
Author: Duncan Hendy
Content strategy manager at Kentico Software | www.kentico.com
Originally from the UK, Duncan Hendy is content strategy manager at Kentico Software in Brno, the Czech Republic. When not working, he composes classical music, including for the Brno Filharmonie for Mendel: The Legacy, broadcast in 19 countries. He is also the author of several books.