Is GDPR The New Standard?

Forbes New York Business Council
POST WRITTEN BY
Oksana Sokolovsky


The General Data Protection Regulation (GDPR) is now in force. Regardless of where you live, you’ve probably received your fair share of emails from companies telling you how they’re going to comply with the new regulation and, most likely, asking for your permission to continue using the information they’ve collected about you over the years. Even the Rolling Stones and Cher have sent out messages to their mailing lists.

If you’re a vendor who’s been collecting information about your customers over the years, the immediate challenge may be more than a mere nuisance. The last thing you need is regulators showing up at your front door, demanding to know if and how you’re in compliance with the rules.

It doesn’t matter where you’re based; companies around the world have to comply with GDPR’s rules because virtually every firm of any size has customers or employees in EU countries. Even American and Asian firms are trying to ensure they’re complying with the new European requirements, in addition to established privacy and compliance rules such as HIPAA and Sarbanes-Oxley. This is true regardless of vertical industry. Companies in the financial services, utilities, retail, transportation, insurance, health care and manufacturing industries are all affected.

Many U.S.-based firms have decided to comply with GDPR, even for their American customers; it’s easier to implement one set of privacy rules worldwide, rather than set up geographically based rules. It frees them from any worry about customers who may slip through the cracks, leaving them open to potential violations.

Too many firms see GDPR as potentially penalizing them. In contrast, you can involve leaders throughout your organization, from the chief data officer (CDO) to the data governance team, and urge them to think of GDPR as an opportunity that can pay dividends to those who actively embrace its goals. For instance:

• You should regard GDPR as a strategic enabler for your firm, instead of merely foisting it off on your IT staff as another problem to solve.

• You may decide it’s more trouble to keep all of the data currently under your control. As part of your GDPR compliance, you can think of this as a chance to really focus on the customers that mean the most to your business. Engage with them, ask for permission to keep their data and keep the conversation going with them.

• Once customers give permission to use their data, dig in to understand them. These are the people and companies that truly want to hear from you. Don’t let them down. The flip side, of course, is that GDPR will require you to be far more solicitous and understanding of your customers. If they don’t perceive value from maintaining a relationship with you, they’ll be quick to click the “delete” button.

Even those opportunities may represent a significant challenge to companies. The data that firms collect resides worldwide, in multiple locations. CDOs need to ensure the data they’re charged with safeguarding has been accounted for in all its forms, regardless of where it is stored. The data under your stewardship will continue to grow, along with your business. If you expand into new locations, you’ll be responsible for expanding your monitoring efforts for the data these sites generate.

This gives rise to another potential challenge: ensuring that you have a firm handle on where multiple copies of the same data are located throughout your firm. You may delete a customer’s personal information from your servers in London, but if a copy exists on another server in New York, you’re violating GDPR rules and are open to penalty. Discovering where all of your data resides is key to your future compliance and success.

So, how can companies ensure they are doing their best to meet the regulations?

• Regardless of where you’re located, appoint a chief data officer with the authority to do a deep dive into your company’s data. The CDO should be able to determine where the data exists, in what forms and what policies and procedures are being implemented to comply with all of the regulations.

• Continually monitor the regulations. Britain has implemented an upgraded Data Protection Act — its version of GDPR — that will be in force even after Brexit. In several respects, it’s even more all-encompassing than GDPR. And that’s the point: Expect that the authorities will strengthen the rules over time as they deem necessary. Compliance today does not automatically mean compliance tomorrow.

• Implement new technologies to help you get a handle on your data. You want to be able to track down where the data resides and help ensure the rules that govern its use are accurate and are being consistently deployed.

Put another way, which even the Rolling Stones would appreciate, companies that aggressively embrace GDPR will succeed in the long run. They will be able to state with total confidence that “Time is on My Side.”
