Will GDPR Redefine the Paradigms of Data-driven Marketing?
2018-05-23 | FMI | Technology
Implementation will not be easy. Or simple. Only one thing will matter – data privacy over data processing.
In less than 24 hours, the dynamics of mass consumer data collection will undergo a sea change. The General Data Protection Regulation (GDPR) – likely to come into effect on May 25 in the European Union – will dictate rules pertaining to corporate access to private consumer data, placing companies involved in the process of data gathering under the legal scanner. GDPR takes the mantle forward from the Data Protection Directive implemented in 1995 and regulates the export of data outside the European Union (EU) and the European Economic Area (EEA).
While this law specifically addresses data privacy concerns within the EU and the EEA, the ramifications will obviously cross European borders, hugely impacting companies engaged in the business of data processing and analysis. What this means for data corporations in general – and research companies in particular – is that the consumer will now dictate terms on how critical personal data moves from one touch point to another, including whether it should move at all.
Taking Data Privacy to a Whole New Level
When GDPR comes into force, the consumer will become more powerful than ever before. Companies that ship tons of consumer data across the globe will now have to put stringent regulations in place to safeguard their businesses from the legal aftermath of GDPR non-compliance. The regulation dictates “express and freely given consumer consent” in the dissemination of any data and/or information pertaining to the individual, to companies requiring this data for further processing and analysis. Data analytics and market research companies will need to ensure 100% GDPR readiness if they wish to conduct their business in a smooth manner.
GDPR Compliance: What Companies Need to Know
May 25 is the official deadline for companies to register 100% GDPR compliance. Failure to abide by the norms prescribed by the GDPR can result in pecuniary penalties to the tune of Euro 10 Million or 4% of the non-compliant organization’s annual turnover, whichever is higher. The consequences of a data breach are even more severe – a penalty of Euro 20 Million or 4% of the non-compliant organization’s annual turnover, whichever is higher. To ensure full compliance, corporations handling consumer data on a large scale on a daily basis need to deploy robust internal processes to ensure end-to-end security of data gathered from multiple channels. This means giving the consumer full control to access what personal data is being collected. Taking this one level deeper, GDPR mandates companies to provide an option to consumers to “opt out” from providing any such private information, which they are not willing to share publicly.
Are Organizations Really Ready for Compliance?
With the deadline for GDPR implementation looming large, companies are scrambling to build a foolproof plan to ensure total compliance. If recent reports are to be believed, neither the companies nor the regulators are fully ready for the implementation. Even though social networking giant Facebook has recently announced 100% readiness by May 25, it is just one of a handful of companies globally that are ready for GDPR implementation at full throttle.
The main implementation concern rests on the mandatory requirement of “data subject access request” – wherein the regulation gives full rights to consumers to demand access for reviewing their personal information gathered by companies. And considering the extent of proliferation of data across the world, facilitating data review requests is not something companies are going to be able to manage easily. Then again, another GDPR law pertaining to data breach notification is likely to make companies extremely nervous. The regulation requires any data breach to be notified to the concerned data protection authority within 72 hours of detection. Failure to adhere to these two main mandates can result in companies being subject to strict legal action.
Creating a Plan of Action for GDPR Preparedness
At the very basic level, GDPR implementation entails the following key components every company has to incorporate into its data management protocol:
- Data consent: Companies should obtain express consumer consent before processing or transmitting personal data
- Data access rights: Companies will be obligated to share personal data with consumers in a prescribed format (electronic) free of charge
- Data breach notification: Companies should inform the Data Supervisory Authority of any breach that is likely to impinge on consumer rights within 72 hours of identification of the breach
- Data deletion (right to data erasure): Companies are bound under this law to delete any such incorrect or incomplete data as specifically instructed by the consumer
- Data privacy: Companies need to adhere to stringent norms to ensure 100% protection of the consumer data at their disposal. Only minimal personal data as is required by the company to carry out its operations should be processed
- Data protection officer: Every company should appoint a dedicated data protection officer to closely monitor adherence to the regulations prescribed by the GDPR and maintain records of all company operations involving the gathering and dissemination of consumer data
Data governance can help companies tackle the compliance factor by incorporating critical best practices in the management of the consumer data they process on a daily basis. Organizations that are already taking the necessary measures to ensure the privacy of their consumer data will be in an advantageous position when GDPR officially kicks in on May 25. While the debate on the effectiveness of this implementation continues to be a discussion point among certain industry groups, one thing is clear – no organization can escape this regulation once it comes into effect. True to its name, the primary goal of GDPR is to protect the privacy of the consumer, and the sooner companies take cognizance of this fact, the better it would be for them to carry out consumer-friendly data mining activities.