Clearly, the folks in Tech had a lot to look forward to the last weekend. I wish I could say it was just the long Memorial Day weekend, but No. The regulatory requirement for companies doing business in the EU, called GDPR, just went live on Friday, May 25th. As the dust settles with companies setting in place processes, I thought I’d share my thoughts on this topic of the moment.
Why is it so important to be prepared for GDPR compliance?
The simplest way to look at this — Up to 20M Euro (or 4% of annual global revenue turnover) in penalties is reason enough to be prepared for GDPR compliance. I have even seen some discussion of possible bug bounties within companies to help proactively detect non-compliance processes and technologies.
No matter what your view is on this regulation, this is the reality of digital economy we are in today. Let’s not think of GDPR as something that is only pertinent to EU — this is an initiative every company who aspires to be a digital business must address — now or very very soon.
What responsibilities will companies have under this new regulation?
As SAP is getting ready for our major customer event, SAPPHIRE NOW in one week, at Orlando, I for one am very glad that SAP has chosen to implement extreme rigor to look at every single business processes and technology used in the event that related to capture, usage, and integration of personal data & attendee interests at the events.
While there are a lot of responsibilities that companies will have to comply with GDPR, here’s what I think the top three are in my opinion,
Valid and Verifiable Consents — At a very granular and time-bound level, in plain language, with right to revoke.
Data Protection by Design and Default — Only personal data that is required for that specific purpose will be processed.
Data Protection Impact Assessment (DPIA) — mandatory for companies to identify, understand, and mitigate any risks when developing new solutions or activities that involve the processing of customer data, such as data analytics and all data-driven applications, including BI, data warehouses, data lakes, and marketing applications.
Source: GDPR Coalition
What are the implications of GDPR? What kind of business data does is it applicable for?
According to a blog post by CSO, the types of data that GDPR attempts to protect are:
· Basic identity information such as name, address and ID numbers
· Web data such as location, IP address, cookie data and RFID tags
· Health and genetic data
· Biometric data
· Racial or ethnic data
· Political opinions
· Sexual orientation
What rights will individuals have under GDPR?
The individuals, both citizens and otherwise, who reside within the European Union are entitled to the following rights, when it comes to the protection and privacy of their data,
- The Right to be Informed — Complete transparency from the company with details on how they are using an individual’s personal data
- The Right of Access — Individuals must have access to information on what information about them is stored and how it will be processed
- The Right to Rectification — The company must rectify inaccurate or incorrect personal data within one month of the individual’s request
- The Right to be Forgotten — The company must comply with the individual’s request to have all of their personal data deleted, without the need for a specific reason, at any time
- The Right to Restrict Processing — The individual has the right to block or suppress a company from processing his/her personal data
- The Right to Data Portability — Provides the right of safely and securely copy, move or transfer their personal data from one IT environment to another
- The Right to Object — Individuals have the right to object to their personal data being used for the purpose of direct marketing, scientific and historical research, etc.
- Rights relating to Automated Decision Making and Profiling — Individuals can object becoming a subject to a decision made based on automated processing or their personal attributes, especially if it has a legal implication on them
Source: GDPR Coalition
Does being GDPR-compliant provide any benefit to the company?
I understand that most companies seem to think that becoming GDPR-compliant is a painfully expensive and time-consuming process. However, there are quite a few advantages to GDPR in the long run for companies.
The three key advantages are,
- Raise Our Business Reputation from the Masses & Increase Customer Loyalty
It is time we in the business world to figure out how to do digital business with digital responsibility. This is smart business and will help differentiate our brand the better we are at it. Businesses these days are global (digital businesses are just faster and more automated), and management of privacy, data security, protection, consent should be part of our digital fabric we design into the business processes and models, and not afterthoughts.
GDPR is just a forcing factor towards giving people more control over their data — such as usage of it, time duration of its use, and notification of breaches when it occurs, within 72 hours. We can all see the negative impact of another Cambridge Analytica or government entities that abuse and misuse personal data. And these are clear hurdles in the digital economies that must be addressed to foster faster and better business growth.
2. Better Decision Making, Better ROI on Data projects, and Better Personalized Services for Customers
With GDPR, data will become more consolidated and accurate. Redundant, Obsolete, Trivial Data can/should be eliminated. Additionally, given the requirement to receive explicit consent before use, and the need to delete some data after certain time or purpose being met, I hope we see big ROI improvement for Data Analytics projects going forward, as opposed to 70%+ of Hadoop data lakes are still disconnected from business processes and failed in its promised business value, according to many analyst firms.
Also, as both company and customers are more clear on how the data would be used, this should also help identify areas where customer needs are not met and businesses can take much proactive and personalized action to deepen their customer experience & loyalty.
3. Reduced IT Maintenance Costs
Another side of accurate data maintenance and customer consent is the opportunity to reduce IT costs further by retiring any legacy data software and/or applications that are no longer relevant nor compliant. You can keep them in archive and save the on-going operational costs.