The General Data Protection Regulation (GDPR) is a hot topic. Going into effect May 25, 2018 in the European Union, the regulation will greatly change the way companies must handle the personal data they collect. In May, consumers will have substantial and powerful control over how organizations collect and use information about them, with potentially massive penalties for violation. The severity of this regulation should not be ignored or taken lightly for any brand, including US brands with a global footprint.
What is it exactly?
The GDPR replaces the Data Protection Directive and as a “Regulation” rather than a “Directive” the GDPR creates a single overarching set of rules to be implemented by all EU member states. The GDPR gives consumers the right to access and change the way companies are collecting data about them. The major components are:
- Right of Data Access and Right to Data Portability: When asked, a company must be able to confirm whether it is collecting personal data and provide that data to the consumer for viewing and/or in a portable format.
- Right to Data Rectification: A consumer may request the rectification of inaccurate or incomplete data.
- Right to be Forgotten: A brand must be able to quickly forget a consumer and confirm that data has been forgotten and will not be processed any longer.
- Right to Restrict Processing: A consumer can ask to have processing of their data halted.
- Right to Withdraw Consent: A consumer has the right to request only specific forms of contact from a brand - and can withdraw consent if it has previously been given.
So, how can you prepare?
The first step is to identify how and where personal data is collected and used. Personal Data often resides in multiple silos, such as your data warehouse, transaction data from POS systems, web and ecommerce activity and transactions, etc. It is also important to recognize how these systems share data with other systems and/or partners.
Spread awareness. The more aware your entire organization is of the GDPR, the easier it will be to have a combined and well-executed plan of attack. There’s a good chance that Personal Data is spread throughout many systems and may create an incomplete picture of each customer. As a result, it will take time to unify all data you’ve collected about each customer. This may spread through multiple departments who separately collect data about customers: for example - customer service representatives may have different information about the same customer as the loyalty and marketing teams.
Designate a data protection officer. Determine if the GDPR requires that your organization assign someone (or a team of people) the role of a Data Protection Officer. It is important to have this role to take responsibility to ensure your organization is prepared and executing a plan to be ready for the GDPR and for implementing a sound, lasting privacy program.
Unify customer data in one place for quick access. Customer data platforms (CDP) are in the hype phase - and for good reason. A CDP allows you to continue using systems you already have -- ecommerce platform, social tools, data warehouses, email service providers, point of sale systems -- by fitting into your current tech stack and acting as one central place where this data lives. When all information you’ve collected about a customer lives in one 360 degree profile, handling data privacy related requests becomes a manageable and documented process. The SessionM Platform will be releasing clear, powerful functionality which will allow brands to take action on GDPR requests quickly and effectively.
An added bonus - with a CDP, data is not locked away and managed by the IT department. With a sound CDP, the data protection officer can have real-time access to collected data on a client when a specific request comes through.