How the GDPR will affect your company
The EU General Data Protection Regulation (GDPR), which becomes enforceable on 28 May 2018, is giving many companies sleepless nights. This is not surprising, since the GDPR creates a lot of compliance issues as well as strategic implications for firms operating in many industries.
The first major change is that companies processing data can be sure that they will have less information available. Data consent conditions have been strengthened and many customers will become more careful when deciding what to share, especially since the GDPR will require data controllers and processors to explicitly state the purpose of gathering each piece of data.
Due to these changes, businesses will have to emphasise their reliability in communication with clients. The importance of reputation will increase – also for companies which are not selling directly to the end consumer, since big data owners will also choose data processors based on their privacy track record.
Another consequence of this regulation might be the need for a new kind of customer segmentation based on customers' approach to privacy-related solutions. Many customers will be ready to give up some part of the service in order to share smaller amounts of personal data. On the other hand, some of them will still be willing to give more consent and receive more sophisticated service in return. As a result, different campaigns and channels should be used for each group. Moreover, data processors will have to react to this part of the regulation by dividing their complex solutions into smaller ones. That way, they could separately use portions of data which they are currently only able to use jointly.
Under the GDPR, customers will also be given many more rights when it comes to accessing the data concerning them. At any time, they will be able to demand a detailed report on how their data is being used and for what purpose. This means companies will need to modify the existing data export tools so that they produce readouts in a legible format and, in general, make their systems more user-friendly. Receiving more customer requests might also require changes in firms’ organisational structure. Firms will have to be prepared for more customer interaction and should plan for such impacts in advance.
There are also important changes related to safety measures. Data breaches will have to be reported within 72 hours and, to limit their impact, customer data will have to be pseudonymised. These measures are necessary so that personal data cannot be attributed to a specific subject without the use of additional information which is kept separately. Therefore, additional financial and organisational resources will have to be committed to ensure that data systems are secure enough.
Companies should be prepared for the regulations of the new EU directive with holistic strategic responses. In this context, it will be paramount for companies to focus even more on clients’ needs, offer them specific solutions for the upcoming issues and align the organisation accordingly.