The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and it affects all businesses that collect and store data from residents of EU states. GDPR requirements govern data collected regardless of where it is gathered or stored; as a result, the nature of customer communications will change with this new regulation.
Data in Context
The GDPR governs data collection, export, and deletion. Two important aspects of the regulation are the right of individuals to request a copy of collected data and the right to have this data removed.
The requirement to allow export and deletion presents a challenge for many organizations, since data collection is generally passive for consumers and occurs at all stages of the sales or support funnel. For example, consumers may interact with a variety of platforms or sales/support agents. Personally identifiable information is provided directly by individuals and observed by software such as web browsers, live chat systems, or social media platforms throughout the customer journey.
The context around a conversation is important for determining what data is eligible for deletion once it is no longer needed. Some data must be retained by law, while other data can be removed. Determining which content meets the criteria for deletion can be difficult without first reviewing the context of the conversation.
Reconstructing conversations with context is possible when conversation data is stored with its original context intact. In these instances, the context allows the data to be accessed for redaction and deletion without the need for additional programming. Some organizations store user events in a way that allows customers to access and audit data related to their accounts.
GDPR Requirements and Compliance Opportunities
In a culture where sharing data has become routine, the shift in data management responsibilities can seem like an obstacle to usual day-to-day business functions. However, GDPR compliance can be an opportunity to improve overall customer communications.
Businesses working through digital transformation projects can plan for GDPR compliance at the start of a project, rather than reworking it to meet requirements after launch. This approach has the advantage of bringing together all departments interacting with prospect or customer data from the project’s genesis to ensure all touch points comply with every aspect of the GDPR.
Cleaner data can give marketing teams an opportunity to better focus efforts by contacting active users who are most interested in hearing from them and who have expressed that desire. The requirement to provide customers the ability to expressly opt into receiving communications can provide an avenue for better message targeting. And the requirement to allow erasure and export can be seen as an opportunity to further clarify existing storage and collection methods that benefit customers as well. Organizations can consider adopting communications platforms that provide the ability to choose data redaction options, including several automated removal settings.
GDPR requirements govern existing data collected prior to May 25, 2018, as well as newly acquired data. Clarifying data collection and storage routines can help improve overall data quality, and culling existing data can be beneficial for more than just GDPR compliance. Cleaning and organizing existing data to remove duplicates and other errors can bring significant improvements in overall customer communications. Additionally, outdated data could be costing businesses more than anticipated in terms of marketing cost and data storage.
Anticipated Versus Actual GDPR Readiness
Regulatory requirements aren’t quite a forgotten aspect of digital transformation, but they do tend to rank lower than other initiatives. Heavily regulated industries such as finance are in a better position to comply, whereas other industries may struggle to bring systems and processes up to date.
According to a Forrester report titled “The State of GDPR Readiness,” 30 percent of organizations believe they are compliant. The report’s research shows these companies may be overestimating their actual preparedness, detailing how firms taking a piecemeal approach to compliance will most likely need to revise and refine their plans now that GDPR enforcement has begun.
The retail industry in particular may continue lagging behind other industries. As of May 2017, a report by Compuware stated that 77 percent of retailers were not yet GDPR compliant. In this report, IT complexity was frequently cited as a hindrance to ongoing compliance efforts.
Forrester recommends building a framework to achieve and maintain GDPR compliance. Developing a strategy that aligns business objectives with GDPR requirements across systems, people, and governance is key. Involving all appropriate teams early in the process is also recommended. Selecting compliance management solutions that integrate with existing systems can ease the audit and continual improvement process. Consider a solution that allows users to build SIEM-capable services and alerts into systems.
GDPR Implementation Challenges
Implementing processes and technology to manage data falls on IT. However, reliance on IT alone to enact all aspects of GDPR compliance may not be the best option since data collection is performed by multiple business units throughout the customer lifecycle.
IT can deploy technology, but maintaining proper collection and retention methods is an ongoing responsibility that falls across departments. Granular access control for machines and staff is therefore important to ensure that only approved viewers see data, based on assigned roles. Audits provide insight into who accessed records and when.
Connecting with customers and remaining compliant with the EU General Data Protection Regulation need not be mutually exclusive. While compliance may seem daunting at first, there are many long-term benefits across business functions.