Fines of up to €6 billion could be imposed on large companies holding consumer data, after the implementation of the GDPR regulation last month . The stakes are high as businesses will have to pay 4% of their annual global turnover or a €20 million fine if they experience a data breach. Wary of the huge fines, financial services firms have been holding their breath and amping up efforts to achieve compliance.
The concept behind GDPR is not new and has been around for approximately 20 years. Regulation surrounding data protection started with the original data protection directive which then paved the way for the data protection act in the late 90s. However, compliance with these regulations has always been on the back burner.
When approaching GDPR, some firms have simply adopted a check-list attitude, treating GDPR compliance as a certificate and looking to check off the minimum compliance needed to avoid fines in the quickest way possible. However, the right approach is a more long term, sustainable one. This involves re-analysing the vision for the use of personal data in the future, whether employee or customer, and tailoring processes to ensure true insights are captured from data, while maintaining ongoing compliance.
Additionally, GDPR cements the value of data as the world's most valuable resource, surpassing oil. Although abundant in existence, data offers great power to organisations looking to offer bespoke customer experience. The concept of 'B2C' has become more about 'B2Me'; it is becoming increasingly imperative to offer a tailored and bespoke customer experience. Now, however, while handling this customer data, organisations have to also be extremely careful about compliance to regulations, including GDPR.
The first step when approaching compliance would be to ensure that all customer data is being properly maintained. Under GDPR, records need to be kept on all customer personal data held including where it came from and who it is shared with. Looking into record-keeping procedures will allow organisations to reflect on procedures for data processing, and assess whether or not they are compliant with the new regulation. GDPR also gives organisations the opportunity to find out how customer interactions are linked to data processing and ensuring that all the data touch points are compliant with the regulations.
Ensuring compliance is only as useful as your ability to prove you are compliant. If regulators want access to see how you manage the compliance process, you have to be able to demonstrate due diligence and that all the people who need to be involved have visibility of processes. It is not unheard of for regulators to fine companies who are unable to demonstrate compliance, even if they are actually compliant. The proliferation of data makes it near impossible to keep track of data flows manually.
Many companies are therefore turning to technology to map out processes to see where the data is, how it is being used and to understand the risks and controls in place. This also ensures the most efficient and effective means of ensuring the process becomes part of 'business as usual'. Automating clear documentation of the processes removes the margin for error, significantly reducing the likelihood of non-compliant behaviour and makes certain that the decision-making process is tracked and approvals are recorded appropriately.
It is imperative to understand the key provisions of GDPR to prepare for the challenges ahead. Once understood, these provisions can be broken down into manageable steps to ensure a business is best-placed to thrive under the new data protection requirements across the EU. There also needs to be a change of mind-set within organisations, with members of staff engaged every step of the way. This is not solely restricted to the C-suite of a company or a designated data protection officer, but should trickle down to any staff member directly handling client data.
Lastly, in the event of a personal data breach, data controllers must notify their relevant supervisory authority within 72 hours, with a failure to notify resulting in fines of up to £10 million. Fines in response to data breaches have increased drastically over the last few years. According to numbers released by PwC, the amount businesses have been fined has increased by almost £1m in comparison to the previous year and is expected to rise exponentially after GDPR implementation. Clearly, time is of the essence. To ensure maximum efficiency at the time of a breach, a violation response needs to be modelled in advance, with step-by-step guidance for employees to act quickly and aptly.
Compliance to GDPR requires a holistic approach, connecting the dots between customer experience and operations. It comes down to a two-pronged approach. Firstly, businesses need to align their business processes with the customer journey as they map out existing processes to embed regulatory compliance in their systems. Secondly, visibility has to be ensured within an organisation, with all employees adopting a collaborative approach towards the matter.
Dr. Gero Decker is CEO of Signavio