Supply was once governing demand. A century ago, car buyers would rush to place an order on a standardized black and boring Ford T. And wait a few years before delivery!
Nowadays, consumers have become more diversified as well as more demanding in terms of personalization. Businesses simply cannot afford not to adopt a customer-centric approach. And in this struggle, data is the sinew of war.
Data is the new sinew of war
Customer information instructs companies on every aspect of Marketing:
- Communicating with the target audience
- Designing the product
- Delivering the product
Data is gold and every piece of it can be exploited in order to gain useful insights. However, while this trend brings real benefits to the consumer, it is not without raising concerns about privacy.
At the beginning of 2015, the European Commission conducted a Data Protection survey across the 28 EU members. The results were striking. It appears that 7 out of 10 EU citizens are:
- Concerned about the fact that “Authorities and private companies holding information about them may sometimes use it for a different purpose than the one it was collected for, without informing them (for direct marketing, targeted online advertising, profiling)”
- Reluctant to “provide personal information in return for free services online”
More worrying is the lack of trust towards tech companies. When it comes to data exploitation, 67% of the respondents are wary of mobile service companies and internet service providers. The figure increases to 76% when it comes to online businesses (search engines, social networks, various email services). As a matter of fact, TMT (Telecommunication – Media – Technology) companies have been massively collecting personal data in order to tailor their offerings, sometimes to the detriment of confidentiality.
Several security breaches – WannaCry being the most recent and serious one – urged the EU administration to rapidly set new legislation to protect customer data. Such an initiative is supported by a majority of EU citizens (45%) who believe that “enforcement of the rules on personal data protection should be dealt at European level”.
GDPR comes to life
When & Where? The General Data Protection Regulation – or GDPR – was adopted by the European Parliament in April 2016 and will be effective as soon as May 2018 in the whole European Union, including the United Kingdom.
What? The set of rules is meant to replace the previous European data protection initiative (1995). The GDPR will provide more complete and demanding rules regarding how consumer data should be used and protected.
Who? The new legislation will apply to public sector agencies and companies processing personal data for commercial purposes on European soil. But not only. Any organization processing data belonging to EU citizens will have to comply with the GDPR. This will particularly impact global Internet-based business models, for which borders hardly exist.
As a consequence, the new legislation will be redefining the rights and liabilities of the main actors in data exploitation:
- The data subject is a living individual that can be identified by personal data (customers, employees, etc.).
- On the other hand, the data controller collects the data and decides on how it is processed.
- Finally, the data processor uses the data provided by the data controller for specific purposes.
The diagram below gives a clearer idea of how the three actors interact:
How will the GDPR impact tech and other businesses?
The GDPR updates and adds requirements to the 1995 data protection directive. This makes the new regulation more demanding than any other legislation of this kind. The market research firm Vanson Bourne interviewed 300 European IT professionals from businesses with over 1,000 employees. Close to 7 respondents out of 10 consider that the new framework “will affect their businesses” (68%) and that the “need to invest in new technologies or services” (69%) could turn out to be a “financial burden” (68%).
1. Consent
Consent is one of the major developments of the GDPR. Silence or inactivity can no longer be interpreted as acceptance. The consent of the data subject will involve a free and clear affirmative action. At the same time, the decision will have to rely on detailed and unambiguous information.
Let’s take a look at this example:
BH Inc., a media corporation, tracks its visitors on its website in order to improve the User Experience. It involves pieces of data such as visited pages, clicked buttons and so on. This was previously done without any user consent. From May 2018, BH Inc. will have to obtain the visitor's permission to do so as soon as the visitor enters its website, while stating the purpose for which the information is used. This is most commonly known as the classic “Cookie Consent”.
Many opt-out methods (which assume that users agree to a subscription without explicit consent) used by BH Inc.’s marketers will no longer be legal under the GDPR. For instance, if a user subscribes to a newsletter, any pre-ticked box for an additional subscription cannot be permitted.
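The consent mechanism described above, as an added example that is not part of the original post and not BH Inc.'s code: a small consent store in which every purpose starts with no decision, a tracking call only runs after an explicit affirmative decision, each decision is logged together with the purpose text shown to the user, and the form helper never pre-ticks a box. The purpose names and texts are constructed for the example.

```javascript
// Added example: opt-in consent gate for site tracking (constructed, not from the post).
// Purposes and their user-facing descriptions are assumed for illustration.
const PURPOSES = {
  analytics: "Measure visited pages and clicked buttons to improve the site",
  newsletter_extra: "Subscribe to an additional newsletter",
};

function createConsentStore() {
  // null = no decision yet. Silence or inactivity never counts as consent.
  const state = {};
  for (const purpose of Object.keys(PURPOSES)) state[purpose] = null;
  const log = []; // evidence of what was decided, for which purpose, and when

  return {
    // Record an explicit decision. Anything other than a boolean is rejected so
    // a missing or ambiguous value can never be read as "granted".
    decide(purpose, granted, now = Date.now()) {
      if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
      if (typeof granted !== "boolean") throw new Error("decision must be an explicit true/false");
      state[purpose] = granted;
      log.push({ purpose, granted, text: PURPOSES[purpose], at: now });
    },

    hasConsent(purpose) {
      return state[purpose] === true;
    },

    // Gate a tracking action on consent; returns whether it actually ran.
    track(purpose, action) {
      if (!this.hasConsent(purpose)) return false;
      action();
      return true;
    },

    // Withdrawal is just another explicit, logged decision.
    withdraw(purpose, now) {
      this.decide(purpose, false, now);
    },

    history() {
      return log.slice();
    },
  };
}

// Form definition for the consent banner: one checkbox per purpose, each
// carrying its purpose text, and none of them pre-ticked.
function renderConsentBoxes() {
  return Object.entries(PURPOSES).map(([id, label]) => ({ id, label, checked: false }));
}
```

The `track` wrapper is the point of the design: analytics code calls `store.track("analytics", () => sendPageView())` and the call silently becomes a no-op until the visitor has opted in, so forgetting a consent check somewhere defaults to not tracking rather than to tracking.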
2. Breach Notification
Unfortunately, data controllers and processors can sometimes undergo a security breach involving compromised confidentiality, especially if personal data is stolen. In this case, the organization must report the breach in the next 72 hours. Won’t make things much better for users but better to know, right?
The WannaCry attack involved personal data being stolen with a ransom demanded in exchange. If BH Inc. had been affected by it, it would have had to report the breach within 3 days of the intrusion.
3. Right to Access
For any user whose personal data you hold, you must provide for free:
- All the information that you hold on the user
- How it is processed
- Where it is processed
- What purpose it serves
As of now, depending on the country, companies can request a fee for providing these details.
4. Right to Erasure
A business may no longer have a valid reason to keep processing the personal data belonging to a user. The latter can, therefore, ask for it to be deleted from all storage equipment.
Here is an example:
John subscribed to a weekly newsletter released by BH Inc. To this end, he entered personal data such as name, age, gender, email and job position. A few months later, John decides to unsubscribe. He can request that all the data he provided the medium with be deleted, as the medium no longer needs it. This is also famously known as “the right to be forgotten”.
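The Right to Access and Right to Erasure sections above both turn on the same thing: knowing every store that holds a subject's data, where it sits and what it is used for. The following is an added example, not code from the original post or from BH Inc., built on a constructed inventory of three stores (a CRM database, a third-party mailing service and an analytics log). `subjectAccessReport` answers an access request with the data, location and purpose per store; `eraseSubject` removes the subject from every store, not only the primary one, and returns a record of which stores were touched so the erasure can be evidenced.

```javascript
// Added example: subject access report and cross-store erasure (constructed data).
// The stores, locations, purposes and the subject "john" are assumed for illustration.
const stores = {
  crm: {
    location: "EU-West primary database",
    purpose: "Newsletter delivery and account management",
    records: {
      john: { name: "John", age: 34, gender: "M", email: "john@example.org", job: "Analyst" },
    },
  },
  mailer: {
    location: "Third-party mailing service (acting as data processor)",
    purpose: "Sending the weekly newsletter",
    records: { john: { email: "john@example.org", list: "weekly" } },
  },
  analytics: {
    location: "Clickstream log cluster",
    purpose: "Measuring visited pages and clicked buttons",
    records: { john: { pages: ["/home", "/pricing"] } },
  },
};

// Right to Access: everything held on the subject, plus where and why it is held.
function subjectAccessReport(subjectId, inventory = stores) {
  const report = [];
  for (const [name, store] of Object.entries(inventory)) {
    if (subjectId in store.records) {
      report.push({
        store: name,
        location: store.location,
        purpose: store.purpose,
        data: store.records[subjectId],
      });
    }
  }
  return report;
}

// Right to Erasure: delete the subject from every store in the inventory and
// return an audit record. "remaining" re-runs the access report afterwards so a
// store that was missed shows up as a non-zero count instead of going unnoticed.
function eraseSubject(subjectId, inventory = stores) {
  const erasedFrom = [];
  for (const [name, store] of Object.entries(inventory)) {
    if (subjectId in store.records) {
      delete store.records[subjectId];
      erasedFrom.push(name);
    }
  }
  return {
    subjectId,
    erasedFrom,
    remaining: subjectAccessReport(subjectId, inventory).length,
  };
}
```

In a real deployment the inventory would be maintained as a register of processing activities rather than a literal object, and the erasure of the `mailer` entry would be a request to the processor's API; the shape of the report and the post-erasure re-check stay the same.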
5. Privacy by Design (or Privacy by Default)
Privacy by design requires companies to take all the appropriate technical and organizational measures in order to ensure data protection a priori. This implies that organizations consider and elaborate data protection processes before proceeding to any data collection. So think twice!
So, as an example:
BH Inc. decides to offer a subscription for exclusive content on its website. As a consequence, prior to launching its new offer, the company has to put in place appropriate mechanisms to ensure that the GDPR requirements mentioned above are met.
6. Data Protection Officers
Companies with over 250 employees that process data are required to appoint a DPO or Data Protection Officer. Obviously, such a position implies solid expertise in data protection practices and the legal framework. Not to mention that DPOs will directly report to top management.
True, many startups and tech businesses are SMEs whose number of workers does not exceed the GDPR threshold. Nonetheless, if processing data is a core activity, appointing a DPO (who can have additional responsibilities) is 100% relevant.
BH Inc. outsources its customer support to Aegon Corp. The latter becomes a data processor as it stores and uses the customer data provided by BH Inc. Aegon Corp has under 250 employees but it processes data of other clients. The organization decided to appoint Sarah, the current CTO, as a DPO. She will be in particular:
- Checking that Aegon Corp.’s data processing complies with the GDPR on a regular basis
- Coordinating the implementation of new internal processes that comply with the GDPR
- Raising awareness among staff and training them in the data protection requirements
- Becoming the main point of contact for any regulatory authority.
7. Sensitive Personal Data
Some specific pieces of personal data are more delicate to deal with because of their sensitive nature. This data subcategory has to be treated with extra care by data processors. For instance, organizations can only request it if it safeguards the user’s vital interests. In addition, such pieces of information can only be required in the framework of legal procedures. As of today, Sensitive Personal Data encompasses:
- Health records
- Religious affiliations
- Racial/ethnic origin
- Political opinion
- Trade union membership
- Physical/mental health
- Sexual life
From May 2018, it will include a new category: genetic and biometric data.
Non-compliance with the GDPR can end with fines of 20 million euros or 4% of turnover. That’s perhaps the strongest incentive to abide by the new regulation, as it is not exactly a small amount for startups or any organization. Nevertheless, a survey conducted by Varonis states that 75% of organizations are struggling to meet the deadline.
This is why you should get ready NOW, so here are a few hints:
- Appoint someone that will be responsible for complying with data protection requirements
- Identify the activities that involve processing data and analyze compliance
- Set up all required internal processes that will allow your business to comply with the legal framework
- Keep yourself updated on any new data regulation and scrupulously observe the internal procedures
Building a Competitive Advantage
However constraining the GDPR can appear, you might realize eventually that you can use it as a competitive advantage. Yes!
We mentioned at the beginning how distrustful EU citizens are in regards to tech businesses when it comes to processing personal data. The GDPR is an opportunity to re-establish a relationship of trust with our EU customers. Plus, full transparency can actually be an incentive for individuals to share their data more easily. So more than ever, companies will be able to keep on studying behaviors and adapt their value proposition.