What does the EU General Data Protection Regulation (GDPR) mean for you and your customers? We already know non-compliance can mean huge fines, but how are some organisations turning the GDPR to their advantage? We sat down with Elliot Rose, PA digital expert, to learn more.
PA: What are the main concerns organisations raise when it comes to the GDPR?
Elliot: Organisations are worried about having the necessary mitigations in place by May 2018 (when the GDPR will come into force) to demonstrate compliance – a significant number have yet to start work on this. One of the key concerns is whether they’ll have the necessary legal basis (consents, legitimate interest, legal obligations, etc.) identified and that they have found all of the personal data within the organisation and across their supply chain and conducted the right level of mitigations. Many mistakenly believe it only applies to future data collection, but the GDPR covers all personal legacy data – some of which may be stored in very old and obsolete systems, and shared with former suppliers or third-party data processors.
With the GDPR, all resident EU citizens will be able to ask organisations to delete any personal information that’s held on them. And not only that, organisations have to provide evidence they’ve complied with the request. Some banks I’m speaking to are worried they could get swamped with requests to delete personal data, especially in response to consumer activist groups, who may have a grievance against them – and the effects this information removal will have on their systems and business. Many businesses have inter-connected systems and deleting personal data may cause those systems to not function properly. In addition, the ability to cross sell (assuming the right consents were originally obtained) based on personal information would be compromised if data is removed.
Another area is risk profiling. If someone repeatedly applies for a loan and is denied, this is often recorded as part of risk profiling. But under the GDPR, if that person requests their information to be deleted after each attempt, their past credit history could be compromised.
PA: We know some organisations are using the GDPR to their advantage. What’s the best example you’ve come across so far?
Elliot: The legislation is a great chance to get better insight into your customers. I recently spoke to the founder of a challenger bank who said they’ve developed a phone app that allows customers to change their privacy settings whenever they want. This means the customer is always in control over what information they’re sharing with the bank. This is a simple but effective way to build customers’ trust.
At the end of the day, who doesn’t want to have better relationships with their employees and stakeholders? By taking the GDPR seriously, you have a real chance to show these groups just how much you value them and their personal data. In turn, it’ll help you build better brand loyalty.
PA: In practical terms, what do you recommend organisations start doing today to ensure they’re compliant?
Elliot: Given the fact that 30% of businesses are unaware of the GDPR and 45% haven’t started any assessments to determine their readiness, many really need to start work today. I urge you not to panic, but do a quick and rapid check of where you are against the regulation through a gap assessment. As a key first step many organisations are going back to review their fair processing notices and rewrite them to ensure they’re clear and concise.
You also need to start looking at your suppliers. Some of our clients are finding it very difficult to negotiate with their suppliers based outside the UK. The GDPR means organisations need to be able to audit suppliers to find out what they’re doing with personal data, but many are struggling to engage with suppliers for whom the UK (and EU) is only a small part of their business. You need to start focusing on suppliers now to ensure they’re ready for compliance, and also make the point they’re equally liable under the fines imposed for any breach.
Across the organisation, you should adopt a risk-based approach to prioritise business functions, processes, systems, etc. that have a close interaction with personal data. This will give you the required head start to determine and address the most relevant privacy risks that you face, and most importantly get the commitment from the business.