Skip to content


  • Add this article to your LinkedIn page
  • Add this article to your Twitter feed
  • Add this article to your Facebook page
  • Email this article
  • View or print a PDF of this page
  • Share further
  • Add this article to your Pinterest board
  • Add this article to your Google page
  • Share this article on Reddit
  • Share this article on StumbleUpon
  • Bookmark this page

When regulation gives value

Read the full article in Danish here.

Many organisations are still struggling to comply with the new General Data Protection Regulation (GDPR). It has been a tough time for most, and now that a large part of the work is over, it's time to take stock. Some companies see major business challenges and disadvantages in compliance with the regulation, which potentially sets a rigid framework for data work and restricts development activities.

But where management has taken the challenge seriously and put the GDPR high on the agenda, the work has strengthened the organisation on several key issues.

Restrictions allow for greater customer loyalty 

In a world where data is increasingly becoming an asset for businesses, the purpose of GDPR is to give individuals greater control of how their personal information is used and secure their existing rights. Simply put, what personal information does the company have about you, how do they use it and have you given your consent?

In our work with GDPR, we have seen companies that have reviewed their customer relationships - not least regarding the requirement of consent and the right to be forgotten.

The requirement for consent is seen by some companies as a severe restriction on their business. However, we have also seen that the change can give companies a reason to find out what their customers' real needs and interests are.

Achieving a well-defined customer relationship through new and improved ways of managing data can prove to be beneficial to both parties and further enhance customer loyalty. Businesses simply become better at doing what matters to customers. 

In addition to reviewing customer relationships, the companies relate to business partners and suppliers, and what value they really make for the business.

For some companies, it is easy and clear what role partners play - whether they are data users or data administrators. In other cases, it has required longer discussions about the roles and clarification of who decides what data is collected and who processes data. The role defines the responsibility of the customer's data and thus compliance with the law. Specifically, it has led to reconsiderations and priorities of some companies as to which partners are crucial to the business. This has led to strategic choices.

Mapping workflows and processes has given overview and transparency 

The regulation affects large parts of organisations because data about customers, collaborators and employees is everywhere. This requires, among other things, companies to have transparent access to data and a clear overview of their data streams.

Prior to GDPR, departments and employees did not consider data security carefully in their daily work. Today, individual departments must think about how they work with personal data and ensure data protection and security guidelines are met.

This has led to another, much greater exercise in mapping and aligning internal workflows, processes and structures. It has been a tough period in many places, but once the work is done, companies and organisations are experiencing benefits. It has become clearer what happens in all departments, with functions exposing their workflows more accurately. This work has also provided insight into which tasks use personal data, why, and who is responsible for them. It has been a true eye opener to many people.

The process of mapping personal data is giving many organisations a complete overview of all processes in the business in great degree of detail. This overview uncovers insights into what can be done better and smarter in the future. And it's a unique opportunity to look for new opportunities in the business.

Create a culture of compliance with employee training and focus on customers

It’s one thing to define and set up a security organisation and governance structure that ensures GDPR is followed. It’s another thing to get individual employees to understand what the regulation means to their work and how to act in their daily lives. Therefore, communication and training are important. But companies have not finished dressing their employees with sufficient and relevant knowledge about the processing of personal data.

Compliance with GDPR is not only about systems, processes and reporting, but also about culture and management. If everyone in the company feels that the senior management takes it seriously and understands that each person has a role to play, they are much more likely to succeed. Not only with GDPR - but with the whole business.

The companies that have understood their strategy and communicated the purpose of changes in processes and structures while internally clearing up their workflows are better equipped to meet customer needs and develop database business models. 

And if they remember that GDPR is not a one-off performance that ended last week, and continue to use their new knowledge to improve their way of accessing customers and changing and enhancing workflows, processes and structures, they are ready to let regulation give value.

 Tilda Huttunen van het Erve is a business design expert at PA Consulting Group.

The GDPR is a game-changer. Learn how PA is helping clients make the most of this opportunity.

Find out more

Contact the author

Contact the business design team


By using this website, you accept the use of cookies. For more information on how to manage cookies, please read our privacy policy.