The General Data Protection Regulation (GDPR) takes effect on 25th May 2018 and businesses around Europe are racing to ensure compliance in time for the deadline. But beyond an administrative compliance, the regulation will make it possible to reconnect a forgotten confidence with customers.
The GDPR concerns every organisation that collects, processes and stores "personal" data – a term that encompasses much more data than many expect... personal data is not only the name data of your client files but any information that can directly or indirectly identify a person including name, address, photographs, email address, bank details, social networking accounts, medical information, and IP address.
Of course, as part of your business, you need to be able to identify your customers and personalise their customer journey through collection of relevant information. The GDPR does not question this, but it requires you to clarify the rules and procedures put in place to reduce the risk of identification of individuals and invasion of their privacy, from the data you store. Like any new regulatory obligation, the GDPR appears at first glance to be a constraint – particularly given the amount of sanctions foreseen in the event of a breach: up to 4% of the company's global turnover or EUR 20 million. This is serious stuff!
But the GDPR also gives you the opportunity to develop a new confidence pact with your customers by being transparent about what you do with their data – a concept they are far from indifferent to. A recent Wavestone survey conducted across six countries including China, France, Germany, Italy, United Kingdom and the United States, found that half of those surveyed believe that their information is used for other purposes than those they have approved. The survey also revealed that French consumers have the least faith in public and private organisations with 64% stating they did not trust organisations to protect their personal information.
Customer Information: Make it clear, precise and to the point
The principle of transparency advocated by the GDPR as per the official text of 27 April 2016, states that information on the processing of personal data should be “easily accessible and easy to understand, and that clear and plain language be used” (Article 39). This is not really new but, when you think about privacy policies of most websites – or, worse, social networks... – it is not unreasonable to insist on clarity and intelligibility, and most of us would also gladly add brevity. Often the current information documents, written by legal departments, are so indigestible that, even knowing the risks and with increased concern about the protection of our privacy, we still do not read them. As consumers, we simply check the box confirming that we have seen them.
The best idea is to take advantage of the application of the GDPR, using it as an opportunity to rewrite your privacy policies by thinking a little more about the customers who are going to have to (or are supposed to) read them. This is all the more important since you will now have to collect their explicit consent (or refusal) on the uses and purpose of the data you wish to collect.
This will disturb the opacity habits of more than one Internet giant and other data brokers. In France in May 2017 the Commission nationale de l'informatique et des libertés (CNIL), inflicted a fine of 150, 000 euros on Facebook for numerous breaches of computer law and current freedom in its management of personal data of users. The sanction was certainly derisory for a company like Facebook, but the motives were interesting: Facebook was criticized for carrying out “massive combinations of personal data of Internet users for purposes of targeted advertising", to which they "have not consented and cannot oppose ". It was also criticized for not collecting the express consent of Internet users when they provided sensitive data in their profiles, in particular their political opinions, religious beliefs or sexual orientation.
It took the scandal of the data collected by Cambridge Analytica and the hearing of Marc Zuckerberg at the American Congress for the social network giant to finally announce its compliance with the European regulation.
Customer Consent: Get it and prove it
Your customers need to be able to decide with knowledge, from a text that is clearly explained, what they are committing to and what your company will do with their data. It goes without saying that the obligation to inform does not cover the same thing in every sector. It will of course vary depending on whether you are a health institution, a bank, a retailer specialized in textiles or an energy supplier... But in all cases, to be lawful, your personal data processing must now be based on the consent of each person concerned. The CNIL states, with respect to the new provisions of the GDPR, that " consent must be unambiguous" and that "the burden of proof of consent rests with the person in charge of the treatment" (your company or your providers).
It's not as simple as it seems because each of your customers can change their mind: Consent is given for a time to use their data, then revoked, and then given again for a new purchase or project. In the event of a dispute, you must be able to prove that, at the time you used the data, you were fully entitled to it for that purpose.
Are you ready?
Citizens and consumers are taking the protection of their personal data and privacy much more seriously. The GDPR gives them more rights and more controllable options. The whole question is whether businesses are going to be ready in time, knowing that the implications of the new regulation are obviously not limited to the two points we have just talked about.
According to a NETAPP study conducted with 1106 executives and IT decision makers, 67% of those interviewed stated that they believed they would not be ready for the May deadline.
As the 25th May approaches, global companies are well aware of the impact of non-compliance with GDPR, and 51% of those surveyed, believe that this could undermine their reputation should a breach occur.
The risk to image and reputation, as well as the financial penalties foreseen in cases of non-compliance with the provisions of the GDPR, should encourage companies to accelerate their compliance. What is at stake for all organisations is the confidence of their customers, knowing that if they agree to communicate personal data, they expect in return an improvement in services rendered, more personalisation, or even financial benefits. Companies, who have long taken advantage of the asymmetry of information on personal data, will have to (re) learn the good old principles of "giving-giving".