[Image: four old defense cannons set up to protect a house. Caption: Is your organization ready to protect customer personal data? Photo: ainudil]

The UK government recently revealed its proposed Data Protection Bill. This legislation provides final — and welcome — confirmation that the country will, for almost all intents and purposes, be adhering to the forthcoming, EU-wide General Data Protection Regulation (GDPR).

Both the GDPR and the UK Data Protection Bill (PDF) will make significant changes to how organizations collect, process and use individuals’ personal data. 

When those GDPR changes are introduced on May 25, 2018, the legislation will require consent for marketing to be more explicit. European citizens will have far more control over how their data is used and what they agree to, as well as rights that will make it simpler to access their personal data.

Levying Much Stiffer Fines 

However, before those outside of Europe start wiping their brows in relief that they won’t have to reassess many of their marketing practices, be warned: these two data protection laws are applicable to any business that handles the personal data of EU (and UK, post-Brexit) customers. 

So, if you have a worldwide customer base and do not want to run afoul of fines that can run as high as €20 million ($23 million) or 4 percent of global turnover (whichever is greater), you’ll want to invest the time to understand chapter and verse of these new laws. 

Let’s look at Google for perspective: Its (admittedly enormous) global turnover would translate to a fine of roughly $3.5 billion for transgressing the new legislation.

Data Discovery and What It Entails 

GDPR will make it easier for individuals to ask an organization to disclose all the personal data it holds on them. These Data Subject Access Requests (SARs) entitle individuals to discover several things: the reason their data is being processed, all the personal data an organization holds on them, anyone who has received (or ever will receive) their personal data, and details regarding the origin of their data if the organization did not collect it.

Not only must a SAR be processed free of charge in most instances, organizations are also obliged to respond to a written SAR within 30 days.

What’s more, if a SAR reveals that an individual’s personal data has been misused, that individual is entitled to claim compensation if the misuse has caused damage or distress.

Note that if your customer database runs into the millions and the same issue applies to everyone in it, the cost to your organization could be astronomical. 

Evaluate Current Approach to Data Collection 

This raises several questions that companies around the world should start considering: Do you know how to respond to a SAR? Does your staff have the training to deal with and process a SAR? How efficiently can you collate the data required — before the deadline and at scale?

These questions, among others, mean taking a close look at your current approach to data collection and governance. 

For example, say your organization is collecting data with a data warehouse solution. While cloud-based data warehouses often ensure that data is highly secure and encrypted (which helps to minimize the risk of hacks or data breaches, another big GDPR problem), they do have their drawbacks.

Complying With Data Subject Access Requests

Not only could data residing within a data warehouse be kept for an indeterminate amount of time, it is also likely to be unstructured and unmatched. As you can imagine, data that is not kept up-to-date is more likely to be non-compliant. Information that is unstructured and unmatched also makes personal data hard to find — and even harder to link to individual customers.

This issue is compounded further for the many businesses with a proliferation of disconnected data silos. Here, issues of duplicates, errors and disjointed data sources quickly magnify. 

So, not only do you have to fear punitive damage and the threat of large-scale compensation payouts, you also need to consider the labor costs associated with stitching together the scattered pieces of personal data you hold on an individual, all on a tight timetable.

The Clock Is Ticking 

Yet despite this, the results of a new survey conducted by professional IT network Spiceworks found that just 28 percent of EU organizations have begun GDPR preparations, and a mere 5 percent in the US. Time is running out to take action.

When it comes to general GDPR readiness, a first step would be to undertake an assessment to identify where you are now and any marketing practices that need to be changed. This will include examining how you seek consent for marketing, whether you are currently processing personal data legitimately, and identifying ways of ensuring that your terms and conditions are easy to locate and easy to understand.

CDPs Create One Solution 

For handling Data Subject Access Requests, for compliance issues (such as customer preferences) and for unifying data into a single source of truth, marketers should consider customer data platforms (CDPs) as an elegant solution.

Such technology is gaining an increasing amount of attention in the world of marketing, not least for its ability to create a single customer view that de-duplicates, matches and merges disparate data sources into a single, structured database. 

Not only is this useful for marketing strategies like personalization and targeted campaigns, it also ensures that all of your marketing data can be readily extracted as a comprehensive record.

Fortune Favors the Prepared Mind 

For those who have yet to acknowledge the magnitude of these new data protection laws and the implications of SARs, there is plenty to put into action, wherever in the world you may be. We are entering an evolutionary phase in the relationship between brands and consumers where trust, transparency and privacy will be the watchwords. 

And, like any evolution, only those who adapt will survive.