
GDPR Compliance Requires Looking at the Big Customer Data Picture

By Sonia Cheng

Companies working to comply with the EU's General Data Protection Regulation should take an enterprise-wide, client-centric approach to data governance.

Imagine the impact an organization would feel if it were legally obligated to fulfill 200 complex and comprehensive data requests from clients across numerous countries and data sources every day. Operationalizing this at such a scale would seem impossible and would require a significant investment of additional staff, budget and time.

Many organizations may believe they will never face this type of challenge. But conservative estimates of the impact that the European Union’s General Data Protection Regulation (GDPR) data subject rights will have on companies storing large volumes of private client data show us that this scenario is a very real prospect.

Individuals’ Data Rights

The GDPR states that individuals should have the right to access their personal data so that they are aware of and can verify the lawfulness of its processing. Companies must respond to requests within one month, leaving them little time to perform a task that they may not be equipped to handle.

The rights that the GDPR grants to individuals, or “data subjects,” include the following:

  • Right of access (article 15): EU residents may at any time obtain access to their personal data (to learn what it is, where it is stored and how it is processed) from any entity that houses this information.
  • Right of erasure/right to be forgotten (article 17): Individuals covered by the GDPR may at any time require an organization that stores their personal data to dispose of it and erase it from any and all information sources.
  • Right of data portability (article 20): Data subjects may require an organization to transmit their personal data directly from one controller to another, requiring a company to securely migrate everything containing information on a subject to another provider when processing was based on consent or a contract.
  • Right to restrict processing (article 18): Individuals have a right to “block” or suppress processing of personal data. When processing is restricted, an organization may store the user’s personal data but not further process it, and the organization may retain just enough information to ensure that the restriction is respected in the future.


The Master Data Management Challenge

Independent of GDPR, many large organizations have implemented master data management or other multi-year data governance programs to obtain a single, cohesive view of their clients and the data they store on their behalf. These efforts are often part of know your customer (KYC) initiatives in industries that must protect against fraud and money laundering. But this can be very difficult to achieve in practice and requires much more than implementing a system. 

When clean data management processes are not in place, or within organizations that have grown by acquisition and are operating with many different systems and practices, compliance teams struggle to understand and assemble organized customer profiles.

Many companies have purposefully designed their systems to operate independently because they do business in different jurisdictions under varying laws. But for, say, a bank with accounts in the U.K., Germany and the United States, it is frustrating when all the accounts aren’t connected or readily available across countries. If the bank had a single, holistic view of each individual client and all clients’ identities were mapped and managed through a standard process and connected systems, it would be much easier to provide quality service and fulfill data subjects’ access requests quickly.


A Client-Centric Approach to GDPR Compliance

The GDPR, and particularly the rights it grants to data subjects, provides an opportunity for corporations to take a client-centric approach to data governance. Even if a company has repeatable workflows, a sound privacy policy and reliable customer relationship management (CRM) systems, the customer experience and regulatory compliance will still suffer if the backend systems are in disarray and failing to communicate with each other.

Here are a few steps organizations can take to implement a client-centric approach to GDPR compliance:

Shift to a client-first mindset: Focusing on data quality and master data management is an undertaking of enormous scope that can take years to complete. Many companies find themselves stuck in the data mapping stage and lose funding for the project because it is difficult to show results over such a long period of time. Focusing these projects first on client data, and conducting initial data mapping of just the customer databases, will make the prospect of completing the project much more realistic.

Consolidate data disposal: Cleaning out data from legacy systems and getting rid of information that is no longer needed will make data mapping and future data management less onerous. With a client-centric focus, companies can look at repositories where clients access data and deal with those first, moving on to legacy information after all client-related data stores are addressed. It is important to work with the legal team on this step in order to ensure that long-term defensibility is built into the data disposal program, and that legal and preservation obligations are adequately fulfilled.

Evaluate the data map through the client’s eyes: If a multinational company is creating (as it should) a data inventory as required under GDPR Article 30, the team should look at data flows through the lens of the client experience. This may require eventual changes across sales, development, marketing, customer services and other departments. Building on the data map with customer interaction as a priority can help improve processes and ensure that all lines of business are putting the client first.


Create Cross-Functional Teams

We have seen many organizations make solid progress toward GDPR preparedness, but all too often they are tackling it in silos, with each silo worrying only about its own compliance. This is where the foundational best practice of creating cross-functional teams in information governance is so critical. An integrated cross-department approach enables the team to meet the entire organization’s needs with each project and to demonstrate to company leaders that they understand the impact of their efforts on the company’s overall global objectives.

Working in a collaborative way across all regions and teams that touch client data, and prioritizing client relations in GDPR initiatives, will lead to greater success in achieving compliance as well as improving brand image and customer service.

About the author

Sonia Cheng

Sonia Cheng is a Senior Director within FTI’s Technology Consulting practice, currently leading the EMEA Information Governance & Compliance (IG&C) practice. She is a trusted advisor to some of the world’s largest financial services, insurance, pharmaceutical and energy firms.

T. Sean Kelly

T. Sean Kelly is a Senior Director within the Technology segment at FTI Consulting and is based in Philadelphia.
