
Imagine the impact an organization would feel if it was legally obligated to fulfill 200 complex and comprehensive data requests from clients across numerous countries and data sources every day. Operationalizing this at such a scale would seem impossible and would require a significant investment of additional staff, budget and time.

Many organizations may believe they will never face this type of challenge. But conservative estimates of the impact that the European Union’s General Data Protection Regulation (GDPR) data subject rights will have on companies storing large volumes of private client data show us that this scenario is a very real prospect.

Individuals’ Data Rights

The GDPR states that individuals should have the right to access their personal data so that they are aware of and can verify the lawfulness of its processing. Companies must respond to requests within one month, leaving them little time to perform a task that they may not be equipped to handle.

The rights that the GDPR grants to individuals, or “data subjects,” include the following:

  • Right of access (article 15): EU residents may at any time obtain access to their personal data (to learn what it is, where it is stored and how it is processed) from any entity that houses this information.
  • Right of erasure/right to be forgotten (article 17): Individuals covered by the GDPR may at any time require an organization that stores their personal data to dispose of it and erase it from any and all information sources.
  • Right of data portability (article 20): Data subjects may require an organization to transmit their personal data directly from one controller to another, requiring a company to securely migrate everything containing information on a subject to another provider when processing was based on consent or a contract.
  • Right to restrict processing (article 18): Individuals have a right to “block” or suppress processing of personal data. When processing is restricted, an organization may store the user’s personal data but not further process it, and the organization may retain just enough information to ensure that the restriction is respected in the future.


The Master Data Management Challenge

Independent of GDPR, many large organizations have implemented master data management or other multi-year data governance programs to obtain a single, cohesive view of their clients and the data they store on their behalf. These efforts are often part of know your customer (KYC) initiatives in industries that must protect against fraud and money laundering. But this can be very difficult to achieve in practice and requires much more than implementing a system.

When clean data management processes are not in place, or within organizations that have grown by acquisition and are operating with many different systems and practices, compliance teams end up grappling with understanding and establishing organized customer profiles.

Many companies have purposefully designed their systems to operate independently because they do business in different jurisdictions under varying laws. But for, say, a bank with accounts in the U.K., Germany and the United States, it is frustrating when all the accounts aren’t connected or readily available across countries. If the bank had a single, holistic view of each individual client and all clients’ identities were mapped and managed through a standard process and connected systems, it would be much easier to provide quality service and fulfill data subjects’ access requests quickly.


A Client-Centric Approach to GDPR Compliance

The GDPR, and particularly the rights it grants to data subjects, provides an opportunity for corporations to take a client-centric approach to data governance. Even if a company has repeatable workflows, a sound privacy policy and reliable customer relationship management (CRM) systems, the customer experience and regulatory compliance will still suffer if the backend systems are in disarray and failing to communicate with each other.

Here are a few steps organizations can take to implement a client-centric approach to GDPR compliance:

Shift to a client-first mindset: Focusing on data quality and master data management is an undertaking of enormous scope that can take years to complete. Many companies find themselves stuck in the data mapping stage and lose funding for the project because it is difficult to show results over such a long period of time. Focusing these projects first on client data, and conducting initial data mapping of just the customer databases, will make the prospect of completing the project much more realistic.

Consolidate data disposal: Cleaning out data from legacy systems and getting rid of information that is no longer needed will make data mapping and future data management less onerous. With a client-centric focus, companies can look at repositories where clients access data and deal with those first, moving on to legacy information after all client-related data stores are addressed. It is important to work with the legal team on this step in order to ensure that long-term defensibility is built into the data disposal program, and that legal and preservation obligations are adequately fulfilled.

Evaluate the data map through the client’s eyes: If a multinational company is creating (as it should) a data inventory as required under GDPR Article 30, the team should look at data flows through the lens of the client experience. This may require eventual changes across sales, development, marketing, customer services and other departments. Building on the data map with customer interaction as a priority can help improve processes and ensure that all lines of business are putting the client first.


Create Cross-Functional Teams

We have seen many organizations make solid progress toward GDPR preparedness, but all too often they are tackling it in silos, with each silo worrying only about its own compliance. This is when the foundational best practice of creating cross-functional teams in information governance is so critical. An integrated cross-department approach enables the team to meet the entire organization’s needs with each project and demonstrate to company leaders that they understand the impact of their efforts on the company’s overall global objectives.

Working in a collaborative way across all regions and teams that touch client data, and prioritizing client relations in GDPR initiatives, will lead to greater success in achieving compliance as well as improving brand image and customer service.