It’s official. It’s May 25, “G-Day.” Cutting through all the hype and confusion over the past two years, the E.U.’s General Data Protection Regulation (GDPR) is now in effect and all the world is waiting to see what comes next.
No, the world didn’t stop turning. Businesses didn’t all crumble to the ground. But already, within hours of the legislation going into effect, complaints have been filed against Facebook, Google, Instagram and WhatsApp. And everyone is now wondering, who will be next? If upheld, the fines could be significant, up to four percent of global revenue, or 20 million euros (whichever is greater), as permitted by the legislation.
GDPR Is Here: What Comes Next?
So what does this likely mean for your own business? First, take this seriously. Racing to this date, your organization has hopefully been readying your plan for how you will deal with individuals’ (“data subjects” according to the legislation) requests to exercise their rights. You should have long ago conducted your data protection impact assessment, and you should have your Data Protection Officer in place, ready for what's next.
The key to remember for most businesses is that today should be largely regarded not as the finish line, but the starting line. When it comes to dealing with each data subject’s request, you should have your plan in place, with that plan completely documented. This means knowing precisely where your data lives, and knowing the exact process you will use to assemble it and tend to it, as each consumer exercises their rights — even if initially, some of those processes may be somewhat manual in nature.
The GDPR compliance challenge for most businesses will not come from their general “take it or leave it” terms, as commonly used by megabrands such as Facebook, Google, Instagram and WhatsApp. Instead, it will likely come from the actual mechanics of dealing with the onslaught of GDPR data subject requests themselves, as they seek to exercise their individual rights to access, erasure, restriction and others.
One of the most common questions we have been fielding in this respect over the past year is, “what volume should we plan for?” Remember, you will have only one month to respond to each request, and manual processes simply don’t scale. So the volume you need to plan for is not the initial volume, or even the average volume — but the maximum potential volume. Every business should quickly consider how high the top end of that range might be and ensure it can handle those volumes if they materialize.
Two Elements of a Long-Term GDPR Strategy
While there are many aspects businesses will want to consider in their long-term GDPR strategy, here are two key things that every organization should do next:
How do you plan to deal with the highest of your GDPR volume? By moving as quickly as possible to technologies such as dynamic case management as the foundation for orchestrating your compliance process. This approach allows your business to ensure the process is orchestrated from end-to-end across teams and functions. It also enables rapid automation to remove manual processes — both where APIs exist into your data and systems, and even where they don’t.
Powerful new technologies such as robotic automation have completely changed things by providing new forms of integration, even across “old school” legacy systems and home-grown applications. And they are now more cost effective than ever.
Organize for Omnichannel
Clarifications recently issued from the Information Commissioner’s Office (ICO) stated that it is not enough to accept access requests via just your call center or your website, as many had been hoping. Specifically, their latest guidance stated, “an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organization (including by social media) and does not have to be to a specific person or contact point.” This means your business needs to quickly ready, not one or two, but all of your customer touchpoints for the acceptance of these requests. You’ll need to prepare all of your customer-facing functions, including customer service, sales and beyond. And don’t forget the older and more traditional channels such as email. Thankfully, new advances such as intelligent virtual assistants can actually now open customer emails, understand their intent, and automate that process as well.
Indeed, G-Day is here and there is no turning back. While there will be many actions you will need to take over the next months and years to close all your GDPR gaps, the best thing you can do is to be proactive. As you plan the next phase of your GDPR journey, think of how to proactively build trust and foster a better relationship with your customers. This will be key to succeeding in the new era of GDPR.