Here are the basics to get you started on your path to GDPR compliance.

In May 2018, the European Union will introduce yet another regulation that will require global businesses to adhere to new compliance behaviors. But the new mandate, known as the General Data Protection Regulation (GDPR), isn’t your standard check-the-box compliance project. It will fundamentally change how businesses operate and engage with their customers.

Shifting Data Ownership Back to Individuals

Until now, the data that businesses held on their customers had largely been regarded as corporate property — and in some cases, it was considered an actual corporate asset. Under the new GDPR legislation, everything is about to change. The personal data that enterprises hold will in effect be considered the property of each individual. 

And with this comes a whole new set of individual rights. Customers will have ultimate control over how, when and where their personal data can be used — and they can challenge a business regarding this at any time. In essence, businesses will not really own their marketing databases anymore.

With these new rights, customers are empowered not only to see their data but also to know exactly how it’s being used and for what purposes. Businesses will have no choice but to provide that information on demand. And this affects not only primary data like name, address and phone number, but all other personal data a business may have, including data that it may have acquired from third-party sources.

Needless to say, when it comes to personal level data, GDPR is all-encompassing.

A Regulation With Teeth

What's more, GDPR doesn’t just apply to European companies. It affects every business, anywhere in the world, that possesses an EU resident’s personal data. In a PwC survey of 200 U.S. C-suite executives and general counsels, 92 percent of the respondents said they now consider GDPR compliance to be a top priority, but only 71 percent said their organizations had started preparing their systems and business processes to handle potential GDPR-related data requests. 

Additionally, Gartner predicts that less than 50 percent of companies will be ready to comply with GDPR mandates when the law goes into effect on May 25.

As the GDPR deadline closes in, businesses are under the gun to put the right systems and processes in place to ensure that they are fully compliant. If they aren’t compliant, they could face heavy repercussions, including fines of up to four percent of global revenue.

A Starting Point for GDPR Compliance

No one is sure right now how stringent regulators will be in enforcing the letter of the law, but with potentially millions on the line, few can afford to wait and find out. Businesses must start preparing for this new world order today. The following steps can help businesses ensure that they are creating and implementing a successful GDPR strategy:

  1. Document current and future state: This will allow businesses to produce the evidence that is required by the legislation, as well as uncover any potential gaps in processes and technology.
  2. Understand where personal data resides: Businesses will need to find ways to identify where this data is held, anywhere across the enterprise. Consider that, for the longest time, businesses have sought to create ever-elusive 360-degree views of their customers. Now they must be able to assemble that 360-degree view and give it to the customer.
  3. Establish new processes for each GDPR mandate: To begin with, this will likely be a mix of manual and automated processes that must work together. Meanwhile, any customer-consent process that involves manual steps exposes the business to a potential compliance risk. Therefore, processes should be dynamic and able to adjust to the nuances of each request. This will often mean integrating with older systems that may not even have APIs.
  4. Enact protections for customer data: Safeguards must be put in place to proactively protect personal data. This will involve encryption, de-identification and pseudonymization of data. Additionally, businesses need to beware of putting data into multitenant clouds that can create compliance headaches.
  5. Create a system of notifications: Communication will need to be automated and orchestrated across all parties, including the data subject, the controller, the processor and the regulator — with both proactive and reactive processes, including the assembly of dynamic content.
  6. Achieve transparency in automated decisions: For organizations using artificial intelligence (AI) to drive certain actions with customers, opaque models present a major risk in that it’s nearly impossible to understand the logic behind them. Where such models affect customers, these opaque techniques must be locked down and replaced by transparent AI that can fully explain the decisions it makes.
  7. Maintain a comprehensive audit trail: Businesses must track all actions and related issues, including when the data was captured, for what purpose, under which terms and whether consent was granted. They even have to keep records of the decisions they made using that data.
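Step 4 names pseudonymization as one of the safeguards, and step 2 requires that the business can still assemble a full view of a customer on request. The example below, added here and not taken from the article, shows how those two pull against each other in practice: a customer record is split into a working copy that carries only a keyed token, and a separately stored vault entry that maps the token back to the person. The field names, the sample customer and the choice of HMAC-SHA256 are assumptions for illustration. The keyed construction matters: a bare SHA-256 of an e-mail address can be reversed by anyone who hashes guessed addresses, so the key must be held by the controller and kept apart from the pseudonymized data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Fields treated as direct identifiers in this example (an assumption; a real
# data inventory decides which fields count as personal data).
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def pseudonym(identifier: str, key: bytes) -> str:
    """Return a keyed pseudonym for one identifier.

    HMAC-SHA256 rather than a bare hash: with a plain SHA-256 of an e-mail
    address, anyone holding the dataset can recompute hashes of guessed
    addresses and re-identify people. The key lives with the controller,
    not with the pseudonymized data.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split a customer record into a working copy and a vault entry.

    The working copy keeps non-identifying attributes plus a stable subject
    token, so downstream systems can still join on it. The vault entry
    (token -> direct identifiers) is what must be stored separately and
    access-controlled, because it re-identifies the person.
    """
    token = pseudonym(record["email"], key)
    working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    working["subject"] = token
    vault_entry = {token: {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}}
    return working, vault_entry


def reidentify(token: str, vault: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Resolve a token back to the person, e.g. to answer a subject access request."""
    return vault[token]


def demo() -> Dict[str, object]:
    """Run the split on a constructed sample customer and return checkable facts."""
    key = secrets.token_bytes(32)        # controller-held secret, stored apart from the data
    other_key = secrets.token_bytes(32)  # e.g. another tenant's key, or a rotated key
    customer = {                         # constructed sample values, not real data
        "name": "Ada Example",
        "email": "Ada@Example.test",
        "phone": "+44 0000 000000",
        "country": "FR",
        "plan": "premium",
    }
    working, vault = pseudonymise(customer, key)
    # Same person, differently cased e-mail: normalisation keeps the token stable.
    again, _ = pseudonymise({**customer, "email": "ada@example.test"}, key)
    return {
        "working": working,
        "leaks_identifier": any(f in working for f in DIRECT_IDENTIFIERS),
        "stable": working["subject"] == again["subject"],
        "key_bound": pseudonym(customer["email"], other_key) != working["subject"],
        "roundtrip": reidentify(working["subject"], vault)["email"] == customer["email"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The working copy is what marketing or analytics systems see; the vault plus the key is what the controller uses to honour a customer's request to see everything held about them. Rotating the key re-tokenizes the whole dataset, which is why the `key_bound` check is worth keeping in a test suite: it confirms that a leaked working copy cannot be matched against guessed identifiers without the key.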

With so many things to consider, it’s not a question of if businesses will have a system to manage GDPR compliance; it’s whether they will have a system to manage the systems that they will need to manage compliance.

And, of course, all of this takes time. Every impacted business needs to start planning its GDPR strategy before it’s too late. How is your organization tackling GDPR readiness?

In part two, we will discuss how GDPR is much more than just the compliance issues outlined above. These are just the basics. GDPR’s impact goes well beyond matters of risk — it will have a very real impact on revenue.