…and why you may need to be compliant before 25th May 2018!
On 25th May 2018 the General Data Protection Regulation (GDPR) becomes enforceable. Irrespective of our relationship with Europe now or in the future, companies will need to abide by it if they process personal data relating to individuals in the EU. This is one of the key differences between GDPR and the 1998 Data Protection Act, and is likely to be a theme in other global data regulation.
This article outlines some of the new elements that GDPR contains, to aid general direction finding. There will be processes to implement, as with any regulation, but also a few areas that may require closer consideration. We will look at 5 areas worthy of consideration and suggest 5 things for which implementing GDPR could be helpful.
Finding your direction : the GDPR Compass
5 Key considerations
1. Personalising your services
I am calling this out because there is such a strong trend in this area, particularly in B2C commerce. It may also apply to small businesses, where the identity of the person is almost interchangeable with the identity of the business.
- Your approach to big data, personalisation and profiling (and pricing) based on people’s data, including technical identifiers such as IP address or MAC address (which GDPR treats as personal data where they can be linked to an individual), may need to be reviewed. At the very least you will need to be clear with people about what you are doing and request their specific permission to do it. This applies to online interactions as well as offline, for example any in-store interaction with people’s phones or mobile apps.
- You need to be able to provide meaningful information about the logic behind the personalisation (particularly where there are pricing implications or changes to the actual services provided), and fully secure the data and models involved in the personalisation algorithms.
- This includes the way in which external data sets (e.g. Facebook) are used.
- As above, explicit permission (i.e. “I want this”) will be required rather than implicit (i.e. “you didn’t say you didn’t want it”), or consent implied because someone came into your store.
2. Review how you use and create ‘anonymous data’
Pseudonymisation (replacing key identifying information such as names with a token or hash) does not make data anonymous: it remains personal data under GDPR if the individual, or a small group of individuals, can reasonably be inferred. This includes inference by matching the data with other data you hold, with data that is available publicly, or with “public knowledge”. Only data from which the individual can no longer be identified by any reasonably likely means falls outside the regulation.
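To make the point concrete, here is an added example in Python (it is not from the article) showing why pseudonymisation is not anonymisation. A constructed customer export, with names replaced by hashes but postcode, birth year and sex left in place, is re-identified by joining it on those quasi-identifiers with a constructed “public” listing; a k-anonymity check exposes the unique records; and generalising the quasi-identifiers raises k so the join becomes ambiguous. It also shows that an unkeyed hash of a guessable value (a name, an IP or MAC address) is reversed with a dictionary, while a keyed HMAC resists that but can still be re-linked by whoever holds the key. Every name, postcode and record below is invented for the example.

```python
"""Linkage attack on a pseudonymised data set, plus a k-anonymity check.

Added example for this article; all records below are constructed for
illustration and do not describe any real organisation or person.
"""
import hashlib
import hmac
from collections import Counter, defaultdict

# Quasi-identifiers that the "anonymised" export leaves in place.
QUASI = ("postcode", "birth_year", "sex")


def pseudonymise(name: str) -> str:
    """Unkeyed hash of the name: a common but weak pseudonym."""
    return hashlib.sha256(name.encode()).hexdigest()[:12]


def pseudonymise_keyed(name: str, key: bytes) -> str:
    """HMAC pseudonym: resists dictionary reversal without the key, but the key
    holder can still re-link it, so the data stays pseudonymised, not anonymous."""
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:12]


# Constructed "pseudonymised" customer export: names removed, quasi-identifiers kept.
CUSTOMERS = [
    {"pseudonym": pseudonymise("Alice Smith"), "postcode": "SW1A 1AA", "birth_year": 1980, "sex": "F", "purchase": "hearing aid"},
    {"pseudonym": pseudonymise("Bob Jones"),   "postcode": "SW1A 2BB", "birth_year": 1984, "sex": "M", "purchase": "insulin"},
    {"pseudonym": pseudonymise("Carol White"), "postcode": "SW1A 1AA", "birth_year": 1983, "sex": "F", "purchase": "vitamins"},
    {"pseudonym": pseudonymise("Dan Brown"),   "postcode": "SW1A 2CC", "birth_year": 1988, "sex": "M", "purchase": "inhaler"},
]

# Constructed public auxiliary data (think electoral roll or social-media profiles).
PUBLIC = [
    {"name": "Alice Smith", "postcode": "SW1A 1AA", "birth_year": 1980, "sex": "F"},
    {"name": "Carol White", "postcode": "SW1A 1AA", "birth_year": 1983, "sex": "F"},
    {"name": "Bob Jones",   "postcode": "SW1A 2BB", "birth_year": 1984, "sex": "M"},
    {"name": "Dan Brown",   "postcode": "SW1A 2CC", "birth_year": 1988, "sex": "M"},
    {"name": "Ed Green",    "postcode": "SW1A 2BB", "birth_year": 1987, "sex": "M"},
]


def quasi_key(row, attrs=QUASI):
    """The tuple of quasi-identifier values used to join the two data sets."""
    return tuple(row[a] for a in attrs)


def link(pseudonymised, public, attrs=QUASI):
    """Join the export to the public data on quasi-identifiers.
    Returns {pseudonym: [candidate names]}; a single candidate means re-identified."""
    index = defaultdict(list)
    for p in public:
        index[quasi_key(p, attrs)].append(p["name"])
    return {r["pseudonym"]: list(index.get(quasi_key(r, attrs), [])) for r in pseudonymised}


def k_anonymity(rows, attrs=QUASI):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one record is unique and hence linkable."""
    return min(Counter(quasi_key(r, attrs) for r in rows).values())


def generalise(rows):
    """Coarsen quasi-identifiers: outward postcode only, 10-year birth band."""
    out = []
    for r in rows:
        g = dict(r)
        g["postcode"] = r["postcode"].split()[0]
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


def reverse_pseudonym(pseudonym, candidates):
    """Unkeyed hashes of guessable inputs (names, IP or MAC addresses) are reversed
    simply by hashing each candidate input; returns the matching name or None."""
    for name in candidates:
        if pseudonymise(name) == pseudonym:
            return name
    return None


if __name__ == "__main__":
    print("k-anonymity of raw export:", k_anonymity(CUSTOMERS))
    for pseud, names in link(CUSTOMERS, PUBLIC).items():
        print(pseud, "->", names)
    gen_c, gen_p = generalise(CUSTOMERS), generalise(PUBLIC)
    print("k-anonymity after generalisation:", k_anonymity(gen_c))
    for pseud, names in link(gen_c, gen_p).items():
        print(pseud, "->", names)
    print("dictionary reversal:", reverse_pseudonym(CUSTOMERS[0]["pseudonym"], [p["name"] for p in PUBLIC]))
```

In the raw export every record is unique on (postcode, birth year, sex), so the join recovers a single name for each pseudonym and the “purchase” column is now attached to a named person. After generalisation each group has at least two members and the join can no longer single anyone out; in a real review you would set a target k (and look at whether the sensitive column still varies within each group) rather than stopping at hashing the names.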
3. Consider your strategy and architecture for the hosting and processing of data
The law is based on where the individual is, not on the jurisdiction your company operates under or where your data resides, which was the assumption under the Data Protection Act.
This is likely to be the trend in global data law. If you have customers globally you need to comply with GDPR, plus US state legislation, and so on. So you may have to apply different rules within your data set depending on whose data it is, and apply the segmentation that the applicable law defines (e.g. definitions and controls for children’s data and its processing).
This has the potential to change your cloud hosting strategy, your database architecture and software architecture.
4. Some elements could be a challenge
GDPR follows standards such as PCI DSS v3 in essentially mandating a responsibility to assess your suppliers (your data processors) and to bind them contractually to the same obligations.
Plus: cease processing or erase data on request without undue delay, and ensure all data is up to date. This will require updates to supplier contracts and responsive systems to handle these processes, and as you know those types of interfaces (whether IT-based or not) can take time to set up and test.
Some data sets may relate to more than one person, and there may be complications in handling elements such as explicit permission or requests to cease processing in those circumstances.
In relation to point 3 above, the number of different systems you have, how you store the data within them and the degree to which they are linked (or not) may raise challenges, particularly around keeping data up to date and meeting requirements to cease processing.
5. …and here is why you may need to be compliant before 25th May 2018
Think about how you are going to ‘cut over’ from existing data protection law to GDPR. This will be particularly relevant for B2C organisations and their communication, marketing and personalisation activities, specifically the process of gaining explicit consent so you can continue, where previously you may have relied on implied consent.
It means that your date for implementing new compliant processes is sooner than 25th May 2018, to allow for those transition activities.
5 Things implementing GDPR might help you with (other than avoiding large fines for breaches)
Note: This is written for companies that own and hold personal data (data controllers). There may be further commercial opportunities for companies that act as data processors or provide equipment and services, where a particular approach to GDPR may provide competitive advantage.
1. Grow your business by understanding your data
GDPR requires you to understand the data you hold. A review of this, and consideration of what you do and don’t need, should highlight the potential value of the data to your organisation. How could you use this data to better understand or grow your business?
2. Take a customer-oriented view of your data
If you are asking your customers (or potential customers) for permission to use (process) their data, then it should be in the customer’s interest. How can you improve how you use their data to add value to their lives and to the services you provide?
3. Ensure the quality of your data
The old maxim garbage-in-garbage-out applies. This legislation may help in promoting the need for accurate customer data to those in your organisation, which in turn should improve the quality of the data you use to provide insight, transact and grow your business.
4. Understand the controls and security that apply to your customer’s data
Trust is such a key component of your brand value. GDPR may be helpful in reviewing your arrangements, and those of your suppliers and partners, to protect you against being the next data-security news story. You will need to consider security as part of your implementation, and this may help in getting it on the agenda or setting the pace.
5. It may bring a better understanding about the data architecture in your business
Sometimes it can be difficult for IT to articulate to non-IT people the implications of having a large number of specialist, “siloed” systems. The process of implementing GDPR may help to build a better understanding of that and draw out some helpful discussions about your application strategy.
I hope this article is helpful and raises some useful points for you. It’s not intended to be an exhaustive review of GDPR and its impact on your organisation, more to give some general pointers.
Feel free to contact me if you would like to discuss the points in more detail or if it raises some challenges in your organisation.
Thanks for reading,
Who are Qualocity and why are they interested in this?
Qualocity (Direction + Pace + Quality) increases the effectiveness of your change and systems development portfolio, providing interim accountability for delivery and empowering your organisation to leave a lasting improvement. Find out more here…
What is the relevance of this to what Qualocity does?
Understanding the environment and legislation that “change” is being applied to, and that systems operate in, is important in ensuring a quality outcome, i.e. one that suits the intended purpose.
A bit about Stuart, Qualocity Founding Director
Stuart is experienced in senior IT leadership within regulated environments to director-level with a long track record of building capability and practice to deliver transformational change, both within the business and the IT team. Technically astute, he draws on a wealth of experience and understanding across all areas of IT, engaging with senior business leaders and technical experts, to deliver a quality outcome.
ILM qualified, he uses coaching techniques to enrich and empower your IT team to leave a lasting improvement.
He is particularly familiar with front-end digital and contact-centre systems that facilitate the customer journey and relationship, and end-to-end process-driven systems such as case-management and ERP, to achieve digital fulfilment.
He has also held Data Protection Officer responsibilities, implemented Freedom of Information, and been accountable for IT system compliance with regimes such as FCA rules and PCI-DSS (Payment Card Industry Data Security Standard). He has a track record in contract negotiations and engaging with audit activities.