GDPR, how to become a Trusted brand?
03 May 2018
On May 25th, the new General Data Protection Regulation (GDPR) comes into force, which implies the commissioning of a secure European common space for the adequate treatment of personal and sensitive data. One of the objectives of this new regulation is to organize the treatment and protection of data on which organizations currently base their business.
In an environment in which the user is increasingly demanding and better informed, the loss of reputation and trust in a brand, can be equally decisive for organizations; economic sanctions associated with the breach of the rule will oscillate between € 20 million or 4% of the annual turnover of the previous year.
The GDPR was approved today, two years ago. Since then, a lot has been said and written on the subject. Nonetheless, it seems that a large part of European organizations are still not ready. Thus, in a report published by the IDC analyst a few months ago, it was said that most of the Spanish companies were still starting their journey towards the new regulatory framework, and that 65% of the organizations did not have a clear strategy for compliance. For its part, Forrester says that only 26% of European companies claim to comply with the standard.
WHERE TO BEGIN?
GDPR affects, directly or indirectly, all the departments of a company, from Technology to Human Resources, going through Marketing, Operations, Digital… so it is normal to feel a bit overwhelmed.
First of all, there should be no panic. In the case of Spanish companies, the Organic Law on Data Protection (LOPD, due to its Spanish name) is already complied with, which is a good starting point. Afterwards, with some concepts, good planning, and adequate execution plans, adapting the processes to the regulations will not be so traumatic. The important thing is, as with everything, to start by taking the first step.
In this sense, the most advisable thing is to begin with an assessment process in which the impact that the new regulation will have on people, business, and technology is determined. According to its results, a road map must be designed that addresses the critical points detected and that allows complying with the GDPR with guarantees in the shortest time possible. Those steps should already be in place. And being optimistic, I think that’s the way it is.
Now, more specifically, and depending on the reality of each organization, these would be some fundamental milestones on the way to an orderly adoption of the new regulations:
Legal Scope. Impact Evaluation in the Protection of Personal Data (EIPD/PIA).
Digital Scope. Friendly user experience, accessible, and clear capture of data.
Security Scope. From the development of applications to the activity of employees.
Government and Data Quality Scope. Appropriate processing, storage, and insurance.
According to this model, the first step will be in charge of the legal department of the company, through an Impact Assessment on the Protection of Personal Data (EIPD/PIA). This exercise consists, according to the Spanish Agency for Data Protection, of an analysis of the risks that a given information, product, or service system may entail with respect to the fundamental right to protect the information of those affected, as well as to the management of said risks through adopting necessary measures to eliminate or mitigate them.
Different experts point out the importance of carrying out this exercise in the initial stages of the design of a new information system, like this, they will be able to identify possible risks and correct them in advance, something that accompanies a clear cost saving. Likewise, an EIPD/PIA becomes the basis on which a relationship of trust and transparency with customers is built.
Secondly, from the Digital scope, it is necessary to work with and offer audiences that interact with the company through the different channels available to them – social media, web, mobile, voice… – a friendly and accessible User Experience (UX), that facilitates data collection, acceptance, and management of consents, as much as possible.
BE TRANSPARENT MY FRIEND… BE TRANSPARENT
Transparency has become a key factor for brand reputation. If a user does not see clearly the terms and conditions that the organization proposes when requesting data, surely, he or she will not accept them, which will be a lost business opportunity. In this sense, the implementation of a portal for the exercise of rights in terms of treatment and use of data is a good option to promote this transparency. Providing users, customers and/or citizens with control over their personal data will make a brand more reliable.
The next step is marked by security, this step involves everyone from the developers of the applications to the last employee of the company. If a programmer uses an unsecure code in the development of an application, it is possible that cybercriminals will have an easier time entering the systems of the company through software vulnerabilities. On the other extreme, if an employee is not aware of the importance of maintaining basic security practices in his or her daily activities, they will surely be opening an access door to corporate networks and thus compromising the data they contain.
Finally, data is the heart of current organizations, but data comes in multiple formats and from multiple sources. Also, the amount of data that is generated every minute grows exponentially. It is necessary to treat them, store them, and guarantee their correct safety. The quality of data is another key factor in compliance with the GDPR.
OBLIGATIONS AND OPPORTUNITIES
GDPR new opportunities, new obligations of the European Commission explain everything that companies should know about the General Data Protection Regulation and the great business possibilities it offers.
It is clear that the implementation of the GDPR involves many obligations for companies – both public and private ones – especially in what has to do with the enforcement of a new code of conduct and, as we said before, with greater transparency and efficiency in the management of the data. In fact, the obligation to report any security breach in less than 72 hours gives us an idea of the exhaustive registry and control to which companies must submit the processing of their data.
However, the new “state of the art” services that the GDPR will bring will also promote a new model of proactive responsibility and guarantee the updating and, above all, the quality of the data, which, in turn, will be a great opportunity to improve its management. Speaking of opportunities, these are some of the most relevant:
Better understanding – by companies – of the value of their data. This will allow the creation of trustworthy liaisons with clients and/or citizens for those who may even personalize the type of message or communication based on their preferences, tastes, or needs, which also represents a greater empowerment of the client/citizen with everything that it entails.
Protection as a brand purpose. The perception of a sensitive company with such delicate aspects, such as the protection of personal data, already provides an image of guarantee and responsibility regarding privacy, which is very positive for brands. GDPR will encourage companies to use the privacy and security of their information – from an ethical point of view – as a brand purpose and users will respond positively to this exercise of commitment and transparency.
Safer business processes = proposals for more efficient solutions. This is the principle with which organizations will begin to become familiar to drive positive change. Explain transparently how personal data are used, why, at what time they can or should be deleted, who has access to information, who is responsible for ensuring the security of the data, …, implies a thorough review of business processes, but will also generate greater confidence within the organization that will be projected on its value proposals abroad.
Nobody said it was simple, but it is not impossible either. It is more a question of mentalization, of changing cultures, of adopting a series of good practices and identifying the tools available in the market that are capable of solving many of the challenges we now face with the entry into force of the GDPR. The prize – to become a trusted brand, a reference for our users – is worth it.