Technologists, marketers and business leaders should be well aware of the upcoming regulation that will soon dramatically change the way organisations managing customer data operate. Which means, in effect, just about every organisation doing business in the European Union should be well on their way to at least minimum compliance, if not a full embrace of the new customer-centric mode of business that the General Data Protection Regulation (GDPR) represents.
Why? The regulation will be enforced from 25th May, 2018. In an ideal world, organisations will have made great strides towards understanding, compliance, and indeed, approval of the ways the EU is directing business of all types to collect, manage, govern (and even delete) customer data in a respectful and solicitous way. It should make for stronger customer relationships, with high quality customer data made available for business use by willing consumers.
Whilst it may be hard for those making great strides to compliance within the tech or marketing departments who are living through their GDPR readiness process, many organisational surveys show that lots of business decision makers are still unaware, overconfident, or ignorant of what the GDPR really means for their organisation.
For the technologists of the business, the picture need not be so unclear. It’s the IT team under the overall direction of the technology decision makers that must ensure that all data collection, processing, and management takes place in accordance with the new regulations.
There’s no need to go into great detail into those regulations here, as a veritable industry has grown up explaining GDPR, but a quick recap of the major points, and why it’s important to take it seriously include:
New & Improved Rights For Consumers
GDPR brings a number of new rights like the right to erasure (‘right to be forgotten’), or enhances others, like the ‘right to be informed’. These will put pressure on the business to deliver accurate and timely data searches and amendments in line with GDPR guidelines.
Data Protection Officer (DPO)
Businesses are required to appoint a DPO to assist in compliance with GDPR. The legislation tasks responsibilities to the role, and it’s needed whether the organisation is acting as a ‘processor’ or as a ‘controller’, where processing operations require monitoring of people on a large scale.
Enhanced Obligations On Data Processors
Under the old UK Data Protection Act (1998), the obligations were only on data controllers. Under GDPR, processors have obligations. They will be accountable for compliance beyond any contract terms, and in keeping data safe and secure. It’s vital that organisations know what their suppliers are doing.
Backed Up With Teeth
The regulation allows some hefty fines for non-compliance if a business is at fault and mismanages consumer data, or allows it to leak. These could be up to 4 per cent of the company annual revenue, or €20m – whichever is higher. Clearly, this is not something an organisation wants to contemplate.
‘Piggybacking’: What Does This Mean For Business Technology?
From the get-go, or first contact with a customer, everything about data collection changes. For most brands, this is the website. Right now, research shows that confusion still reigns around accountability for GDPR compliance. Businesses have a legal requirement to ensure clear communication of the processes and parameters for data use, across all digital channels regardless of who runs them. Yet despite this, 46 per cent of UK marketers believe their company isn’t responsible for data collection across all digital properties.
Given that a major part of the spirit and letter of GDPR is that informed consent must be provided before data may be collected and used, it becomes totally unacceptable that customer privacy is being flouted as a general part of using the web. This has to change for the 25th May, or else firms will be in breach of the regulation – even without using that customer data themselves!
Even companies wanting to comply need to be extremely careful to avoid collecting any personal consumer data prior to consent, because erasing data after the fact is not a feasible option. Unfortunately, the current marketing technology ecosystem which developed over the past decade was not designed to remove data.
Managing the required technology changes sooner will not only get the website ready for the May deadline, but it will go a long way to improving the overall user experience – and ensuring that customers aren’t confused by a sudden new look and consent options in May. The sooner communications begin, changes are signposted and explained, the sooner real trust is created. And whilst this is to a great extent a marketing and customer care department challenge, the technology platform is what everything relies on to function efficiently, effectively – and compliantly.
Only Tech Can Stop Data Leakage
As well as a blanket ban on the piggybacking of unauthorised tags (likely best controlled through real-time whitelist and blacklist control in the browser), ensuring enforcement of data collection consent over all tags and website functionality is key.
This can only be driven by personalised 1:1 privacy consent for all web visitors. The most elegant solution may be for most organisations to deliver customer consent overlays directly onto web pages. This gives visitors a positive experience with respect to consent communications – and simplified control over data collection by various marketing technologies. Given the global reach of the web, being able to easily customise privacy choices to match all local languages will be a crucial element that may play a big impact in the way customers respond to their new rights.
Only Tech Can Engender Trust
It comes down to the technology platform to create the brand trust consumers will become increasingly aware of as brands shoulder greater responsibilities in protecting personally identifiable information. Additionally, it falls to the tech team to manage the process of visitor audit trails, which must be made available upon regulatory request.
All sites will require a consent manager so that visitors may directly view, change and withdraw consent for various data uses at any time. These will need to be connected to all the different technologies and third party suppliers that manage the various web operations a site requires.
Indeed, connecting these elements of privacy, consent, company and third party data, and sharing them appropriately, will be fundamental to modern business success in 2018.
Ultimately, you are only as good as your data. GDPR will force businesses to reassess their relationship with customers and will create a whole new meaning to the ‘value exchange’, where consumers receive personalised, meaningful content and services, in return for transparent use of personal data.
It’s the tech team who are now on the front line, with the website the first engagement between the ideals of the GDPR, and the reality of customer interactions. But to pull this off they’ll need to work with the marketing team – because the great majority of tags on the website are there to service the marketing team’s needs.
It’s a chance to cross siloes and create a smooth process to get the whole company prepared for the changes ahead.