On 25th May 2018, new rules and legislation concerning the collection, storage and processing of personal information relating to individuals in the European Union (EU), also known as General Data Protection Regulation (GDPR), will come into effect.
The GDPR is a legal framework setting guidelines for the collection and processing of personal information of individuals in the European Union. With GPDR there will be a focus on evidence-based compliance with specific requirements for transparency and harsh penalties for non-compliance. In fact, for companies who fail to comply, the consequences can be significant, resulting in up to €20m, or 4% of a company’s annual turnover—which when calculated at the group level for multinationals could add up to huge penalties.
The new GDPR regulations state that all customer data must have an audit trail and be time stamped, and that companies are required to document how contacts consented for their personal information to be saved. In addition, organisations are legally bound to honour their customers’ requests to erase their personal data or transfer their data from one system to another. Companies are recommended to routinely perform data protection impact assessments and have a designated data controller within the business who is responsible to notify customers and the Information Commissioner of any data breach within 72 hours of it being detected.
The first step for compliance is taking a full inventory of wherever customer data appears in your organisation.
Locating customer data presents several challenges. In addition to the CRM database, which is the obvious first place to look, one should consider that the data can and most likely will reside in other systems used for marketing automation and lead management. In addition, personal information can be stored as unstructured data in social media posts, emails, voice recordings and spreadsheets, to name a few.
Consider also that data can be located across different regions and offices, which may or may not use the same CRM systems. International data transfers will also need to be monitored for organisations where customer data is processed outside of the EU.
With the increasingly mobile workforce and the adoption of cloud infrastructures, data can even be found in places that it shouldn’t be, such as in third party cloud services, laptop devices, or even file shares in publicly available parts of a network. In short, it’s no small task to try to find every instance of customer data in your network.
There are several different tools that can help create an audit trail across the entire customer data ecosystem. Integration platforms however can provide the glue that’s needed to find and then integrate data from different vendors, locations, and devices. Low-code development environments enable employees who aren’t trained programmers to get involved with this integration process, which is even more essential as increasingly more and more departments and business functions within the organisation are the ones responsible for collecting, consuming, and analysing their data.
In addition to integrating systems to identify each instance of customer data, additional business processes involved with documenting a customer’s complicity with storing their data need to be put in place. All forms that capture customer data must be integrated fully with the back-end systems to ensure compliance by tracking every instance of where the data is shared and stored.
The entire process of lead generation also needs to be tracked. For example, contact creation through your CRM system will need to go through an ‘opt-in’ process rather than just be included automatically into marketing contact databases. The same applies for contact information collected at industry events and when you receive contacts from a third party.
These requirements also need to be enforced for channel partners. Does a partner have authority to share contact information with a manufacturer? If yes, the appropriate and proper procedures for opt-in needs to be followed and documented.
These rules also apply to previous and existing customers. All personal details have to be deleted. You can’t simply mark “do not contact” in your CRM database. The data needs to be erased in all systems where it appears.
The digital economy is built on the collection and exchange of data, including large amounts that consist of personal sensitive data. Moving ahead with innovation requires public confidence in the protection of this information. Complying with GPDR will require a business-led approach that looks at the whole business model and how these requirements come into play. With May right around the corner, it’s never too soon to begin finding all the sources of customer data, wherever that may be and starting your GDPR compliance journey.