The General Data Protection Regulation (GDPR) takes effect on 25th May 2018, and businesses across Europe and the world are racing to ensure compliance in time for the deadline. More than a simple administrative compliance exercise, the regulation will bring with it dramatic changes to data protection laws and provide individuals with enhanced rights to data privacy. There has been much negative coverage and scaremongering surrounding the regulation, but perhaps GDPR will in fact offer businesses an opportunity to rebuild a forgotten confidence with customers.
The GDPR concerns every EU citizen and every organisation within the EU or that deals with the EU and collects, processes and stores “personal” data. The term “personal data” relates to any piece of information that can directly or indirectly identify an individual. It can include name, date of birth, address details, photographs, email address, bank details, social networking accounts and IP address. It can also include ‘sensitive data’ including medical records, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. The list goes on…
Of course, if a business is to deliver a service to its customers, it must have the ability to identify them through the collection of relevant information. This is all the more necessary when personalising the service to individual needs. The GDPR does not question this, but it does require us to clarify the rules and procedures put in place that will reduce the risk of identification of individuals and invasion of their privacy. Like any new regulatory obligation, the GDPR appears at first glance to be a constraint, particularly given the size of the sanctions foreseen in the event of a breach: up to 4% of the company’s global turnover or EUR 20 million.
But the GDPR also offers the opportunity to develop a new confidence pact with customers by enforcing transparency around the purpose of data collection and storage. Online interactions are part of our daily lives, and sharing our data on retail websites, social media networks and mailing lists is a normal activity, but as it becomes the norm so too, it would appear, does our discomfort. A recent Wavestone survey conducted across six countries, including China, France, Germany, Italy, the United Kingdom and the United States, found that half of those surveyed believe that their information is used for purposes other than those they have approved. The survey also revealed that French consumers have the least faith in public and private organisations, with 64% stating they did not trust organisations to protect their personal information.
The importance of transparency
The official text of 27 April 2016 states that information on the processing of personal data under GDPR should be “easily accessible and easy to understand, and that clear and plain language be used” (Article 39). This goes a long way in helping individuals to exercise and understand their rights when it comes to data privacy. A 2017 YouGov survey on GDPR and data security revealed that 96 percent of those polled confessed to never reading all, if any, website terms and conditions, privacy policies and cookie consents. This is a clear indicator that privacy policies should be easier for consumers to access and understand. Privacy policies and terms and conditions presented on websites and social networks are often so indigestible that, even knowing the risks and with increased concern about the protection of our privacy, we still do not read them. We simply check the box!
Businesses should take advantage of the application of the GDPR, using it as an opportunity to rewrite privacy policies by thinking a little more about the people they are aimed at.
In France in May 2017, the Commission Nationale de l’Informatique et des Libertés (CNIL) imposed a fine of 150,000 euros on Facebook for numerous breaches of the French data protection law (Loi Informatique et Libertés) in its management of users’ personal data. Facebook was criticised for carrying out “massive combinations of personal data of Internet users for purposes of targeted advertising”, to which they “have not consented and cannot oppose”. It was also criticised for not collecting the express consent of Internet users when they provided sensitive data in their profiles, in particular their political opinions, religious beliefs or sexual orientation.
Consent must be explicit
Another important requirement under GDPR is that customers must be able to decide with knowledge, from a text that is clearly explained, what they are committing to and what a company will do with their data. The GDPR makes it easier for individuals to revoke their consent, so the obligation doesn’t end once consent is granted. It can be revoked at any time. Consent can be granted for the use of data for a specific purpose and then revoked, only to be granted again for another purpose. In the event of a dispute, you must be able to prove that, at the time the data was used, you were fully entitled to use it for that purpose.
A time for change
As the 25th May approaches, businesses across the globe must ensure they are prepared for the change. The risk to image and reputation, as well as the financial penalties foreseen in cases of non-compliance, should encourage companies to focus on building knowledge of the regulation and ensuring compliance in time for the deadline. What is at stake for all organisations is the confidence of customers, who, if they agree to communicate personal data, expect it to be managed respectfully. Organisations should use this opportunity to discard unnecessary legacy data and build better trust relationships with consumers while updating internal policies and procedures.
Guest Blog by Diabolocom founder and CEO, Frederic Durand
Diabolocom is a software publisher and telecommunications operator that offers an omnichannel cloud solution for sales, customer service, and contact centres.
Thanks to its speed of implementation, its intuitive interface that is fully integrated with the main CRMs on the market, and local business support, Diabolocom allows companies to offer benchmark customer experiences and improve their operational performance. Diabolocom supports the digital transformation of more than 250 companies in 20 countries, including: ENI, Engie, Air Liquide, Smartbox, Coyote, Photobox, Wonderbox, Galeries Lafayette, Decathlon, Carrefour, AG2R La Mondiale, Bonduelle, Webhelp, Teleperformance, etc.