In less than 1 year the General Data Protection Regulation (GDPR) will be enforced. If you haven’t heard by now; the GDPR will fundamentally change the way that companies capture, manage and store information of EU Citizens. The primary aim of the regulation is to protect EU Citizen’s right to privacy, give them back control over their personal data, unify privacy regulations across the European Union and increase data trust and confidence in this digital age.
However, despite the potential fines of 4% of global turnover starting in less than year – 25 May 2018 – research indicates that many organizations are behind schedule for compliance. Recent analysis from Oliver Wyman indicates the FTSE 100 companies could face fines of up to £5 billion a year. Had GDPR been in place for the past five years, the consultancy’s analysis shows that FTSE 100 companies could owe up to £25 billion in fines to EU regulators. To put that into perspective, if we thought the recent £400k TalkTalk fine was big – that would have been £59million under GDPR. UK ICO Elizabeth Denham has warned businesses that regulators will be vigilant, and will be looking at “Accountability and data governance… not just investigating data security incidents.” What does this mean? Under GDPR a business must not just be compliant, they must demonstrate and be able to proactively prove compliance.
A recent survey from the Direct Marketing Association showed that just over half of businesses say they are on course or ahead of their plans to be ready by 25 May 2018, with a further quarter of companies yet to even start a GDPR plan. Why are so many organizations unprepared? Uncertainty over the applicability of GDPR after Brexit may have stalled preparations in UK. However, as our previous blog highlighted, despite Brexit; ‘GDPR means GDPR’. The UK will still be a member of the EU when the regulation is enacted, and in any event, the extraterritorial nature of GDPR means it applies to any company worldwide doing business with EU citizens. Multinationals are taking notice, a PwC pulse survey asked C-suite executives from large American multinationals about their GDPR plans and found that 77% plan to spend $1million or more on GPDR, with over half of US multinationals reporting GDPR as their top data protection priority. The facts are clear: regardless of location; GDPR must be prioritized over the next year to avoid major financial penalties.
Consent driving customer trust
According to the DMA survey, B2B marketers are the least prepared, and the biggest change they’re worried about is consent. Under GDPR individual data rights are strengthened, with consent as the cornerstone of the customer data relationship. By enabling consumers to withhold and withdraw their consent, GDPR puts a high price on consumer trust. Organizations must review how they seek, obtain and record consent and ensure it is ‘freely given, specific, informed and unambiguous.’ Customers must know exactly what they consenting to and give an affirmative action – silence or inactivity or pre-ticked boxes will not constitute consent.
Looking at fines and consent non-compliance: article 83 of the GDPR states that infringements of the basic principles of processing, ‘including conditions for consent’ can be subject to the highest level of fines (so 4% of total worldwide turnover of the preceding financial year). Marketers are particularly concerned about what new opt-out consent requirements will mean for their organizations, and will mean losing access to customer data.
Consent management technology solutions
My advice? Don’t fear engaging the customer and use GDPR as an opportunity to engage in a trusted, transparent relationship and create new services built on two-way flows of permissioned data. In this digital age; data is the fuel that powers businesses and technology companies should be involved in every stage of the process.
Technology exists that can enable business to evolve to this new data protection paradigm by capturing and immutably recording legal basis for processing customer data (consent or otherwise). In addition, moving to all digital processes not only improves customer experiences but it drives down costs – welcome news to businesses increasingly under pressure to watch their bottom line and compete. Active consented data is more powerful than inactive, stale-dated information and businesses that embrace technology to solve GDPR, above and beyond ticking boxes, will win over those who don’t.