Myth – GDPR is an expensive and time consuming compliance headache.
Not true! 40% of companies yet to do something about it (Institute of Director research). These are the companies that have a strategic opportunity and if looked at in a customer context the compliance overhead is nowhere near as complex as it first appears.
Read on and I will explain.
In about 6 months from now, the General Data Protection Regulation (GDPR) will be coming into effect. This new regulation has been enacted in 2016, and many organisations have been investing time and resources to prepare and be compliant by May 2018.
However, there are still many organisations that have done nothing, hoping it will somehow “go away”. The thing is, despite Brexit, the GDPR will apply in the UK because 1) it is being rolled into the UK Data Protection Action, and 2) many businesses have a customer base across Europe, and to continue to market to them, they need to comply with this new regulation.
Whilst a lot of the talk has focused on the stricter compliance requirements and the hefty fines (increasing from a maximum £500,000 under the current regulations to up to €20M or 4% of global turnover, whichever is higher), businesses should instead leverage the opportunity that GDPR presents.
How could this be done? Well, the open nature of the legislation makes it a principles-based regulation, centred around two key principles: accountability and transparency. As the legislation does not provide definitive answers, businesses will have the flexibility to define new data handling practices that allow them to meet their business requirements, while at the same time satisfy the principles of accountability and transparency.
Ultimately, embracing the GDPR will allow businesses to gain competitive advantage and achieve operational efficiencies, including:
Demonstrating Accountability may be simpler than it seems:businesses should invest in establishing organisational processes and procedures to ensure they are handling the data in a compliant way. This includes data handling policies and processes, breach prevention and management procedures (in the event a breach does occur), training programmes, and regular audits to ensure the policies and procedures are being followed. By having these in place, and documented, businesses will be able to demonstrate that they have taken measures to be accountable.
Gaining customer trust: the Transparency principle means that organisations have to be able to demonstrate that they process customer data fairly, and this is a fundamental factor to create customer trust, and gain their loyalty over the long run. Organisations that implement good data handling practices, document them and can prove it will win the trust of their customers.
Improving data retention practices: there are many bad practice examples of organisations that keep customer data indefinitely and communicate with inactive and unengaged audiences. This costs money and generates low ROI. On the other hand, there are those organisations like Wetherspoons that deleted their entire email database to focus on their web and social channels where engagement is much stronger. With the GDPR, businesses should not keep data longer than needed, as such it would be an opportunity to delete old records that are unresponsive, and focus on interacting with a smaller yet more engaged audience instead.
Establishing an integral data protection policy: the GDPR applies not only to customer data, but also extends to employee, supplier and other 3rd party data. Establishing an integral data protection policy will ensure compliance with the GDPR for all these different data types, while at the same time gain the trust and loyalty of both these internal and external stakeholders.
In summary, while the lack of compliance carries a cost, investing to become compliant creates benefits that will impact the bottom line positively in the long-run. So let’s stop being afraid, and let’s get excited about the opportunity that the GDPR offers.