As challenging as GDPR may be for those working on compliance, the regulations should force a deeper appraisal of what values companies apply to their interactions with customers.
It should serve as a mechanism for brands to deepen relationships with their customers around consent. For those willing to think beyond pure compliance, GDPR presents a chance to build consumer trust at a time when trust is scarce.
“GDPR is all about trust and transparency,” said Martin Sloan, a Partner at Brodies. “That means organisations must clearly articulate what they do with personal data and why, where that data is collected from, with whom it is shared, and for how long it is retained. Organisations also need to explain to individuals what their rights are.”
“The Information Commissioner, Elizabeth Denham, has said that her office’s immediate concern is ‘invisible processing’. If an organisation fails to explain what it does with an individual’s personal data, then that processing may be unlawful.
“If processing is being carried out on the basis of consent, then the individual needs to have a genuine choice and clearly understand to what he or she is being asked to consent.”
The scramble by companies to comply has largely been about avoiding the risk of being fined. Rather, it should raise questions about corporate values. Customer data is both a source of competitive advantage to the company and the subject of rapidly increasing suspicion among consumers.
It is fundamental to digital business models and the most precious thing a customer can share. In some ways it is more valuable than money. As consumer concern about privacy grows, how companies treat data will define the brand experience.
“Organisations should use GDPR as an opportunity to stop and think about how they use personal data,” added Sloan.
“At a time when individuals are becoming more aware of their rights and questioning what organisations are doing with their data, there is an opportunity for organisations to embrace GDPR and the principle of transparency to help build trust.
“That in turn should help organisations that embrace GDPR to succeed, whereas those that do not may find individuals less willing to engage with their products and services.”
GDPR will re-set expectations for consumers, both in Europe and beyond. It will explicitly tip the balance of power their way, giving them real control over what data they share and how it is used.
Those companies that welcome the change, that treat their customers as partners in how they use their data, that truly put their customers first, will build new levels of loyalty and unlock even more opportunities to put data to work.
- GDPR is a revolution in data protection: The principles that underpin GDPR are largely the same as those that apply under current data protection law.
- High fines will be commonplace: Fines are just one part of the ICO’s toolkit for enforcing GDPR – alongside issuing warnings, reprimands and corrective orders.
- A product/service can provide GDPR compliance: While technology undoubtedly has its part to play in compliance, it is not a solution.
- Every personal data breach needs to be reported: Not if it is unlikely to result in risk to the rights and freedoms of individuals – but the organisation must retain a record of it.
- There is an exemption for small businesses: That exemption is qualified. In particular, it will not apply where the organisation processes special categories of personal data, such as medical information or trade union membership. As most organisations will hold special category personal data relating to their staff, the exemption is likely to be very limited.