GDPR Two Months In: Lessons Learned
The EU General Data Protection Regulation – better known as GDPR – went into effect on May 25, 2018. This comprehensive privacy law streamlines data protection requirements across the EU, but it also has global ramifications for the export and use of EU consumer data. Before the law went into effect, we published a comprehensive GDPR breakdown. Now that GDPR is live, we want to share some insight into establishing and maintaining compliance.
You may be wondering: the regulation went into effect on May 25th, so why would merchants still need to establish compliance? Depending on whom you ask, only about 50% of companies are fully compliant. Furthermore, the law affects any company with customers in the EU, and it covers companies that both control and process this data, such as cloud-based platforms.
A Streamlined Approach
Non-compliance can have dire financial consequences, as violations can carry fines of up to 4% of global annual turnover or 20 million Euros. Given these costly penalties, companies must quickly find ways to either establish or maintain compliance. Companies that are not yet compliant can attain compliance via an “MVP” (minimum viable product) approach: first establish compliance, then improve operational efficiency and the consumer experience in subsequent, iterative phases.
A large portion of GDPR revolves around a consumer’s right to request, delete, and manage his or her own data. This means that the manual processes inherent to the MVP approach will need to handle a number of different request types. When planning future optimizations, companies should focus their implementation efforts on the compliance optimizations with the greatest impact.
Simple, manual processes can be implemented to meet MVP requirements. For example, companies can enable customers to contact a call center or submit data requests via email. IT support teams can fulfill these requests in back-end systems.
One way to do this is to determine which requests are received most often and then look to automate those request flows. This begins with monitoring the types of requests that come in, which highlights the best areas to invest in. Request types may also vary by industry. For example, in the case of data portability, there will be higher demand in industries with more heavily personalized content (e.g. streaming services).
Customer data can be very complex and span many systems downstream from the customer touchpoint. Demographic data collected through eCommerce, CRM, and third-party integrations (e.g. loyalty programs) can be stored in a number of databases, and if multiple products are used across European countries (e.g. a local marketing database for each country), companies must make sure every single system is compliant.
Another key to GDPR compliance is involving legal resources as early as possible in scope clarification discussions. Data field descriptions are often not easily understood by legal teams and may require working sessions with the relevant SMEs. For example, there may be flags (numeric or otherwise) in the customer profile that are specific to the company’s systems. A product team SME needs to interpret these before legal can determine whether the data is affected by GDPR. Establishing communication with legal early, and maintaining it until the full scope is delivered and approved, helps simplify the daunting task of sorting through complicated customer data.
Equally as important to supporting GDPR compliance is forming smart business processes to manage incoming requests. Due to the scope of the regulation, there are many handoffs between systems to ensure requests are fulfilled and all affected data is updated, removed, etc. Removing one customer’s data from all of a company’s systems could require a handoff of a request from a first level helpdesk, to local marketing database admin, to an eCommerce platform admin, to a data warehouse admin, and so on.
Building processes early on will help determine how an “MVP” or end-state solution can be effectively supported, all while minimizing rework and disruption to ongoing business. GDPR regulations include a 28-day SLA (Service Level Agreement) from when a customer makes a request to when it must be fulfilled, so having these processes in place directly affects a company’s ability to meet that SLA and avoid penalties.
Though there have been few requests thus far, the potential cost of a violation is high. Companies must evaluate the most effective way to quickly attain compliance without disrupting ongoing business. GDPR compliance is more than simply managing a database of customer data – it involves multiple resources across multiple business units. Legal teams must be able to work closely with product SMEs to identify all related data.
Perhaps one of the most important (and often overlooked) elements of GDPR compliance is having a consistent business process in place to support incoming requests. It remains to be seen what the volume and types of GDPR requests will be, but focusing on developing an “MVP” solution, supported by effective business processes, can help companies minimize the risk of a violation while enabling their business to effectively leverage valuable customer data and grow.