The GDPR, Its Implications for Businesses, and cIAM
Almost a year has passed since the EU's legislative bodies adopted the far-reaching General Data Protection Regulation (GDPR), and a little more than a year remains before its rules on customer data start to apply. To be slightly more precise, businesses around the world have about 466 days (at the time of writing) to prepare for a new era in the customer-business relationship. The GDPR was adopted in 2016 with a two-year transition period and applies from 25 May 2018, and possibly a little earlier in a few European countries, such as France, that are bringing parts of it in through national law.
You may ask: so what? What is the fuss about this new regulation? It can be handled like any other, right? Not really. Not this one.
And why should you be concerned if you are not European and do not do business in Europe?
The third question is how a business goes about navigating the new contours, and how a Customer Identity and Access Management (cIAM) system can help.
We will get to what the GDPR is about and what it means for businesses, but let us get you straight into the game by answering the second question first. If you are a business operating out of North America or Asia Pacific, these European rules should not concern you, right? Wrong. Unlike the directive it replaces, the GDPR's reach is not defined by where the company sits: it extends to any organisation, anywhere on the planet, that processes personal data of individuals in the EU while offering them goods or services or monitoring their behaviour, whether or not it has any presence in Europe.
The summary of the GDPR states, “The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations.” Have one EU-resident customer and his or her data on your books, and you are in the GDPR net. As simple as that.
And no, Brexit is not really going to help.
Now that this is spelt out and you are probably in the GDPR net, it is time to get to know the actual regulation.
What is the EU General Data Protection Regulation? The GDPR is the new set of rules by which Europe intends to strengthen personal data protection for people in the EU. It replaces the Data Protection Directive (95/46/EC), which currently governs the processing of personal data within the European Union. The GDPR defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” As you can see, the definition of personal data has been significantly widened. So if a business, even a small one, captures as little as an EU resident's name or email address, it is expected to comply with the GDPR in full.
If we had to define the main features of the GDPR, the following points would provide a broad summary.
- Individuals get the right to be forgotten: on request, businesses must erase that person's personal data from their systems, subject to the exceptions the regulation allows (for example where another legal obligation requires the data to be retained).
- Privacy by design and by default: customer-facing software systems and processes must be built to comply with the new data protection principles rather than retrofitted.
- Businesses dealing with people in the EU will no longer be shielded by geography. The GDPR gives individuals the right to lodge a complaint with a supervisory authority, which can take action against a company based anywhere in the world.
- Where consent is the legal basis for collecting and processing personal data, businesses have to be able to prove that valid consent was given.
- Companies must conduct Data Protection Impact Assessments (DPIAs, also called Privacy Impact Assessments) before high-risk processing, to minimise privacy risks to customers.
- Data breaches have to be reported to the supervisory authority within 72 hours of the company becoming aware of them, unless the breach is unlikely to result in a risk to individuals; affected individuals must be told without undue delay when the risk is high.
- Liability in the event of a breach or other failure now extends to every organisation that handles the personal data, processors included, and not just to the data controllers.
- As already stated, the GDPR applies to any company collecting personal data of people in the EU. And personal data, as defined above, is anything starting from a name or email address.
It is true that the rules currently in force, the EU Data Protection Directive, also have the best interests of customer data privacy at heart. But those rules were drafted more than two decades ago. The entire customer data collection environment has evolved tremendously since then, and more so over the last few years. Non-compliant businesses could still get away with it and set up shop in safe havens.
That is definitely not going to be the case from next year: PwC expects customer litigation and class actions to rise sharply as a direct result of the GDPR taking effect.
Direct Implications of the EU GDPR on Businesses
The most obvious and general implication of the GDPR is that businesses will have to make fundamental changes to their software architecture to comply with the new data rules.
At a more specific level, the implications are many. Start with the right to be forgotten: honouring it requires that a business can build a complete, unified view of each customer and permanently erase it. Many companies currently collect customer data from multiple sources and end up with disjointed profiles, so the case for centralised customer profiles is stronger than ever. And even before a customer exercises the right to be forgotten, the extremely broad definition of personal data means every piece of it needs to be inventoried, and ideally centralised, so that it can be found and erased on request.
The introduction of privacy by design will bring about a paradigm shift in business-customer relationships, all the more so because it will now be a legal requirement. However, many businesses are still not ready for this shift because they lack adequate privacy and consent mechanisms. Consent under the GDPR must be freely given, specific, informed and unambiguous, and the business must keep a record of when and how it was given, rather than relying on the current practice whereby consent is mostly implied. As a direct result, user workflows will change and additional permission steps will have to be introduced. More importantly, at a business level, organisations must be ready for customers who decline consent for specific purposes, which in turn means less data to work with. At the same time, companies must take a more holistic view of their whole stack rather than looking at individual software tools in isolation. Integration across the marketing stack and the technology stack now matters not only from a marketing standpoint but from a compliance standpoint.
The GDPR will also make it imperative for businesses to put additional controls and processes in place to detect data breaches and manage such incidents within the required timeframes. Some businesses will also be required to appoint a Data Protection Officer (DPO) to oversee the collection and processing of personal data, alongside regular audits of the same.
There are several other adjustments that businesses will be required to make in the marketing and technology stack but the ones described above are the most important, in our opinion.
The Role of cIAM in GDPR Compliance
Customer personal data will become the focus once the GDPR applies from 25 May 2018. Every business collecting and processing any amount of customer data will have to be on guard and ensure compliance. Mind you, the penalties for non-compliance are heavy: up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
This naturally brings us to the role of specific tools such as a Customer Identity and Access Management (cIAM) platform in this scenario. In the marketing and technology stacks within an organisation, there are multiple tools that process customer data to various ends. However, a cIAM platform plays a pivotal role when it comes to collecting customer data and performing the primary processing step of building the customer profile. Hardly any other tool performs this function. Under the GDPR, managing customer identities and building and storing unified customer profiles is of paramount importance. A cIAM platform therefore makes compliance with the new EU rules much easier, and by reducing the number of places personal data lives, it also limits how much of that data is exposed if a system is compromised.
As already elaborated, maintaining holistic, unified customer profiles will become all the more important for businesses, and a cIAM platform can accomplish this at scale. Consent management is also commonly a core component of cIAM platforms, although adjustments may be needed to meet the GDPR's requirements for explicit, recorded consent.
Analysts are also pointing out that the GDPR will hasten adoption of customer identity management platforms. But it is important to realise that while a cIAM platform may be a good partner on the road to GDPR compliance, it is not the only one. Organisation-wide changes will be necessary, because customer data flows through every tool in the marketing stack and most of the technology stack. Streamlining the entire stack is therefore imperative. There is not much time left.
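To make the two requirements discussed above concrete, the unified profile with permanent erasure and the explicit, recorded consent, here is a small illustrative consent ledger and erasure workflow. It is an added example written for this article, not code from the article's author or from any cIAM product. The purpose names, policy version strings, capture sources and the keyed-hash "tombstone" kept after erasure are all assumptions made for the example; whether a pseudonymous tombstone, or anything else, may be retained after an erasure request is a legal decision for each business, not something this code settles.

```python
"""
Illustrative cIAM-style consent ledger and erasure workflow (added example).

Design rules it enforces:
  * one profile per customer, merged from several sources;
  * consent is explicit: no record, a refusal, a later withdrawal, or consent
    given under an older policy version all count as "no consent";
  * the consent history is append-only, so there is a record to show;
  * erasure removes the profile and its history and keeps only a keyed hash
    and a timestamp as proof the request was honoured (an assumed design).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    purpose: str           # what the data is used for, e.g. "marketing_email" (assumed name)
    policy_version: str    # the wording the customer actually saw when deciding
    granted: bool          # True = opt-in, False = refusal or withdrawal
    recorded_at: datetime  # when the decision was captured (UTC)
    source: str            # where it was captured, e.g. a form or channel id (assumed)


@dataclass
class CustomerProfile:
    customer_id: str
    email: str
    attributes: Dict[str, str] = field(default_factory=dict)
    consents: List[ConsentRecord] = field(default_factory=list)


def utc(year: int, month: int, day: int) -> datetime:
    """Helper for building deterministic UTC timestamps in the walkthrough."""
    return datetime(year, month, day, tzinfo=timezone.utc)


class ProfileStore:
    """In-memory stand-in for the profile store of a cIAM platform."""

    def __init__(self, tombstone_key: bytes) -> None:
        # Secret used to derive tombstone ids, so an erased entry is not a bare
        # hash of the customer id. Assumption: the key is stored separately.
        self._key = tombstone_key
        self._profiles: Dict[str, CustomerProfile] = {}
        self._tombstones: Dict[str, datetime] = {}

    def upsert_profile(self, customer_id: str, email: str, **attrs: str) -> CustomerProfile:
        """Create the profile on first sight, otherwise merge new attributes into it."""
        profile = self._profiles.setdefault(customer_id, CustomerProfile(customer_id, email))
        profile.email = email
        profile.attributes.update(attrs)
        return profile

    def get_profile(self, customer_id: str) -> Optional[CustomerProfile]:
        return self._profiles.get(customer_id)

    def record_consent(self, customer_id: str, purpose: str, policy_version: str,
                       granted: bool, source: str,
                       now: Optional[datetime] = None) -> ConsentRecord:
        """Append a consent decision; raises KeyError for an unknown customer."""
        rec = ConsentRecord(purpose, policy_version, granted,
                            now or datetime.now(timezone.utc), source)
        self._profiles[customer_id].consents.append(rec)
        return rec

    def consent_history(self, customer_id: str, purpose: str) -> List[ConsentRecord]:
        profile = self._profiles.get(customer_id)
        return [r for r in (profile.consents if profile else []) if r.purpose == purpose]

    def has_consent(self, customer_id: str, purpose: str, policy_version: str) -> bool:
        """Only the most recent decision for the purpose counts, and only if it is an
        opt-in under the policy version currently in force."""
        latest: Optional[ConsentRecord] = None
        for rec in self.consent_history(customer_id, purpose):
            if latest is None or rec.recorded_at >= latest.recorded_at:
                latest = rec  # ties resolve to the later-appended record
        return latest is not None and latest.granted and latest.policy_version == policy_version

    def tombstone_id(self, customer_id: str) -> str:
        return hmac.new(self._key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def erase(self, customer_id: str, now: Optional[datetime] = None) -> str:
        """Right to be forgotten: drop the profile and its consent history."""
        if customer_id not in self._profiles:
            raise KeyError(f"no profile for {customer_id}")
        del self._profiles[customer_id]
        tid = self.tombstone_id(customer_id)
        self._tombstones[tid] = now or datetime.now(timezone.utc)
        return tid

    def was_erased(self, customer_id: str) -> bool:
        return self.tombstone_id(customer_id) in self._tombstones


def walkthrough() -> Dict[str, object]:
    """Constructed scenario: a customer opts in, the policy changes, they withdraw, then ask to be forgotten."""
    store = ProfileStore(tombstone_key=b"example-key-not-for-production")
    store.upsert_profile("cust-42", "ada@example.org", country="FR")   # from signup (constructed)
    store.upsert_profile("cust-42", "ada@example.org", plan="pro")     # from billing (constructed)
    out: Dict[str, object] = {"merged_attrs": dict(store.get_profile("cust-42").attributes)}
    out["before_any_record"] = store.has_consent("cust-42", "marketing_email", "v1")
    store.record_consent("cust-42", "marketing_email", "v1", True, "signup_form", now=utc(2017, 2, 1))
    out["after_optin_v1"] = store.has_consent("cust-42", "marketing_email", "v1")
    out["v1_optin_under_v2"] = store.has_consent("cust-42", "marketing_email", "v2")
    store.record_consent("cust-42", "marketing_email", "v2", True, "consent_banner", now=utc(2017, 3, 1))
    out["after_optin_v2"] = store.has_consent("cust-42", "marketing_email", "v2")
    store.record_consent("cust-42", "marketing_email", "v2", False, "preference_centre", now=utc(2017, 4, 1))
    out["after_withdrawal"] = store.has_consent("cust-42", "marketing_email", "v2")
    out["history_len"] = len(store.consent_history("cust-42", "marketing_email"))
    out["tombstone"] = store.erase("cust-42", now=utc(2017, 5, 1))
    out["profile_gone"] = store.get_profile("cust-42") is None
    out["was_erased"] = store.was_erased("cust-42")
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point to notice is what `has_consent` refuses: silence is not consent, consent captured under an earlier policy wording does not carry over to a new one, and a withdrawal is just another appended record rather than an edit, so the history that the regulation expects you to be able to show is never rewritten. Erasure is the one place where history is deleted, which is why the tombstone is the only thing left behind.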