With the GDPR (General Data Protection Regulation), the collection and use of personal data will be harmonised and regulated in European Union countries. Objective: to restore the trust of individuals in the processing of their data. This renewed trust is a real business issue for companies on the way to “GDPR compliance”.
No viable digital economy exists without trust. Yet 72% of Europeans fear the improper use of their personal data, according to Viviane Reding, former European Commissioner for Justice, Fundamental Rights and Citizenship. Faced with these two findings, the European Union is responding with four letters: GDPR (General Data Protection Regulation). The European regulation on the protection of personal data, due to come into effect on 25 May 2018, emphasises transparency towards the data subject at every stage of the use of his/her data: from collection to processing and archiving, and up to its deletion.
Transparency in the management of personal data: a differentiating factor
On the collection side specifically, obtaining the customer’s consent under the French Loi Informatique et Libertés (data protection law) was meant to be made explicit through the CNIL (Commission nationale de l’informatique et des libertés – French data protection commission) notice templates. But has anyone ever received an update of these notices? The GDPR will make such an update mandatory for any new use. For example, if an individual takes out car insurance with an insurer, they consent, through their policy, to the use of their data (identity, contact details and driving licence). If tomorrow that same insurer offers to install a good-driving tracker in that person’s vehicle, it must have the customer sign new CNIL notices consenting to this new use of his/her data, such as the statistical analyses that can help him/her improve his/her driving.
Source: Viviane Reding, ex-European Commissioner for Justice, Fundamental Rights and Citizenship
For the company, this is a means of standing out from the competition and communicating about its good practice. By building customer trust – for example through a charter, public undertakings in this area, or even a label created within a business sector – companies will improve their image and position themselves as trusted actors. This is a decisive element in business development, and one that meets a strong expectation on the part of individuals.
Companies with the “GDPR compliant” label will be more competitive
We can imagine that from May 2018, insurance comparison sites or search engines will highlight companies certified as GDPR compliant. Consumers will be more inclined to click on them, as they will appear more reliable. All the more so because transparency does not stop at the organisation’s borders – it also extends to subcontractors. Every company must call on partners that provide sufficient guarantees regarding the protection of personal data. If one subcontractor fails to meet its obligations, the whole chain is in default and the brand’s reputation suffers as a result.
A risk-based compliance approach
Source: ‘Baromètre “Usages Mobiles”’ (EBG – Open)
So how should such a transformation programme be undertaken? It is important to define its ambitions as early as possible in each project. Does the company simply want to be compliant, or does it want to go further and define other areas of focus around the personalisation of the customer relationship? These new requirements can be made to serve the company’s other priorities: its strategy for improving the customer experience (exhaustive, global and up to date), or the corresponding choices in its data governance policy.
Laying the foundations for compliance starts with a diagnostic based on a risk-based approach. In less than two months, this method focuses on at-risk data (bank details, Social Security number, offence, social-difficulty and sentencing data, and real-time geolocation) and on the most sensitive data (health, genetic and biometric data, racial or ethnic origin, union membership, political convictions, religious denomination, sexual orientation, etc.), and provides an overall view of the areas requiring vigilance. Each identified requirement (data mapping, keeping the processing log up to date, appointing a DPO, etc.) is given a score that answers a series of questions: how high is the hurdle to reach compliance? What are the priorities? How much will it cost? What skills are needed? The risk-based approach makes it possible to prioritise the work: start with the quick wins, then take the time to establish guidelines for the more onerous tasks by defining a multi-year path to compliance.
Once the GDPR comes into force, the CNIL will pay close attention to the roadmaps submitted to it (this is the accountability principle advocated by the GDPR), just as customers will be sensitive to companies’ good-conduct practices. These are two good reasons to incorporate the protection of personal data into all your transformation programmes from now on, and to align fully with privacy by design, another cornerstone of the European regulation.