On 25 May this year, the rules on data collection and the free movement of data came under the new General Data Protection Regulation, or GDPR.
GDPR requires organisations to implement reasonable data protection methods to protect EU citizens with regard to the processing of their personal data and its free movement. Strict new rules will apply to the rights of access, rectification, erasure and restriction. These new regulations apply to all companies worldwide that collect and process the personal data of EU citizens.
Personal data is defined as any information related to an identified customer such as a name, telephone number, location, or cultural or social identity of that person.
Sensitive data is a special sub category relating to ethnicity, financial status, religion, sexual orientation, age etc. Children’s data is a particularly complex area.
Data collection must be managed whether collected directly at source or through a third party ‘cloud’ provider.
Data must be protected in a way that remains compatible with its original legal basis. It must:
1. Be legal, fair and transparent
2. Have a limited purpose
3. Be minimised
4. Be accurate
5. Have limitation on storage
6. Be confidential
7. Be managed with integrity
The Information Commissioner’s Office (ICO) is the regulatory body for data protection and will have a number of ways to take action in order to bring about the desired changes in business practices around data protection.
Non-compliance could result in severe monetary consequences such as fines of up to £20m or 4% of global turnover. If the ICO takes action against a company its first step will be to issue a press release naming the business and giving details of the non-compliance. Publication of this information in the press or across social media could cause severe reputational damage resulting in loss of existing clients or new business opportunities. Data breaches could also result in criminal proceedings and convictions as well as civil litigation suits being filed by affected individuals.
Many areas of the regulation are ambiguous and therefore it is essential that businesses carry out a risk assessment to determine their level of compliance with the regulations and show they have taken reasonable steps to adopt the basic principles of the new regulations.
It is also essential to examine carefully how GDPR will affect the customer relationship and the overall customer experience. As the potential penalties for non-compliance show, getting the GDPR response wrong will not only incur huge fines but will also cause irreparable damage to the customer relationship.
Businesses that embrace GDPR can turn it into an opportunity to build stronger customer relationships with clearly identified, verified, updated, relevant and secure data. A well-structured and responsible adoption of the new regulations will help companies to strengthen customer trust, gain deeper customer understanding, increase customer engagement and ultimately exceed customer expectations.