Expert panel explores the practicalities of GDPR for customer data
With the GDPR implementation deadline looming, organizations in both the private and public sector are amping up their efforts in order to achieve GDPR compliance in time.
At the Liferay Digital Solutions Forum, Liferay UK's annual event last November, we gathered three thought leaders who now stare GDPR in the face on a daily basis. Cybsafe CEO Oz Alashe, UK Cloud’s Commercial Director Nicky Stewart and Everis’ Data Management and Analytics Technical Manager Oscar Alonso all joined me for a panel discussion, representing the private sector, public sector and the consulting realm respectively.
Mike MacAuley, General Manager of Liferay UK, kicked off the conversation by asking about the first step towards GDPR compliance, and interestingly, the topic of mindset was immediately raised.
“GDPR is About Respect For Data”
“GDPR [is all about] respect for data as it applies to individuals,” Oz Alashe explained to the audience.
“While we all look at the mountain of work that needs to be done to become [GDPR] compliant, rather than just looking at GDPR as something we have to legally comply with, [let’s] actually consider GDPR as something which is a very, very good thing,” he said.
Part of that respect, according to Nicky Stewart, is about having an educated workforce:
“[Your first step should be to] educate staff about GDPR. Then, ensure you have 2-3 people in your organization who have an absolutely sound [legal] understanding of what GDPR is and how it’s different from existing legal requirements,” Stewart said.
Again, the emphasis on mindset and education was intriguing. Alashe’s positive take on GDPR was refreshing, and, as this article goes on to show, it highlighted the benefits that GDPR brings to the table — like increased transparency and trust between organizations and data subjects.
Stewart’s input was equally important. All staff handling data need to be aware of the implications of GDPR, while each organization should appoint a handful of leaders who understand the legal landscape well enough to bring data protocols into compliance.
The Risks of Falling Short
Alashe went on to describe the next steps for an organization that has altered its mindset to be more accepting of GDPR. According to him, it’s about “understanding what data you hold, where it is, how it’s stored and how you look after it.”
Oscar Alonso was of the same opinion, stating that he was “not sure whether most brands even know where all their customer information is, which is why we’re creating tools [to help our clients locate their data].”
Nicky Stewart also echoed Alashe’s input, stressing to the audience how important it was to first and foremost “understand what data you are holding, where you are holding it, and what the legal basis [is] for having that data.”
Undoubtedly, all three of our panelists were on the mark here. The first practical step towards GDPR compliance is identifying what data you currently hold, and how it’s being used. Once you know that, you’ll know exactly what the following step should look like.
Before long, the panel discussion turned to the risks of falling short of GDPR compliance. I put it to the panelists that, while organisations tend to focus on the financial impact of not being GDPR compliant, perhaps the bigger risk is reputational damage and losing the public’s trust.
“There will be a number of organisations who attempt to prepare for GDPR but won't quite meet the mark. Some will take the risk and wait to see what happens,” Alashe claimed.
But he also emphasised that falling short of GDPR compliance isn’t “just about the [GDPR] fines.”
“The thing that's really hard to calculate is everything that comes with the loss of the public’s trust,” Alashe said, “and these fines or cautions are all declared, [so the consumer will be aware], that can all get very painful.”
To remind you of just how steep those financial penalties are: a “lower level” GDPR infringement exposes an organisation to a fine equivalent to €10 million or 2 percent of its annual revenue — whichever is higher. For “higher level” infringements, the fine is doubled to €20 million or 4 percent of annual revenue. Very painful indeed.
Yet, you can’t help but agree with Alashe that the true risk is not the money itself, but the reputational damage a GDPR fine or caution could cause. That’s because all fines and cautions will be declared publicly — making a brand’s incompetence in regards to data privacy the talk of the town.
Blurred Lines: The Private Vs The Public Sector
GDPR does not discriminate between public and private sector entities by holding them to different standards, and yet there are differences in why and how those two industries make use of customer data.
Mike put it to the panel that in the private sector, brands want to leverage consumer data for marketing purposes, to spot trends and to ultimately boost their bottom line. In the public sector on the other hand, data collection is simply part and parcel of identity management, as individuals need to be identified for purposes such as tax, housing and general identification. So, while both parties are concerned about how GDPR non-compliance may hurt their reputation (not to mention their pockets), it’s fair to say that they have different reasons for why they want to harvest, store and use consumer data.
Thankfully, our panellists hailed from both sectors, so we gleaned insights from both sides of the coin.
“Whether it’s a public or private sector organization, the reason they want data is either to do research, provide a service or help identify people,” Alashe said.
“However, I don’t think it’s right to say that the private sector is only concerned with marketing because identity management also comes into play [in the private sector], as private companies also want to manage the identities of those we provide services to, and to protect them. So there is some blurring [of the lines] there, despite the fact that there are some distinctions. But the level of respect for data applies to both sides,” he concluded.
GDPR And The IoT Problem
During the discussion, Nicky Stewart highlighted another pain point that GDPR is going to push down on — the problem of data in relation to IoT devices.
“Artificial Intelligence [is] improving government service experiences — [two examples being] the DVLA and HMRC running pilots of Amazon Alexa. So as a citizen, what are your reasonable expectations, because you think you’re interacting with the government and that your data will be used in one way, but instead, your data will be [in the hands of] Amazon,” Stewart said.
She probed into the issue further, asking about how GDPR applies to these new technologies, not to mention to technologies yet to emerge. The problem is, with every new gadget that gains popularity, a swathe of user data accompanies it. Yet, Stewart continued, the minds behind those yet-to-be-invented technologies “aren't necessarily going to be thinking about data protection regulations [when they think up these brilliant new ideas and devices]. It’s a really hard problem.”
Stewart raises an important point, as Gartner is already forecasting that 90 percent of brands will have a Chief Data Officer (CDO) by 2019 just to handle the enormous IoT-fuelled data boom. As for how GDPR will apply to all these new technologies, there is, for now, no truly comprehensive answer.
The Good News: How GDPR Can Boost Your Brand
Towards the end of the discussion, the panel finally drilled down into the good news: GDPR is an opportunity to enrich your brand’s reputation and build trust.
“GDPR is an opportunity [for brands] to stand out [from their competitors] who are not [totally] GDPR compliant,” said Oscar Alonso.
Alashe told the audience that being GDPR compliant will “demonstrably show [that your brand] takes customers seriously and that you take care of their data.” He also said that it was an opportunity for brands to present themselves and their services in the most effective way.
This is indeed one of the more obvious benefits of GDPR, because as previously mentioned, all fines and cautions in relation to data protection will be declared — so if you’re excelling in caring for your customer data while your competitors are being publicly cautioned or penalised, the public’s trust will quickly flood in your direction.
Alonso went on to describe how he sees GDPR playing a role in data monetization, explaining that “[companies may begin offering] two product versions, one with fees if the consumer withholds consent to their data being used, and one without fees, where the brand gets full access and consent to the customer’s data. This [practice] will become typical.”
So, with brand-boosting opportunities on the table, along with the chance for brands to begin monetizing data privacy, maybe GDPR isn’t all doom and gloom after all?
GDPR Compliance: Just Do Something Already
Let’s be frank, GDPR preparation is nothing to take lightly. As Nicky Stewart said in one of her addresses to the audience:
“There is a lot to do, and I wouldn't underestimate it. I spend a lot of time dodging software houses [offering me their services] as a silver bullet for GDPR compliance, but you can't get it out of a box, there are all sorts of things that you need to take into account.”
And yet, following each panel member’s opening statement on getting started with GDPR preparation, Mike remarked that there seemed to be an element of, “the best place to start is to just get started,” in the air — a quip that was met with a unanimous “yes” from all three panel members.
And as the discussion wrapped up, Stewart advised organizations to “get going now,” while Alonso also urged us to “keep calm and prepare — but do it right now.”
It all echoed the famous Mark Zuckerberg quote, “done is better than perfect”.
After all, when it comes to falling short from a legal perspective, your intentions play a pivotal role. With that in mind, it’s better to do something with the intention of being compliant than to scramble for perfection and never truly get started at all — which is unfortunately a trap we see many brands falling into.
In summary, the key takeaway for both the private and public sector is: GDPR compliance is as much about getting started as it is about getting it perfect. So start!
How are your GDPR preparations coming along?