The GDPR and data processing in the customer
GDPR, four letters that have been for some months in the heart of the concerns of the customer relationship players. The General Data Protection Regulation, approved by the European Parliament on April 14, 2016, will be implemented on May 25, 2018. This new European regulation will establish new rules to protect the personal data of European citizens and will have a significant impact on the corporate image.
In practice, what is the GDPR?
The GDPR aims to strengthen the security and protection of personal data in the European Union and will replace old directives and all relevant local laws. This regulation creates new rights for users and strengthens the obligations of companies and organizations processing personal data.
The 3 main objectives of the GDPR:
- To give citizens back control of their personal data
- To imply actors dealing with personal data
- To increase awareness of regulation through a system of penalties
The GDPR strengthens the control of EU citizens over their data by granting them a range of rights:
Who is concerned by the GDPR?
This new regulation applies to any company or organization processing personal data concerning individuals residing in the EU. Even if your company is established outside the EU, you must comply with the GDPR if your activities involve an offer of goods or services (even free) requiring processing of data related to persons based in the EU or their behavior monitoring.
“Personal data” means all data relating to a natural person identified or that can be identified directly or indirectly through this data. The e-mail address, the telephone number, the position held in the company are for example personal data. In the same way, the behavioral data collected on the Internet are considered as personal data if they are linked to an identity.
What consequences in case of non-compliance?
It is part of every company’s social responsibility to ensure that the privacy of its customers remains private. Data protection authorities will be entitled to impose fines ranging from 2% to 4% of annual turnover.
How does the GDPR impact the customer relationship?
Even if the GDPR imposes new obligations on companies managing personal data, it should not be considered only as a constraint.
At Apizee, we believe that the GDPR will have a positive impact on the customer experience. For companies, complying with this new regulation is also a real opportunity to demonstrate the importance given to the interest of their customers. The application of the regulation will improve the confidence of users on customer relationship players and facilitate further development of the digital economy in the European market.
Trust remains more than ever an absolute key to improving customer experience. Giving customers the control of their data, will certainly improve your brand image!
What can a company do to prepare GDPR compliance?
- Conduct an audit
As the GDPR concerns identifiable personal data, performing a full audit of how data enters, flows, and leaves your business is a good starting point. Ask yourself the right questions: what are you doing with this data? Do you have explicit permission to process them? Is information shared with third parties? Are there weak points in your practices? Are your SaaS providers GDPR compliant?
- Appoint a GDPR leader
If you are a public administration or if you are a company whose basic activity leads you to carry out regular and systematic monitoring of people on a large scale, you must appoint a DPO (Data Protection Officer) who will carry out an information, consulting and internal control mission. And even if you are not formally obliged to appoint a DPO, it is strongly recommended to appoint a person to manage the governance of your structure’s personal data.
- Inform your customers and make sure you have their consent
If you want to use the identifiable data of a person, you will have to obtain his/her explicit consent. Companies will also need to be prepared to answer customers’ questions about how their data is being used and publish their privacy policies in clear terms, so they can be easily understood. It is important that your whole team (not just those in direct contact with the customer) understand the GDPR. Train your staff to handle customer queries about their data.
- Facilitate the right of access, rectification, forgetting and portability of data
The storage systems used by your teams must all allow the modification, deletion and portability of data without complications or security problems. To meet access and portability demands, you need to ensure that your systems enable fast, easy, and common data export.
- Manage the risks of data breach and leaks
All companies will be required to report data breaches to their competent supervisory authority, and in some cases also to users concerned. This refers to any security breach that could result in the unauthorized loss, access or disclosure of individuals’ personal information. At the very least, your agents need to know what constitutes a data breach, the rules surrounding data security, and how to notify management of any breaches. It is advisable to implement an action plan to deal whit that possibility.
- Document your compliance
To prove your compliance readiness, you must create and consolidate the necessary documentation. Actions and documents completed at each stage must be reviewed and updated regularly to ensure continuous data protection.