It must also be informed, unambiguous and freely given. This also means that any new purpose of using data requires additional explicit, informed, and unambiguous consent. And that consent can be revoked at any time.
This is the reason why the EU GDPR is first and foremost a business challenge. Not primarily an IT challenge, not an IT security challenge, nor a data protection challenge. For sure, it is a challenge for CIOs, chief information security officers, and data protection officers. No doubt, there are a lot of complex challenges to solve. But the main challenge is about the impact on the customer relationship.
Let’s look at three scenarios:
- Customers who register for a service for the first time and are asked to give their consent.
- Customers who are already registered for a service and must give their consent before the GDPR becomes effective.
- Adding a new purpose to a service that requires asking customers for additional consent.
Due to the consent requirements, case number one will become more complex than today. Customers will better understand what personally identifiable information (PII) a service collects and what the service does with that data. They will be enabled to make informed decisions on whether to use the service at all and whether they give consent to all purposes.
Obviously, the purposes that are more interesting to the customer are more likely to be accepted, while the ones that bring money to the service provider (such as selling data for targeted advertising) are less likely to be accepted. Clearly, many customers will just accept, but others will not.
So, what about scenario number two? While many people believe that this is straightforward and everyone will accept anyway, I doubt it. A significant portion of the consumers of the service will review and (rarely) leave or (more often) revoke consent at least for some of the purposes. They also might accept at first and later on come back and revoke some or all consent.
The third scenario is, from my point of view, the most challenging one. Data has been collected and now the service provider asks for consent for a new purpose. The obvious question from the customers will be “what’s in it for me?”. If that is crystal clear, fine.
If not, if only the service provider benefits (“I want to sell your data to someone else...”), it will be far less likely that consent is granted. In such scenarios, service providers will have to identify a benefit and demonstrate to their customers that this is a balanced deal. There will be a price to pay for consent. Monetising data will become more expensive – sometimes even uneconomic.
In essence, it will become far more important to demonstrate the value of a certain consent to the customer than before. If the value is limited for the customer, it then becomes necessary to persuade the customer in some other ways that it is good for him to give his consent.
But the balance between customers and business will change. That must be understood, and businesses must find an answer to that challenge by providing better service while collecting less data; by innovative ideas on how to persuade their customers (I just recently was asked to participate in a lottery with really cool prizes for giving consent to marketing spam); or even by changing the business model, e.g. from services paid by PII to services paid by money.
Given that GDPR has a direct impact on the customer relationship and even the business model, all businesses that are affected by the EU GDPR must make this a C-level topic now. It is a challenge, but also an opportunity for better customer relations than ever before – if businesses do it right.