Use GDPR to future-proof business models

Businesses should look beyond compliance with new data regulations to ensure that their business processes and models are in line with future requirements, advises a privacy innovation expert

Collaboration across business units is vital to compliance with the European Union’s (EU’s) General Data Protection Regulation (GDPR), according to Katryna Dow, CEO and founder of life management firm Meeco.

“Too many organisations have approached GDPR compliance as something that can be fixed by legal teams putting something in a policy document, which is just not the case,” she told Computer Weekly.

However, with the GDPR compliance deadline of 25 May 2018 just over six months away, a sense of urgency is emerging, and Dow said some boards and senior executives are beginning to understand that the impact on their business is more far-reaching.

“This is about a convergence of consumer identity, identity and access management, marketing and personalisation, which requires access to more data, and the pressures of digital transformation in the context of a new regulatory framework,” she said.

The challenge facing many organisations, said Dow, is integrating those four streams of work around the customer. “This is one of the key things that senior executives really need to understand,” she said.

If organisations are dealing only with the legal aspects, there will be unexpected impacts on marketing and personalisation, said Dow.

“Similarly, if they are just dealing only with marketing and personalisation, they are likely to have a compliance issue, and if they are looking only at identity, there may be an unexpected impact on what they are trying to do from a digital transformation point of view,” she said.

The portfolio approach

Dow believes all four of these components have to come together in an integrated way to ensure maximum benefit for the business, which is why she advocates what she terms a “portfolio approach” to GDPR compliance that involves all four streams of work.

But, according to Dow, some marketing and digital transformation teams she has been working with have expressed the belief that GDPR has nothing to do with them, and that it is something the company lawyers will take care of.

“As a result, we expect that come May 2018, some marketers and senior execs will wake to find that their whole business unit is completely hamstrung when they see the impact that the GDPR is going to have on digital channels because of requirements such as explicit consent to collect personal data.”

Where organisations are not pursuing a portfolio approach, Dow expects companies to find themselves having to go backwards before they can go forwards because they are going to have to find a way of integrating those new legal requirements into their processes, products and services.

“If they are not doing that in a collaborative way already, that could result in a significant cost by the middle of 2018, and that is going to hold up a lot of companies in terms of their competitive advantage,” she said.

Dow emphasises that even if each of the four work streams is doing great work in its own silo, collaboration and integration are key.

“You might have the best design work going on around customer centricity, you could have a really transformational programme around customer identity, and you could have the best lawyers working on your back-end compliance, but when it comes to touching customers, it is going to be about how those streams come together,” she said.

If organisations are not pursuing this approach already, Dow believes that, at a bare minimum, they need to ensure they understand how the legal, business and technology “layers” come together.

The legal layer is about the organisation’s approach to compliance; the business layer is about the impact of the new regulations on the business and the business models, and how that might change the way they interact with customers, create opportunities, or block existing lines of revenue; while the technology layer is about what digital technology will support the legal and business layers.

“Finding the supporting technology is, in some ways, the easiest of the three, but means that businesses will have to ensure they have the technical means to do things like collect and record consent, return data to customers, demonstrate that there is an audit trail, and comply with data subject access requests,” said Dow.

“If they are not using a portfolio approach across the business, then at least they have got to be looking at how the technology they have put in place still enables whatever business models they need to continue, and at the same time meets all the requirements for compliance.”

US firms ‘still in denial’ about GDPR compliance

Despite the emerging sense of urgency, Dow said many US organisations – including some large companies – are still in denial, believing that they are not required to comply with the GDPR.

“I can’t tell you the number of US companies that have said the GDPR does not apply to them, but when questioned, admit that they have European customers. That’s when you see the blood drain from their faces,” she said.

Dow said a recent survey revealed that senior executives at more than half of the US companies polled were unaware that the GDPR applied to their business, that they personally were the officers who could be held responsible for non-compliance, and that they needed a programme of work to prepare for GDPR compliance.

“Many of the companies that are saying they are fine [in terms of compliance] are saying that because they are doing the data mapping and the compliance, but they are not necessarily thinking of their operating model going forward,” she said.

“I have not seen one organisation yet that has said: ‘This is our new marketing strategy. This is how we are going to build consent compliance into a great customer experience, and this is how we are going to leverage trust and transparency as a way to differentiate in the market’.”

While organisations are focusing on compliance with legislation such as the GDPR or the revised Payment Services Directive (PSD2), Dow said it is more important to focus on the long-term applicability of business models and processes.

“These pieces of legislation are all a moment in time, but if this is the ‘new normal’, the real question organisations need to consider is how well aligned their businesses are to that,” she said.

“If customers having access to their data, if the need for contextual consent, and these new digital rights are all part of the new normal, the real call to action is around ensuring that businesses and business models are future-proof in terms of bringing customers into that value chain.”

Dow is to address this topic in more detail at Consumer Identity World Europe 2017 in Paris from 27 to 29 November in a session with IT legal adviser Tim Maiorino, entitled General Data Protection Regulation (GDPR) crash course: Ready to go?, which will be moderated by KuppingerCole principal analyst Martin Kuppinger.
