GDPR - New requirements empower the customers
“Try to see your business from the customer's point of view - and make sure that personal data is handled accordingly”, say Kenneth Westad and Hallvard Müller at Styrmand. The requirements of the new Personal Data Act and the GDPR are not more complex than that. But the change is nevertheless a demanding process for most. Awareness is low amongst many people.
In the summer of 2018, legislation will be introduced that hands the governance of customer-specific data back to the customers themselves. The danger of a fine of 4% of the offending company's turnover has given GDPR a lot of publicity, and some of it is on the verge of scaremongering, say Kenneth and Hallvard at Styrmand.
Hallvard Müller and Kenneth Westad
"GDPR does not really have so many changes to the legislation we already have in place in Norway. The biggest difference lies in the threat of huge fines from next summer. This has awakened many and started processes to put in place a better corporate culture and new routines around personal data protection. But despite much GDPR talk at the moment, it's also scary that there are so many that have not yet started,” said Kenneth.
Need active consent for everything
The recently updated Personal Data Act has introduced requirements that customers must give active consent to data storage, that they should be well informed, and that access to and use of the data must be documented and relevant. In addition, customers should be able to withdraw consent, and a withdrawal shall be followed up by actual deletion of the data. These rights must be supported by IT systems.
“We must simply have insight into what we store and how it is used. For most large businesses, this can lead to quite extensive work to define the gap between what actually is done and how to handle customer data instead”, said Kenneth. Coupled with the new Communications Protection Directive that will also be coming next year, all electronic communication to the consumer will be forbidden if you do not have active consent.
"You are not allowed to send out today's newsletter or e-mail about the customer relationship without active consent, and today's consents are mostly too poor”, says Kenneth.
People, not data
But even though the law focuses on customers and their ownership of personal information, there is a lot of talk about data, systems and storage, says Hallvard. The word "data" overshadows "customer", and GDPR too often ends up on the table of the IT department.
“That's the wrong approach. Handling and ownership of customer data is related to the management of the relationships to the customers and services offered. This is most of all a business challenge that belongs to the management level. Customisation of IT systems must come in second place”, says Hallvard.
"The board and management must understand that it is not certain that you can run the company anymore if you do not solve this in a good way. At worst, you will have to delete most of your customer data. This issue must be owned by Management”, says Kenneth.
With the right buy-in on the business side, the necessary review of the company's use and need for customer data could also be used to look for business opportunities.
"Everyone with personal information must go through a process, and if done correctly, it can yield value creation and positive cultural change in the company", said Kenneth.
Personal data management adapted to "Internet of Things"
The legislation is also a response to the rapid development of new technology and digital business models. As online usage increases and more and more digitalised services store customer data, there has also been a flow of services that want to connect different data sources. The high level of fines is itself a signal of the value these data will hold in the years to come. Consumers have long since lost control and overview of their personal information. The law will give consumers more power in this development.
“Internet of Things is a reality and it brings together huge amounts of data about us. If one gathers data about you from multiple sources, one can get a very detailed picture of your habits”, says Kenneth.
One example is online advertising, where data showing that a customer has bought grass seeds can be worth a lot to anyone selling lawn mowers and rakes. It may also be that insurance companies could benefit from being able to obtain data from heart rate monitors or to purchase driving data from automakers.
At the same time, we know that many consumers also want such new services. It can be of great value to get services tailored to our individual needs. And adaptation to the legislation can also be used to customise the entire business into a new market of customer data.
“Look at the introduction of updated legislation as an opportunity to review what relationship one has with its customers and how it can be developed. Those who handle GDPR will best manage to create a positive cultural change in the company, where they will be more forward-looking in dealing with customer relations. It is a valuable starting point for identifying and launching good services and products”, says Hallvard.
Cleaning job on deletion and consent
But before you get there, companies should also be aware that there will be a need for a cleaning job next summer. After obtaining an overview of the use and storage of their own data, routines and solutions must be adapted to the requirements of the law.
"This applies primarily to obtaining new consent from customers for storage and processing. The other applies to systems and routines for actually deleting data if customers do not consent. Unfortunately, there are many systems that do not have good functionality for this today, so this can quickly become an IT project, internally or in collaboration with company vendors”, says Hallvard, adding that reduced risk, better systems, a better conscience and a better business foundation are the reward. Many will also find that they get a comprehensive overview of something that has so far been spread over several separate silos in the company.
"There are a lot of positives here for the customers. One of the least customer-friendly things one can experience is that different departments of the same supplier have a completely different view of one's customer relationship - and that some may not even know that one exists. In winter, we can also enjoy many great deals related to membership in customer clubs. Many will lure consumers to give different consents in this way to be ready when the law comes into force next summer”, says Hallvard.
"Just start campaigns to ensure that you do not have to delete customer lists”, says Kenneth.
You generally cannot use the consents you have - start work on collecting new ones.
- Map your customer data - Find out what you have, what you use, who has access and which third parties you share customer data with
- Obtain valid consent from your customers
- Establish routines and systems that ensure that customer data is deleted when it should be: either after the purpose of the processing ends or when the customer requests that the data be deleted
- Clarify that ownership of customer data belongs to the business side and try to use the mapping actively by thinking about added value in the dialogue with customers
- Make necessary changes to the ICT systems so that personal data can be moved or deleted on request
- Contact industry organisations and be active in their efforts to develop industry standards
- Enter into data processing agreements; contact your ICT suppliers and clarify how they handle your data
If you create order in your processing of customer data and obtain your customers' consent, you can "do what you want" - create exciting new services.
And like everyone who talks about GDPR these days, we have to add our little "disclaimer":
In this article we focus on customer records and consent to collect customer data. The new regulation and the legislation also address several privacy issues. We also have a lot of expertise in these, and practical experience from public and private customers. Do get in touch with us!