The announcement of GDPR sent ripples throughout the business world. Companies which focused on sales and marketing were quick to start worrying – suddenly, they had to completely rethink how they were able to store and utilize customer data. Gone were the days of keeping unwilling customers on file and constantly reaching out to them. The pool of potential leads began to drain, with serious penalties threatening anyone who treated the regulations as needless red tape.
Worse still, there are few companies out there which can claim that GDPR does not affect them. Virtually all businesses now handle customer data in some form or another, and failing to collect, store or utilize it in line with the new European regulations can result not only in mountainous fines but also disastrous reputational damage.
Despite this, many organizations failed to fully comprehend the scope of change required to become compliant with GDPR by the 25 May 2018 deadline. The new legislation requires changes not only to storage and IT, but also staff behavior, advertising, cybersecurity, customer support and more!
However, that is not to say that GDPR is wholly negative. It can even be seen as a vehicle for positive change: with greater data security and a more receptive customer base, businesses can exercise a more personal and granular approach, with the potential to not only remain GDPR-compliant but also enjoy greater efficiency and boosted profits. Many businesses are even treating GDPR-compliance as the new ‘going green’ of public relations. For example, you could take the time to show customers how much you care about their privacy by incorporating GDPR into your advertising!
Still, there is no shortage of companies which are still only just now starting to understand why it is so crucial to study GDPR. Let’s take a look at some of the biggest reasons why upskilling your staff in GDPR should be a key priority for your company.
How will I be penalized for data protection breaches?
Before we move on to the benefits of studying GDPR, we should get the penalties out of the way. There is no denying that failing to incorporate the General Data Protection Regulation can be disastrous for absent-minded businesses. Fines come in two tiers:
- Lower tier: failing to meet your obligations as a controller or processor (for example, not securing personal data appropriately, or not notifying a breach) can carry a fine of up to €10m or 2% of your company's annual global turnover for the preceding year, whichever is higher
- Upper tier: infringing the basic processing principles, the conditions for consent, individuals' privacy rights or the rules on international transfers can carry a fine of up to €20m or 4% of annual global turnover, whichever is higher
As scary as this may sound, these fines are not quite so cut and dried as you might think. Not every offending company will lose €20m. Fines must be effective, proportionate and dissuasive, and supervisory authorities weigh a number of factors when setting them, including:
- The extent of the non-compliance
- The severity of any personal data breaches
- Measures taken to be GDPR-compliant
- The degree to which data protection by design and by default (often called 'privacy by design') has been respected
- The nature, gravity and duration of the infringement
If you are caught out, it will be paramount to demonstrate exactly what you have done to become compliant, such as training staff, carrying out risk assessments or restructuring your storage systems. Documented measures are a mitigating factor, and even fully compliant systems are not invulnerable to criminal activity; what the authority will ask is whether your safeguards were appropriate to the risk, not whether they were perfect.
You can also prepare for potential breaches by taking out a cyber insurance policy. However, this will not necessarily be an adequate safety net for major breaches: insurance providers typically cover only part of the cost of an individual breach, and in some jurisdictions regulatory fines cannot be insured at all, so check the policy wording before relying on it. Even where insurance cushions the financial blow of a GDPR penalty, it will not make up for your loss of reputation with customers. In other words, it will still be worth investing in compliance.
Fines are only one of the supervisory authorities' corrective powers. You may also face warnings and reprimands, orders to bring processing into compliance or to honour a data subject's request, temporary or definitive bans on processing, and the suspension of data flows to recipients in third countries.
Finally, keep in mind that any data subject can lodge a complaint with their supervisory authority (Data Protection Authority, DPA) if they feel that you are not respecting their privacy rights, so don't assume that you will see compliance assessments coming!
How can studying GDPR-compliance benefit my business?
Taking all of this into account, it may seem that GDPR is more of a curse than a blessing, especially if all you currently have is a general overview of the regulations. However, becoming GDPR-compliant can also present several opportunities for your business:
A large chunk of the GDPR rules cover the protection of personal data. An enterprise must have appropriate technical and organisational measures in place, proportionate to the risk of the processing, to make sure that customer data is not left vulnerable; the regulation itself names pseudonymisation, encryption, the ability to restore availability after an incident and regular testing of the measures as examples.
However, focusing on just one aspect of your security can be surprisingly difficult and expensive, not to mention the fact that it can easily leave the rest of your systems vulnerable. Instead, you can use GDPR as an excuse to upgrade your entire IT infrastructure, with healthier data protection and a streamlined monitoring process being two of your highest priorities.
Upgrading an IT system can be an expensive undertaking, especially for larger companies, but you should keep two things in mind: firstly, the costs of becoming GDPR-compliant are usually much lower than the fines for failing to do so, and secondly, in the event of a breach you will need to be able to demonstrate that you have taken sufficient steps to protect your customers, or the resulting penalties could be far worse.
One of the first steps in becoming GDPR-compliant should be to audit all of the personal data you currently hold: what it is, where it lives, why you hold it and on what lawful basis. In practice, that means refining your storage systems and removing any redundant, outdated or unusable data. Note that the test is not only whether data has value for your business: under the storage-limitation principle, personal data you no longer have a purpose for has to go even if it once seemed worth keeping.
Rather than seeing this as throwing away useful data, you should instead try to view it as spring cleaning. Not all data subjects will be equally valuable; dead leads and unengaged customers are likely taking up a great deal of space on your systems, as well as the valuable time of your employees. By removing redundant, outdated or trivial (ROT) data from your system, you could save a huge chunk of your processing and storage costs.
You will also need to keep another set of GDPR obligations in mind: data subjects have the right to access the personal data you hold about them and, in many circumstances, to have it erased, and you normally have one month to respond. That means you must be able to find every copy of one person's data across all of your systems, including backups, exports and third-party processors, not just the primary database. A streamlined, well-inventoried system makes this a routine task rather than a scramble. You do not want your staff to waste time trawling through outdated systems just to satisfy one request, but if you don't shape up your IT infrastructure then they will not have a choice!
In order to facilitate these changes, you will need to keep an up-to-date inventory of where personal data is held and why (GDPR's records of processing activities make this a formal requirement for all but some small organisations whose processing is only occasional). Some cases will also require the retirement of outdated systems and legacy software that cannot support access, erasure or retention controls. Doing so will leave you with a more refined system, with far more streamlined storage and data maintenance capabilities.
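The two operations described above, locating and erasing one person's data across every store and sweeping out records held past their retention period, are easier to reason about in code. The following is an added example, not code from the article or from any product it mentions: the stores, records, field names, the email-based subject key and the 90-day retention period are all constructed assumptions for illustration. Two details are deliberate: the lookup normalises the identifier so a stray capital letter or trailing space does not leave a copy behind, and the audit trail records a hash of the identifier rather than the identifier itself, so the evidence of an erasure does not quietly re-store the data you were asked to delete.

```python
"""Locate-and-erase plus retention sweep over several personal-data stores.

Added example; not from the original article. All data below is constructed
sample data, and the 90-day retention period is an assumption.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed reference time and assumed retention period for the sample.
SAMPLE_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
RETENTION = timedelta(days=90)


@dataclass
class Record:
    """One row of personal data: who it is about, the data, and when it was collected."""
    subject_email: str
    payload: dict
    created: datetime


@dataclass
class Store:
    """A system holding personal data (a CRM table, a mailing list, a log index)."""
    name: str
    records: list[Record] = field(default_factory=list)


def _norm(email: str) -> str:
    # Canonical form so "Alice@Example.com " and "alice@example.com" match;
    # a copy missed because of case or whitespace is a failed erasure.
    return email.strip().lower()


def subject_ref(email: str) -> str:
    """Opaque reference for the audit trail: evidence that an erasure happened
    must not itself retain the identifier that was erased."""
    return hashlib.sha256(_norm(email).encode()).hexdigest()[:16]


class PersonalDataInventory:
    def __init__(self, stores: list[Store]) -> None:
        self.stores = stores
        self.audit_log: list[dict] = []

    def locate(self, email: str) -> dict[str, int]:
        """Access/erasure step 1: every store holding this subject, with counts."""
        key = _norm(email)
        hits: dict[str, int] = {}
        for store in self.stores:
            n = sum(1 for r in store.records if _norm(r.subject_email) == key)
            if n:
                hits[store.name] = n
        return hits

    def erase(self, email: str, now: datetime | None = None) -> dict[str, int]:
        """Right to erasure: delete from every store, then log what was done."""
        now = now or datetime.now(timezone.utc)
        hits = self.locate(email)
        key = _norm(email)
        for store in self.stores:
            store.records = [r for r in store.records if _norm(r.subject_email) != key]
        self.audit_log.append({"action": "erase", "subject_ref": subject_ref(email),
                               "stores": hits, "at": now.isoformat()})
        return hits

    def sweep_stale(self, retention: timedelta, now: datetime) -> dict[str, int]:
        """Storage limitation: drop records held longer than the retention period."""
        cutoff = now - retention
        removed: dict[str, int] = {}
        for store in self.stores:
            before = len(store.records)
            store.records = [r for r in store.records if r.created >= cutoff]
            if before != len(store.records):
                removed[store.name] = before - len(store.records)
        if removed:
            self.audit_log.append({"action": "sweep", "removed": removed, "at": now.isoformat()})
        return removed


def build_sample_inventory() -> PersonalDataInventory:
    """Constructed sample data (not real customers): one subject appears in two
    stores with inconsistent casing, one record is far past retention."""
    crm = Store("crm", [
        Record("alice@example.com", {"name": "Alice"}, SAMPLE_NOW - timedelta(days=10)),
        Record("bob@example.com", {"name": "Bob"}, SAMPLE_NOW - timedelta(days=20)),
    ])
    mailing = Store("mailing_list", [
        Record("Alice@Example.com ", {"opted_in": True}, SAMPLE_NOW - timedelta(days=5)),
        Record("carol@example.com", {"opted_in": False}, SAMPLE_NOW - timedelta(days=400)),
    ])
    return PersonalDataInventory([crm, mailing])


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("located:", inv.locate("alice@example.com"))
    print("erased:", inv.erase("alice@example.com", SAMPLE_NOW))
    print("swept:", inv.sweep_stale(RETENTION, SAMPLE_NOW))
    print("audit:", inv.audit_log)
```

In a real estate the `Store` objects would wrap database queries, object-storage listings and calls to each processor's deletion API, and the inventory itself would be generated from the records of processing rather than hand-built; the control flow, locate everywhere first, then erase everywhere, then log without re-storing the identifier, stays the same.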
A more granular and profitable approach
You might be spending a lot of time worrying about the data that you will be getting rid of, but it’s also important to consider what you will have left: data on customers who want to be contacted, and who know the value of your offering. Rather than an automated and uncaring approach to hundreds or thousands of customers, why not pursue a more personal approach with the ones who really matter?
A more granular methodology for using customer data can work wonders. Employees will learn to understand and adapt to the needs, challenges and behavior of individuals, helping them to establish long-term working relationships that will ultimately be more beneficial. Your remaining leads will also be more relevant, with a higher proportion of customers clicking through to your website to see what you have to offer.
At the same time, it will also be important to change the behavior of your managers and analysts. As there will be less data to work with, managers will need to be able to make more ‘human’ judgements, considering customers as individuals and putting in the legwork to find out where their needs are not being met.
Improved company reputation
During the runup to May 2018, it seemed as though everyone was talking about GDPR. It became a trending subject, with popular publications educating the public as well as businesses on exactly what it meant. After all, cyber security and the use of customer data has featured regularly in the news for several years, with any failures often causing major PR disasters for the companies involved.
Unfortunately for most companies, the personal data they have stored makes them prime targets for cyber attacks. Outdated and poorly maintained systems are particularly vulnerable, which is why penetration testers make a living out of finding these weaknesses for corporate clients before an attacker does.
This kind of vulnerability can also damage a company’s reputation. Corporate partners will want to know that you are a safe bet, particularly if they are trusting you with their own customer data. Customers, meanwhile, may feel actively at risk using your service, and will quickly lean towards competitors which make security a key part of their public profile.
With this in mind, why not start talking about GDPR in terms of your ‘social responsibility’? After all, it is everyone’s job to take care of customer data, right? Rather than waiting for a breach to cause a PR disaster, you could instead use GDPR as an opportunity to actively improve your reputation.
High demand for DPOs
It should go without saying that data protection officers (DPOs) have been in far greater demand since GDPR came into force. The regulation requires a DPO to be appointed by public authorities, and by any organization whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; the DPO must report directly to the highest level of management.
Companies which already have DPOs are required to bring them up to speed with GDPR. This has enabled DPOs to take on far more valuable roles, advising on matters like cyber-security, data management and even public relations. There have even been cases of companies introducing their data protection officers over social media in order to promote their compliance.
That being said, GDPR's integrity-and-confidentiality principle and its security obligations mean that access to personal data should be limited to the employees who need it for their role (least privilege). In other words, you would only need to upskill the relatively small number of employees who actually handle personal data, rather than making DPOs out of the bulk of your staff.
Remember, having a trained DPO will allow your organization to both prepare for the worst and react swiftly when issues occur. This matters in practice: a personal data breach that is likely to put individuals' rights at risk must be reported to the supervisory authority within 72 hours of your becoming aware of it. As DPOs report directly to management, they can provide invaluable guidance in the event of a crisis.
A boost to customer loyalty
Not only being cyber safe, but also promoting that fact as part of your marketing, can do wonders for increasing the loyalty of both new and existing customers. Many businesses have made this a part of their social media marketing strategy, allowing them to take advantage of GDPR as a subject and even react to breaches in the news by comparing themselves to non-compliant competitors.
On the other hand, customers that see you as negligent will be far more likely to take their business elsewhere. Some may even pursue legal action if they feel that their data is being misused. It is not simply a matter of watching out for the Data Protection Authority (DPA) – you will also have to worry about the customers informing them! There is also the risk of customers flagging their concerns over social media platforms, in which case a prompt response from your data protection or customer service team will be essential for saving face.
Remember, becoming GDPR-compliant is not just a matter of admin: it can also be an essential part of your brand image.
Secure your global data
While GDPR is a European regulation, it reaches well beyond the EU: it applies to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour. Transferring personal data to a recipient outside the EU is only lawful on one of the recognised grounds: an adequacy decision covering the destination country, appropriate safeguards such as standard contractual clauses or binding corporate rules, or, for limited one-off cases, a derogation such as the explicit consent of the individuals concerned after they have been told of the risks. You cannot make such a transfer just because a third party requests it.
In other words, the risks associated with GDPR are highly pertinent to international corporations. You should not delay studying GDPR, even if you have never been to Europe in your life!