Whose Data is it anyway?
The long haul
There is a huge amount of talk just now about data privacy. In line with Elizabeth Denham’s blog in December, it is clear that the GDPR is not just a flash-in-the-pan, Y2K-style event. The new shape of data privacy is here to stay and ripples from it will last long into many of our retirements.
There are now a huge number of articles that will help you understand what steps your company has to take on this journey, such as the ICO’s own website and resources. I’m not going to duplicate that guidance here.
And let’s face it, if you’ve not started yet, reading this article is the last thing you should be doing.
Seeing the carrot
I am going to reference something Elizabeth has said a number of times now that has stuck with me and that I’ve found useful when having data privacy discussions with my clients.
“But to meet the challenges [of the GDPR], we need to move from a mindset of compliance to a mindset of commitment: commitment to managing data sensitively and ethically.
Not just because it’s the law, but because it’s part of basic good business practice, like honest pricing or good customer service.
Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.
That’s the carrot for getting it right. And there’s a pretty big stick too.”
Turning the handle
It’s normal for organisations to take a compliance approach to changes in regulations, of course. They are often organised in a way to achieve exactly that and only that.
The return on investment and the benefits realisation analysis of these Programmes will show no new customers or no new revenue, just the avoidance of censure and losses.
In taking a compliance approach to the GDPR, the danger is they completely miss the pretty tasty and wholesome carrot and will be left just fearing the stick.
Another major factor at play here is the fact that data privacy is the long-forgotten subject outside the few companies that have been stung by massive data breaches becoming public or by operating shoddy marketing activities. The Boardrooms of the corporate world have long been led to believe their organisations are currently compliant with the existing data privacy laws.
If the GDPR were a wholly new set of requirements, this would not matter so much, but the Data Protection Act and current EU Directive are very much the foundations of the GDPR.
If an organisation currently does not know what personal data it processes and on what legal basis, how long it should be held for and who it shares it with and why, then the GDPR compliance programmes run the risk of building on sand.
What is more, any GDPR Programme will need to find a way of fixing these legacy problems without revealing to its customers, staff, Board and Regulators that the organisation was not compliant with the old data privacy laws all this time.
Cold callers? Great!
We all know of companies that, as consumers, we give our custom to and in turn they process our personal data. We know very well that they have precious little awareness of, never mind focus on, building digital trust with us. It’s clear they regard our personal data as their asset to do with as they see fit.
I don’t know about you but I’m building a hit list of companies that have shown a complete disregard towards processing my personal data with care.
They have already lost my custom, of course, or are cold callers who have bought my data elsewhere. In response, I’m sure I won’t be the only one to exercise some of my newly acquired Data Subject Rights post 26th May.
Glimmers of hope
It’s not all gloom and doom, thankfully. I’m also seeing some organisations respond to this change in positive and public ways. They are announcing new portals and changes to their customer interfaces to embrace our new data subject rights.
Look out for these companies. These are the ones that will certainly be much more likely to get this data privacy expert’s custom in the future.
Privacy at the core
These early signs are hopeful, but to truly get the carrot, organisations are going to have to change significantly. This won’t happen overnight, but the ones that successfully knit together their digital and customer strategies with the requirements of GDPR will be better placed than most.
Organisations will not get many better opportunities to demonstrate they are genuinely putting their customers first than by placing their data privacy rights at its core.
As the dust settles
Come June this year, GDPR programmes will issue their final reports, count up any remaining beans and disband, their work done.
I’m being cynical here, I know. The GDPR Recovery Programme start-up date will depend on a few factors: how well the organisation has dealt with the flood of Data Subject Access Requests, the cost of compensation claims being paid out and/or the decline in customer numbers. Either those or just one fine imposed from a data breach.
To what extent the Recovery Programme is repeated will depend on at what point someone shows the Board the words from Elizabeth Denham above and they finally see the carrot.