Everyone has read and commented on the news of Amazon buying Whole Foods, a purchase that allows Amazon to better connect the digital and brick-and-mortar worlds. The deal will improve the costs for the customer due to Amazon's amazing purchasing power and has the potential to make the shopping experience personalized. At the same time, do I really want Amazon to know when I buy milk at my nearest Whole Foods? Amazon, can you forget me?
Consumers are clamoring for approaches to prevent Google, Amazon, and Apple from intrusively knowing everything about them. In this regard, Europeans are ahead of the game.
After four years of preparation and debate, the EU Parliament in April last year approved the General Data Protection Regulation (GDPR). Designed to harmonize data privacy laws across Europe to protect and empower all EU citizens’ data privacy, GDPR is reshaping the way organizations across the region approach data privacy. It allows customers to have a say, by way of consent, in how their personal information may be collected, used or shared.
Personal data is any information related to a natural person or “Data Subject” that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, social network posts, medical information, or a computer IP address.
GDPR empowers EU citizens with numerous tools to control how their interactions with organizations are distributed. Just as they can use “consent” to selectively tell an organization how their data can be used, they can exercise their “right to be forgotten” (RTBF), “right to restrict processing,” or “right to object” to tell the organization when they should be left alone. This is driving organizations to scramble to change the way they engage with stakeholders and store their information.
Implementing GDPR is an onerous task for most organizations.
Integrated Channel Assessment and Consent Process
Organizations have to assess, across all their interfaces, when and where they are asking for personal information and, more importantly, how they are storing it. Many organizations are in the preliminary state of assessment and have not implemented rules to ask for consent through the engagement process.
People interact across multiple channels: Web, Mobile, contact centers. All channel interactions need to be appropriately mapped, and specific questions on consent should be asked during the interaction. Organizations also need to implement mechanisms to facilitate withdrawal of consent, which must now be as easy for individuals as it is for them to give consent in the first place.
Robust Stakeholder Data Management: From systems of record to systems of engagement
Most organizations store personal information in multiple systems of record. While it is easy to delete an entry/access within a specific record, GDPR requires the ability to remove specific attributes of personal information across all systems. Organizations without a master data management strategy will struggle to retain and delete records selectively across systems of record.
GDPR is all about making sure that through every engagement activity we are getting the right permission to store and access personal data to provide better and contextual engagement. Designing systems of engagement will help organizations address GDPR requirements more simply than by working with multiple systems of record.
Permission and Provisioning
As users provide consent to store/collect their personal information, they provide permission for organizations to use that information to deliver more contextual engagements. One needs to put forth robust permission and provisioning infrastructure to ensure that the data/information is used appropriately and not used in ways for which permission was not granted.
The burden of proof falls on the organization to show how well it has leveraged these permissions and how it has provisioned access to the right stakeholders to leverage the information.
Ability to be forgotten
Most systems have archival and backup mechanisms. Organizations should have a robust set of procedures for storing and processing backups of personal information. One needs to look closely at backup and archival mechanisms to figure out the right way to remove all information when the user requests to be forgotten, unless there are legitimate grounds for overriding such requests.
The US created a similar program under the previous administration, the Consumer Privacy Bill of Rights Act (CPBORA), in 2015, but there are currently several modifications/repeals to that act.
So, my request for Amazon to forget me may be easy, but if I am a European then I am supported by GDPR, as opposed to the US, where it is still left to interpretation. Irrespective of citizenship, global organizations need to design privacy-friendly measures and will have to put substantive resources and effort into implementing them.