GDPR is a tough regulation. Achieving and maintaining a target maturity state on May 25, 2018 will require a collaborative investment of time and effort from all functions within an organisation. With its many daunting requirements and challenging fine structure, GDPR is one of the top board agenda items of every impacted organisation today. Most companies have already established their compliance programmes to come out on the right side of this regulatory regime.
Appreciating the sheer amount of change the GDPR entails, most companies are adopting a risk-based approach to compliance and prioritising the areas that will be compliant on day one of the post-GDPR era. The prioritisation criteria a company chooses are the sum total of many factors, such as existing privacy maturity and readiness, risk appetite, and the nature of the business.
A careful look beyond the extensive set of requirements captured in the 99 articles and 173 recitals will reveal that the rights and freedoms of customers and staff are at the heart of the Regulation. As companies define their target maturity state and compliance roadmap, there is a tremendous opportunity for putting forth their brand as one that customers can trust. Come May 2018, the real beneficiaries will be companies that put customer experience at the forefront of their delivery plan and approach, or in other words, focus on data processing activities that are likely to cause most detriment to customers.
GDPR offers many ways companies can enhance customer experience on their path to compliance. Requirements such as fair processing notices and consents are indeed the flag bearers of that idea. The core of customer centricity can be summarised into three facets:
(1) Being transparent and fair
(2) Empowering customers
(3) Being responsible
Being Transparent and Fair
Transparency and fairness are foundational pillars of the concept of privacy. Every privacy regulation, including GDPR, has these embedded in its set of requirements.
- As early as the first point of data collection, a company will tell its customers upfront, in an easy-to-understand privacy notice without legal jargon or fine print:
  - What data it collects and how
  - How it intends to use the data
  - Where it intends to store the data
  - Who it intends to share the data with
  - When it intends to dispose of the data
- Customers can make informed decisions on whether they want to provide their data, based on what they can expect to happen with it.
- Customers can indicate their agreement to provide data by giving valid consent. “Valid” under GDPR means informed, specific, unambiguous, freely given and, in some cases, explicit.
  - Informed – Ensuring they have read and understood the privacy notice.
  - Specific – They can provide data for one purpose but not another.
  - Unambiguous – A clear indication that they have consented, such as through an affirmative action.
  - Freely given – Without any fear of adverse consequences, including refusal of service. This is particularly relevant in the case of employee consent.
  - Explicit – An explicit statement that leaves no room for confusion or denial, such as ticking a specific consent box.
- Where personal data relates to more vulnerable customers, such as minors who may not be capable of providing valid consent, the company will seek parental consent.
- Where sensitive data, known as “special categories of data” under GDPR, is involved, the company will specify this in the privacy notice and reassure customers that it receives adequate and enhanced protection.
- The company will limit data processing to the purpose and period disclosed to and agreed by the customer.
Being transparent and fair is not a one-and-done exercise; it is rooted in a company’s customer engagement practices. Customers should be allowed to revisit their inputs any time. This brings to light another key facet, customer empowerment.
Empowering Customers
- A company will allow customers to be in the mix at all times.
  - Customers can change their consent preferences at any time, whether by changing their specificity or by withdrawing consent altogether.
  - Companies will allow customers to request such changes easily and will diligently honour their requests.
  - Companies will offer customers adequate granular choice and control when exercising their consent preferences.
- Companies will enable customers to be in control of their data and the way it is processed. Specifically, companies will allow customers to:
  - Request that a company update their data, such as for a change of address
  - Request that a company give them details of all data it holds and processes on them
  - Request that a company erase their data (or forget them, temporarily or permanently) if they are unhappy with how any of their data is held, other conditions notwithstanding
  - Object to or restrict specific types of data processing, such as direct marketing
  - Request human intervention in an otherwise automated process (automated “decision making”, to be accurate)
  - Request that their data be ported either to them or to a competitor in a structured and reusable form, preferably via a self-service portal, thus avoiding potential lock-in effects
- Companies will have in place a robust and customer-friendly request workflow mechanism and leverage it for timely and efficient fulfilment of such customer requests, providing regular status updates and an escalation path when required.
- Customer empowerment is incomplete without the company providing privacy- and security-friendly default settings in all its products and services, such as secure data transmission and no pre-ticked checkboxes.
Being Responsible
The third, and perhaps most overlooked, facet is for the company to realise that customers have entrusted it with their personal data. This means the company is expected to be fair and transparent and to act responsibly, especially in confrontational circumstances. Under GDPR, a company will not only take the utmost precautions to ensure its data processing is accurate and secure for the purpose agreed with customers, but will also be prepared to:
- Promptly notify customers in the event of a data breach that may cause them damage or distress, and advise them how to reduce the risk and impact
- Provide clear instructions and mechanisms for the prompt and fair handling of complaints, and share contact details for its data protection officer
- Provide written responses in cases where the company’s legitimate interests outweigh customers’ rights and those rights cannot be honoured
- Analyse and address any envisaged risks and impact to customers before undertaking a new data processing operation, via data protection impact assessments (DPIAs)
- Only engage suppliers and third parties that can provide at least the same level of data protection and assurance
- Train staff to handle and process customer data in the intended way
- Create awareness and promote a culture that puts data privacy and security at the forefront
Many companies are now getting serious about their preparations for GDPR, and there is a clear upswing in GDPR adoption as 25 May approaches. It is not surprising, then, that the Information Commissioner’s Office (ICO), the UK’s data protection authority, recently posted on Twitter: “…one of the most significant days for your new 2018 diary will be 25 May - the day when GDPR comes into effect...”. Most companies are taking a risk-based prioritisation approach in the run-up to the deadline, as it is well acknowledged that the amount of change is high and some areas need more focus than others. What to focus on is a matter of choice, driven by many factors. One thing seems certain: GDPR was designed to change the way companies interact with customers. The real beneficiaries will be the companies that put customers at the forefront of their implementation plans.
From initial onboarding to the end of the association, a customer journey is a multi-step endeavour. The insurance industry provides a good example: an individual starts as a lead, turns into a prospect, a quote is issued and accepted, and at this point the individual becomes a policyholder. If the individual files a claim during the course of the policy, they become a claimant, and so on. In each role, the individual’s personal data is processed in myriad ways: sending marketing emails and newsletters, issuing automated quotes, anti-fraud checks, health data processing, profiling, and so on. Customer experience starts at the very first step. If the company embeds the three facets described above (transparency and fairness, empowerment, and responsibility) in its values, there will be a greater chance of a lead turning into a prospect, a prospect into a policyholder, and a policyholder renewing a contract, which ultimately is the core business objective.