GDPR is a new way of serving your employees and customers.
With the advent of GDPR; numerous data breaches and misuse involving companies such as Yahoo, Facebook, Target, Equifax, and Under Armour; and Mark Zuckerberg’s recent testimony before Congress, there is increasing pressure for U.S. companies to rethink their position on the widespread collection and use of individuals’ data. Regulations within the U.S. vary from state to state, but privacy law in the U.S. is far from Europe’s in terms of scope and intent. That may be changing as recent discussions in Congress have begun to explore how (and if) to regulate companies like Facebook.
U.S. companies that must comply with GDPR may not find it reasonable to segment their customer base into groups with more protection (EU citizens) and groups with less protection (U.S.). The result could lead to a public relations nightmare as consumers learn that their privacy is not as valuable as the privacy of others.
The recent constellation of events mentioned above should cause companies to rethink issues that are directly addressed by GDPR, regardless of whether they must comply with this regulation or not. The end result of this compliance should be increased consumer trust, as well as a perception of better and more thoughtful customer service.
Many rights of a data subject (an individual) under GDPR would appeal to U.S. consumers:
- A data subject has the right to access personal data being held by a “controller” (the company which has collected that data). Many users of Facebook and Google have been stunned by the amount and type of data that is being kept about them now that users can download that data.
- A data subject has the right to rectification. In other words, the data subject has the right to correct inaccurate data.
- A data subject has the right to erasure, otherwise known as the “right to be forgotten”. This means that a data subject can insist that his/her data be deleted.
- A data subject has the right to data portability. This gives the data subject the “right to receive the personal data concerning him or her . . . in a structured, commonly used and machine-readable format”, and transfer that data to another controller.
- A data subject also has the right to insist that decisions about the subject involve a human. Decisions may not be based solely on automated processing, including profiling.
Some of these rights fly in the face of how data is currently collected and managed, but they point to better data management in the future. Issues that legacy organizations must address include:
- Identifying their data (which probably exists in multiple systems and formats).
- Determining what data is “personal”.
- Determining what data is unnecessary (and getting rid of it).
- Understanding and documenting business processes (which comes with a side benefit of highlighting opportunities for process improvement).
- Implementing a data protection approach.
- Establishing a Data Protection Officer (DPO) role.
GDPR compliance is an opportunity to approach data privacy in a new way, especially as ongoing compliance will require constant understanding of data and processes within a business. RG’s approach to data privacy is through our proprietary business analysis and requirements methodology called LINKProcess™, which is a framework for both complying with GDPR and for remaining compliant on an ongoing basis.