GDPR: It's time to take our heads out of the sand & become data-smart

Dan Hartveld, 4th April 2017

Despite heavy fines for non-compliance, only half of UK businesses are aware of the new data regulations due to come into force next year.

This article originally appeared on Techworld.

The EU General Data Protection Regulation (GDPR), with sweeping new requirements for the control and management of personal data as well as punishing fines for non-compliance, will come into force in 2018. It will mark a significant change in the way data is handled – and there are two points which should be at the forefront of any strategy for its management:

  • Coming out of the EU will make no difference – if we want to continue to trade with Europe, we will need to follow their lead on data security
  • Finding a way to connect legacy data systems and having the ability to extract meaningful intelligence at individual customer level is essential – it’s the only way to ensure compliance with the new regulations

A survey at the beginning of this year, carried out by data security experts LogRhythm, Gigamon and ForeScout Technologies, discovered that only 47 percent of UK businesses were aware of the new requirements, and many of those are adopting a ‘wait and see’ position until a strategy for the UK’s withdrawal from EU membership is decided.

However, it’s clear that retailers will have to prepare to be bound by the regulations if they have any business at all with Europe, which means:

  • They will have an obligation to erase data when customers ask to exercise their ‘right to be forgotten’ and withdraw their consent to storing or using their personal data.
  • They will have to get explicit consent to collect any personal data.
  • Customers must give their data freely, not because they are threatened with not being able to access services, for example. Any request for data must be made in clear and plain language and asked for separately from any other terms, conditions or information.
  • Retailers must allow customers to see their own data and be able to give them a copy of any personal data in a commonly readable format so they can exercise their right to data portability – i.e. transfer personal data from one product or service provider to another.
  • UK retailers will have to notify the Information Commissioner’s Office (ICO) within 72 hours about serious data breaches and any customers who might have had their rights affected. Failure to comply risks a fine of up to 4 percent of global turnover.

Single customer view – now it’s a must-have

Key to meeting the majority of these requirements is the ability to extract information from every system to obtain a meaningful set of data which can be made available to the customer in an easily understandable format on request.

This would appear to be the major sticking point for businesses – the idea of integrating numerous systems, some of which may have been around for years, and getting them to deliver information which can be understood outside the IT department can be more than a little daunting.

The only way to do this without investing in a very costly bolt-on which might take many months to set up and get working is to use a middle layer which can start extracting data from any and all existing systems almost immediately.

The right platform will enable even the most antiquated systems to ‘talk’ to each other and gather together all the relevant information on a truly granular level – right down to individual customers. Any business system – legacy, third party or specifically developed – can be separated into sections so that its data sits in its own space.

Thanks to application orchestration, it’s relatively straightforward to join these sections together in a way which connects systems and touchpoints into a single, unified flow of information which can be used and understood by anyone (customer, sales staff, head office) on demand, on any device.

Retailers who sign up to this method of data integration should find that the GDPR holds no fears for them – data for all of their customers, no matter where it comes from or which department’s system it is held on, should be readily accessible to whoever needs sight of it, from the ICO to individual shoppers.

Ultimately, once retailers take their heads out of the sand and face up to the inevitable change of practice brought about by GDPR, they may well see that the outlook isn’t as bad as they thought. One of the benefits of this kind of data manipulation is that it effectively forces retailers’ hands when it comes to getting a single customer view.

They can’t help but become more data-smart and gain a more rounded, cross-channel picture of their customers by complying with GDPR – there’s no avoiding it, and one of the more useful side effects will be a clearer view of the customer and their behaviour.