What you need to know ahead of the impending GDPR deadline

The General Data Protection Regulation will be enforced in May, but many businesses are still not ready for its new rules on data handling and storage

The General Data Protection Regulation (GDPR) was first proposed on January 25, 2012, in order to better protect the privacy of EU citizens and give them greater control over their personal data. In the time since, much has been said about the regulation: fans of the proposal have praised the way it takes back control from increasingly powerful internet firms, while critics have suggested it will create more bureaucracy and additional cost for many organisations.

Whether you are a defender or a detractor of GDPR matters little; the deadline to meet GDPR requirements is approaching fast. On May 25, GDPR will become enforceable following a two-year transition period. From that moment on, all businesses holding data on EU citizens – including those located outside the 28-member bloc – will be subject to its new rules.

Coheris is a software provider specialising in customer relationship management (CRM) and analytics, helping clients to fully exploit the potential of big data, social media and other digital tools. It not only has a range of on-premise and cloud-based services, but also a bespoke offer of GDPR products that provides support ahead of the new EU requirements.

European CEO spoke with Nathalie Rouvet Lazare, Chairman and CEO of Coheris, about the impact GDPR is set to have on businesses, and whether they will be ready for the impending deadline.

What are the prominent business considerations ahead of GDPR coming into force?
There are three main areas that organisations must consider before GDPR is implemented. First, the regulatory changes cover a broad spectrum of business processes, encompassing legal, security and IT factors. Second, companies must have the necessary expertise in order to cope with these changes. And third, business procedures must be reviewed to ensure they comply with the new rules.

Other important considerations include whether firms can identify the personal data they hold, and which members of staff are responsible for it. How data is processed and monitored will also need to be evaluated, potentially via a thorough information audit.

Is GDPR just about technology? What other constraints does it impose on businesses?

GDPR requires technology-based monitoring, but also procedure-based management. Businesses will need new tools and will have to work differently. Users of CRM solutions, for example, will have to think about personal data relevance from the moment it is collected right up to its deletion.

Everyone will have to ask themselves a series of questions: what is the nature of the data I want to collect and what is it for? How does this contribute to improving customer relationships? Does it allow me to offer a new service or new product?

Data collection must serve a clear use over a specified period of time. Moreover, businesses will have to clarify and explain to customers why they want to collect each piece of information in order to get consent.

With more businesses now able to capture, store and share personal information, will further technological growth make GDPR more of a challenge?
The digital transformation of many businesses has enabled them to collect and store more personal data than at any other point in history. Today, the flow of personal data is everywhere. Businesses can know an individual in a multitude of contexts: as a marketing target, a customer in their CRM system, or a user connected via the Internet of Things. Indeed, new technologies provide many additional opportunities to collect and handle personal data.

There has been much discussion regarding the connected car, for example, and this will bring its own challenges and obligations. Car manufacturers will need to build their vehicles with third-party data sharing rules in mind, which means being compliant with the privacy-by-design and privacy-by-default requirements of GDPR. In other words, companies will be required to have a global view of the personal data they manage.

Is the new GDPR ruling something just for IT departments to consider, or is it likely to require a cultural change across the entire business?
IT departments will play a key role in the implementation of GDPR compliance, but it will also require a cultural change. Companies will have to look at new ways of collecting and handling personal information, even though change might initially appear to be constraining.

However, there are business benefits to changing company attitudes; letting customers know about the data being held will help build deeper trust and therefore improve and increase loyalty. Explaining the purpose of collecting customer data will bring transparency and, in turn, reinforce the customer relationship.

Could GDPR push organisations to take a more data-centric approach? If so, how can companies use this to their advantage?
GDPR will force organisations to record every piece of personal data they hold and maintain a register of all activities that contain personal data. This means more procedures and documentation on data acquisition and usage, which will introduce greater complexity. The new requirements will also make data more visible, increasingly valuable and of a higher quality, forcing businesses to introduce new processes and tools to properly manage and monitor it.

The advantage of GDPR is that it will force businesses to think about data usage and the added value it will bring. In data terms, it’s an opportunity to move from a volume-based strategy to a value-orientated one. Previously, businesses had to build a customer-centric strategy, and this was mainly a marketing challenge. Then, the issue was to build a data-driven approach, which was a global company challenge. Now, we have GDPR, which is a legal challenge that every company must embrace and apply.

Are businesses likely to be ready for the deadline?
In France, many companies are still not prepared for the May deadline and are unlikely to be fully compliant. Companies will be asked to demonstrate that they have an action plan for their journey to GDPR compliance, and failure to meet the new regulations could result in fines of up to four percent of annual global revenue, or up to €20m. However, there is still uncertainty as to when the penalty will be imposed and to what extent organisations will be inspected.

What should businesses be doing now to ensure they meet the requirements of the new regulation?

First, businesses must become more knowledgeable regarding the new GDPR requirements, and the impacts it will have within the company. They must ensure all employees are aware of the new law and the changes resulting from it.

Accountability must also be addressed. Companies need to identify a pilot data protection officer or assign someone to take responsibility for data protection compliance and oversee employees across the organisation.

What plans does Coheris have for the future?
Coheris’ solutions are regularly upgraded to address new consumer behaviours. For example, Coheris has developed a social and text mining module linked to a company’s CRM, which shortens the processing of customer requests through automated analysis and classification of incoming messages.

We will continue to develop value-added modules that enhance the Coheris CRM Suite and other applications in order to meet customer expectations and needs. Developing our analytics solution remains one of our major priorities; this means meeting business intelligence and analytics requirements, and helping companies become more data-driven. If we can successfully encourage businesses to give data the importance it deserves, then meeting the upcoming GDPR should be achievable.