As of May 2018, a new regulation on the protection of personal data will take effect. It will have a big impact on marketing and customer relationship projects, and beyond that it is a broader concern for the brand image of the company. What are the consequences? What support is available? We explain.
As of May 25th, 2018, businesses will have to comply with a new European regulation: the GDPR (General Data Protection Regulation). The general idea of the GDPR is to give people control over their personal data and to help them better enforce their rights. With the GDPR, individuals will have control over what is done with their data: they can access all personal data a company holds about them, correct it, have it deleted under certain conditions, or request that it be transferred to another organization.
The goal of the GDPR is twofold.
First of all, the GDPR establishes safeguards against potential abuses in the exploitation of personal data, prohibiting uncontrolled and unfair collection or processing practices throughout the European Union, in a harmonized way. The notion of personal data must be understood very broadly, since it covers any data that directly or indirectly identifies an individual (name, credit card number, customer number, license plate, pseudonyms, workplace badges, IP address, geolocation or financial information, etc.).
According to Alexandre Tessonneau, IT and data privacy lawyer: “Data is the oil of the 21st century. The current legal framework, based on the Computer Technology and Freedoms law of 1978, is relatively mild with companies in non-compliance. Moreover, this legal framework is quite fragmented within the EU, because although it is based on a single legal instrument (Directive 95/46/EC), it is transposed into the national law of each member state of the EU. This leads to disparities in its application and interpretation, which hampers companies with a European dimension. With the GDPR, the European legislator has the means to finally respect the regulations regarding personal data.”
Next, this regulation aims to promote the circulation of data within the European Union. According to Alexandre Tessonneau, “The second ambition of the GDPR is to improve people’s confidence in data-collecting organizations, which will enable the digital economy to develop in the entire European internal market”. This will be facilitated by the harmonization of regulation between the various Member States, whose current fragmentation constitutes an obstacle to the flow of data within the EU. Outside the EU, the GDPR introduces dedicated tools and procedures for exporting and processing personal data more simply while ensuring an adequate level of protection.
All companies and organizations that process personal data are affected.
Does this new regulation concern everyone? “When a private or public body established in Europe processes personal data, yes,” says Alexandre Tessonneau. As we have seen, the meaning of the term “personal data” is very broad. The same goes for “processing”, which covers the collection, storage, analysis or transfer of personal data. The regulation therefore applies to an SME and a multinational alike. Note that this is also true for a company located outside the EU as soon as it handles the data of European citizens.
Our data privacy lawyer states: “Nor must we forget the subcontractors under the GDPR who handle personal data on behalf of their corporate customers, such as SaaS solution providers or customer service support centers, for example. Today, they are relatively unaffected by the regulations; with the GDPR this will no longer be the case. They may be held liable directly by the regulator and by the people whose data they process on behalf of their clients. B2B contracts for outsourced services that require the processing of personal data must include clauses guaranteeing an adequate level of protection. Under the GDPR, subcontractors will be required to assist their clients in fulfilling some of their obligations under the Regulation.”
“Don’t be afraid to give your customers control over their data, your brand image could well benefit from it!”
New obligations come with the GDPR.
Within organizations, the regulation shifts responsibility for compliance with personal data protection inside the company itself. Today, compliance is reflected in particular in the preliminary formalities to be completed with the National Commission of Computing and Freedoms. Tomorrow, these formalities will disappear in favor of a general principle of “accountability”*, materialized by new obligations, some of which apply only above certain thresholds. Thus, as of May 2018, companies with more than 250 employees will be obliged to keep an internal register listing all of their processing of personal data (identifying, describing and tracing each processing operation and ensuring its compliance). Subcontractors will also have to keep a register of the categories of processing they perform on behalf of their clients.
For public bodies, and for companies whose activity (1) involves large-scale processing of sensitive data or (2) requires regular and systematic large-scale monitoring of people, a Data Protection Officer (DPO) should also be appointed. This person will be the point of reference on all matters related to personal data.
GDPR offenders will be subject to massive fines: depending on the violation, they may reach 10 or 20 million euros, or 2% or 4% of global annual turnover, whichever amount is higher.
The GDPR impacts marketing and customer relationship projects, requiring expert support.
Within companies, the Human Resources and Marketing divisions will be the most affected. To assist organizations in achieving GDPR compliance by May 2018, Extens Consulting has decided to partner with lawyers specialized in data privacy.
For Emmanuel Richard, Associate Director of Extens Consulting: “By combining our knowledge of our clients’ business sectors and our expertise in customer experience and project management with the legal expertise of our partner lawyers, achieving GDPR compliance will go much more smoothly and efficiently”.
Kärcher understood this when it sought advice from Extens Consulting on GDPR matters.
What does this collaboration consist of?
- An audit of the current situation, together with a proposed action plan: “Thanks to the audit, we can map the different processing operations on personal data and carry out their legal analysis,” explains Emmanuel Richard, who continues: “This will help identify compliance gaps in relation to the regulations and the associated risks.”
- Support for the implementation of an action plan to close the gaps: “We assist the client in the creation and maintenance of the internal register of processing operations, the review of their terms and conditions, privacy policies, cookies, the information given to individuals and the methods of collecting their consent, supplier contracts and the legal framework for non-EU data transfers, etc.,” explains Alexandre Tessonneau. “But the story doesn’t end there! If necessary, we can assist with recruiting a DPO. We can also assist with conducting impact studies prior to the launch of a product, for example a new connected object, with consequences for the privacy of individuals,” explains Emmanuel Richard.
“The GDPR should not only be seen as something restrictive. Achieving compliance with this regulation creates a wonderful opportunity for corporations to show that they care about their clients and the processing of their personal data,” explains the head of the consulting firm.
In his latest book, Le Seigneur des Robots (‘The Lord of Robots’), Arnaud de Lacoste, CEO of Acticall-Sitel Group, also takes this view: “Trust will remain more than ever the keystone of the customer experience. […] But to maintain trust, it will be essential to ensure strict protection of personal data. […] What will make the difference between the big companies in digital and artificial intelligence is respect for principles such as transparency and secrecy.”**
“Don’t be afraid to give your customers control over their data, but see it as an opportunity to reinforce your brand image” concludes Emmanuel Richard.
* Accountability: the obligation for companies to implement internal mechanisms and procedures to demonstrate compliance with data protection rules.
** Extract from Arnaud de Lacoste’s book, Le Seigneur des Robots, pp. 69-70, published by Débats Publics, 2017.