What’s so special about May 25th? Beyond it being National Wine Day in the U.S. and the anniversary of the release of the first Star Wars movie, it's the one-year mark until the EU General Data Protection Regulation (GDPR) goes into effect. Set your countdown clocks! Any business (globally, not just the EU) that processes the personal data of EU residents will fall under the jurisdiction of the GDPR. It’s time to get into compliance or face fines of up to €20 million or 4% of annual revenue, whichever is higher.
Just what does that consequence mean? For organizations that fail to adhere to the GDPR rules, which include privacy by design, timely breach notification, informed consent, data portability, and several other data protection requirements, the penalties can have a serious business impact. NCC Group recently calculated what a recent data breach fine would be if the GDPR penalties were in effect now and found that it would balloon from £880,500 to £69 million. That’s a tough conversation with the boss or the board. IT should be helping to drive revenue and support new digital initiatives, not serving as a cost center for fines and legal fees!
With the internet of things introducing millions of new data-collecting and data-sharing devices into your digital ecosystem and more customers connecting to your business via digital channels than ever before, it’s time for a significant adjustment in the way organizations handle data. We caught up with independent GDPR analyst Chiara Rustici for her perspective from the front lines of GDPR compliance. She quite literally wrote the book on GDPR. As someone who regularly engages with organizations looking to address the legal challenges of the GDPR, Chiara had some interesting insight to share.
“What can be seen on the ground, at least here in the EU, is heightened awareness from CISOs, hit hard by the GDPR's 72-hour requirement to report a data breach to the privacy commissioners, and from in-house counsels, but no best practice,” Rustici said. “To date, few businesses have accomplished more than a basic data mapping, if that. But the solutions to data portability, data erasure, data access are still fragmented.”
But is it all bad? Not really. It’s just a paradigm shift, and anytime you’re entering new territory, it’s going to be uncomfortable.
“There is room for industry champions to really put their arms around the problem and understand it for what it really is: a new shift from personal data collected just-in-case, to data collected just-in-time for a specific mission, within a defined timeframe and with a continued control by the individual over their data. The GDPR has turned personal data from a commodity to a bespoke asset. There is no business as usual in a GDPR world.”
Preparation for the GDPR is a time for organizations to put control over personal data back in the hands of its rightful owner, the customer or citizen. Done correctly, this means organizations have an opportunity to build digital trust with their users by prioritizing privacy and consent. If customers trust you with their data, they'll allow you to use it to personalize recommendations for them, understand their habits and daily routines, and access other personal information that is crucial for improving customer experience and creating new revenue opportunities. How do you get your customers to trust you with their data? By giving them control over who their personal data can be shared with, for how long, and over what devices, and by sharing it only when they have given explicit, clear consent. Really, it’s this circle of trust that will enable the new generation of data sharing.
The organization builds trust by giving the customer control over personal data; the customer gives the organization the right to use that data because the organization is trusted. The organization builds a compelling experience using only the customer data it is allowed to access, keeping the customer loyal; the customer continues to allow access to personal data. The organization continues to protect personal data. Everyone wins in this symbiotic relationship of data sharing and protection.
“To succeed in an era of savvy consumers, innovative regulators, and data-pumping devices, you need to develop a strong vision for ‘data protection’ that welcomes data transparency and consumer data control. Without all three elements, your goals for building digital trust will fall short -- and won’t be as protective of compliance as you hope.”
– Eve Maler, VP Innovation and Emerging Technology, ForgeRock
There’s a lot you can do in the next year to prepare for the GDPR. This might include mapping how your customer data flows across your organization or simply reconsidering the role of digital identity in GDPR compliance. Digital identity enables you to get a handle on obtaining and recording user consent, data portability, reporting, and the right to be forgotten. With a single view of your customer, you can understand where your customer’s data is at all times and treat it appropriately, as the customer has consented. The GDPR is a chance to deliver a higher standard of transparency and control that is a competitive differentiator and that builds trusted customer relationships. And as in all relationships, if your customers don’t trust you, they’ll find someone else they can trust.
“For identity, GDPR represents challenges to how global organizations manage identities and presents organizations with the opportunity to provide an improved user experience by improving consumer trust.”
– Damon McDougald, North American Digital Identity Lead, Accenture
At ForgeRock, we’re helping organizations with the challenges of the GDPR. The ForgeRock Identity Platform offers innovative privacy and consent solutions. It’s the first unified identity platform to support the User-Managed Access (UMA) standard, which enables customers to control who (and what) can access their personal data, for how long, and under what circumstances. This is a new way to give your end users the power to grant, monitor, approve, and revoke digital consent from a single centralized console. You can also leverage the flexibility of the ForgeRock Identity Platform to architect transparent, step-by-step registration processes that outline exactly how personal identity data is used and who will have access to it. There are many ways to approach the privacy puzzle. To learn more about how you can build context, control, choice, and trust into your products and services, check out this white paper: Power to the People: GDPR, Trust, and Data Privacy.
Don’t just meet the minimum for data protection compliance. Use the arrival of the GDPR as the impetus for improving your privacy initiatives. It's time to secure customer data sharing, at massive scale, with an identity platform that can manage not only customers, but IoT devices as well.
Visit our GDPR page to learn more.