Why tell customers about their personal data? Just because GDPR says so?

Share this post:

Transparency is one of the key parts of the European Union’s General Data Protection Regulation (GDPR) with which companies must comply by May 25, 2018. Personally I find this very surprising. I’m not talking about the fact that under this new legislation, individuals gain the right to know what personal data an organization has collected about them, and what it’s used for. What amazes me is that we do in fact need regulation for this at all. Shouldn’t transparency be there by default? And why would I mind my data being used, if it’s clear that this is being done for my benefit and with due diligence?

Let’s take a look at a few examples. Modern cars collect all kinds of data about where we drive, the way we drive and how fast we drive. Alarming? Maybe, but if I know that the car company is only using this information to optimize the maintenance of my car and doesn’t share it with others, I don’t have an issue. The same goes for the temperature control system in my house. I think it’s great that my power utility wants to help me cut back on my monthly energy bill, but I wouldn’t be amused if my data was hacked with the intention of clearing out my house while I’m on vacation.

What we learn from all this, is that taking good care of personal data basically implies three things. First, transparency is essential: make clear what data you’re holding as an organization and why you’re doing it. Second, you need to appropriately guard this information to make your customers, clients, patients or citizens feel secure. And last but not least: you must interact with them on an individual level and tell them what you are doing with their data, why this is beneficial for them and how you’re looking after it. This way, they will happily grant their consent for using it as a marketing tool, implicitly or explicitly. In essence this is what GDPR requires companies to do from 2018 onward.

So what should you focus on in your own efforts to prepare for GDPR over the coming year?

Read the whitepaper for considerations and recommendations to help you prepare for the upcoming GDPR data privacy standards.

In my opinion there are five areas of attention you need to assess:

1. Governance – Determine how you can embed GDPR into processes, norms and values. What measures need to be taken, are they effective and how can you improve on them?
2. People and communication – Train your employees in living your norms and values. They need to know the risks and impact of using and protecting private data.
3. Processes – Take a look at your processes: how will GDPR influence them, what’s the impact and how to implement the required changes?
4. Data – Assess what data you have and what you’re using it for, and consider how to interact with individual customers, clients, patients or citizens. This is crucial in order to offer the transparency and gain the trust that I was referring to earlier. By doing this you will also prepare for GDPR from a business point of view. Setting up a Customer Interaction Center (CIC) can help you do this.
5. Security – Secure your data in every way possible. Implementing firewalls, using encryption, monitoring data usage, etc. can prevent leakage and will also help to build trust.

Read the whitepaper for considerations and recommendations to help you prepare for the upcoming GDPR data privacy standards.

Rob Langhorst, European GDPR Offering Leader, IBM The Netherlands

Note: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsibility for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.  The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability.  IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.