Most companies acknowledge the need to comply with GDPR and have taken steps to address it. It nonetheless remains a hot topic in 2020: the cost of non-compliance in 2019 has not yet been fully assessed, and after a period spent announcing the rules, regulators have moved on to sanctions. To protect themselves, companies must rethink their approach to the customer journey and put in place progressive data collection that earns the trust of their users.
Personal data protection regulations: 2020 the year of records
Even though GDPR came into force almost two years ago, many organizations are still struggling to comply with the legislation, despite the potential fines. According to a Capgemini survey last September, fewer than 1 in 3 organizations were in full compliance (source: https://www.capgemini.com/fr-fr/news/rapport-sur-la-rgpd/).
Until now, the GDPR supervisory authorities have remained relatively lenient towards companies, giving them time to comply. But audits are accelerating and, given the number of complaints and data breaches in 2019, it is likely that for some the bill will be a steep one.
Whereas only 19 fines were imposed in 2018, in 2019 the European supervisory authorities sanctioned 179 offenders for a total of €143,250,090 (source: EY - 2019, the year of the first seven-figure GDPR fines). British Airways, for example, after a 2018 breach in which attackers stole the payment card data of hundreds of thousands of its customers, faced a record proposed fine of around €204 million (£183 million) announced by the British data protection authority (ICO). On February 1, 2020 the Italian telecoms operator TIM was ordered to pay over €27 million for the unlawful processing of personal data in the context of promotional activities and the activation of unsolicited contracts. The story is only just beginning!
Data protection is a global issue, but are businesses ready?
Another phenomenon that will have to be dealt with is the international spread of regulation around the protection of personal data. Companies that export or have subsidiaries around the world are now affected by the various regulations being put in place in other countries. California (with its CCPA) and Brazil (with its LGPD) have recently adopted their own laws, and India and Canada are drafting or updating theirs, to protect citizens and make the companies that process their personal data more accountable. As a result, virtually all individuals and businesses around the world will soon be covered by at least one of these laws. By 2023, the personal information of 65% of the world's population will be protected under modern privacy regulations, compared to 10% today (source: Gartner - Predicts 2020: Barriers Fall as Technology Adoption Grows).
Companies will need to learn how to juggle these different legislative environments to ensure compliance anywhere, anytime.
From big data to minimal data
Compliance with GDPR brings another challenge, which will become more pronounced in 2020: the need to adopt a minimalist approach to data and to place greater emphasis on data quality rather than quantity. Every piece of information collected, personal or not, must serve a defined purpose. If personal data is not relevant to the business, it should not be kept.
This will force companies to limit the data they collect and retain only the data that has a real impact on their performance. This minimalist approach to data collection and processing will, at the same time, reduce their exposure to cyber risk and to sanctions from regulators such as the CNIL. By 2020, archived personal data will represent the greatest risk for 70% of organizations (source: Gartner: The State of Privacy and Personal Data Protection, 2019-2020 - Published April 15, 2019 - ID G00376084).
Cyber-attacks have only highlighted the lack of compliance with regulations.
However, nothing is inevitable. Once these observations have been made, it is clear that the regulations in force will have a positive impact on companies' brand image and customer relationships. They will help regain consumer confidence by guaranteeing a secure environment that meets customers' expectations of respect for their personal data.
Rethinking strategy to opt for privacy by design
At any time, a company must be able to prove that the consent under which it collected personal data is valid. This means it must know constantly and precisely where the data is stored, and also guarantee that the data is not kept beyond its authorised retention period. This requires a 360-degree view of its data and responsive governance. In the event of an audit, the company will have to prove its compliance within a very short time frame.
This calls for a Privacy by Design approach to the customer journey, in particular through progressive profiling. Rather than collecting everything about a customer at once, the company asks only for the data needed to process the request at hand, at each step of the customer's journey.
CIAM (Customer Identity and Access Management) platforms, like ReachFive, make it possible to manage the collection and processing of data efficiently. They have been designed from the outset to ensure confidentiality and compliance with GDPR and other international legislation, and to meet the essential regulatory requirements concerning privacy. They can quickly provide proof of the validity of consents, their origin and the chronology of every modification made by the customer. These platforms also ensure transparent use of data, as customers have access to a consent preference centre from which they can act on their privacy.
Confidence is the new pivot value
By giving consumers back direct control and a transparent view of their personal data, CIAM platforms like ReachFive enable brands to build trust and satisfaction, reduce the risk of regulatory violations and ensure the safe use of customer identification information.
By being transparent and seamless at every step, the company gains its users' trust and puts them at ease about sharing their data. The brand may also consider setting up a reward system, such as a discount or an invitation to private events, that is activated each time a customer agrees to provide their data.
Data: less data for less risk
One of the fundamental aspects of GDPR is the concept of data minimization: companies should not hold more data than they need to perform a specific task. It is time for companies to change their approach and favour first-party and zero-party data, whose source is verifiable and which performs better. IAM provides centralized control over access to employee, customer and partner information. It can be used to set not only how long access lasts, but also how long the information itself is retained, which allows user account information to be deleted in a timely and defensible way. ReachFive's CIAM helps reduce this cyber security risk while meeting data minimization requirements.
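The two mechanisms described above, proving the validity, origin and chronology of a consent on demand (the Privacy by Design section) and retaining only the data a still-active purpose justifies, then deleting accounts past their retention period (this section), are illustrated here in a small added example. It is not ReachFive code and does not describe the ReachFive platform: the `ConsentLedger` class, the `PURPOSE_FIELDS` mapping, the field names and the sample users are all assumptions of this example. It shows an append-only consent ledger that answers "which opt-in was in force for this purpose at that time?", a minimisation pass that strips every profile field no active purpose needs, and a retention sweep driven by a stated inactivity period rather than ad hoc deletion.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One user action on one purpose. Field names are this example's own."""
    user_id: str
    purpose: str          # e.g. "marketing_email"
    granted: bool         # True = opt-in, False = withdrawal
    at: datetime          # when the user acted (must be timezone-aware)
    source: str           # where it was captured, e.g. "checkout_form"
    policy_version: str   # version of the notice the user actually saw


class ConsentLedger:
    """Append-only chronology of consent changes. Events are never edited or
    deleted, so origin and every later modification can be shown to an auditor."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        if ev.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(ev)

    def history(self, user_id: str, purpose: str) -> List[ConsentEvent]:
        """All events for one user and purpose, oldest first."""
        return sorted(
            (e for e in self._events if e.user_id == user_id and e.purpose == purpose),
            key=lambda e: e.at,
        )

    def in_force(self, user_id: str, purpose: str, when: datetime) -> Optional[ConsentEvent]:
        """The opt-in that justified processing for `purpose` at time `when`,
        or None if consent was never given or had been withdrawn by then."""
        latest = None
        for e in self.history(user_id, purpose):
            if e.at <= when:
                latest = e
        return latest if (latest is not None and latest.granted) else None


# Assumed mapping of purposes to the fields they genuinely need. Any field not
# covered by a purpose the user currently consents to is surplus (minimisation).
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "order_fulfilment": {"email", "shipping_address"},
    "marketing_email": {"email", "first_name"},
}


def minimise(profile: Dict[str, str], ledger: ConsentLedger, user_id: str,
             now: datetime) -> Tuple[Dict[str, str], Set[str]]:
    """Keep only fields justified by an active purpose; return (kept, dropped)."""
    allowed: Set[str] = set()
    for purpose, fields in PURPOSE_FIELDS.items():
        if ledger.in_force(user_id, purpose, now) is not None:
            allowed |= fields
    kept = {k: v for k, v in profile.items() if k in allowed}
    return kept, set(profile) - set(kept)


def retention_sweep(accounts: Dict[str, datetime], now: datetime,
                    max_inactive: timedelta) -> Tuple[List[str], List[str]]:
    """Split accounts into (retained, to_delete) by last activity against a
    stated retention period, so every deletion is defensible."""
    retained, to_delete = [], []
    for user_id, last_seen in accounts.items():
        (to_delete if now - last_seen > max_inactive else retained).append(user_id)
    return sorted(retained), sorted(to_delete)


# Constructed sample data for the demo (not real users).
UTC = timezone.utc
NOW = datetime(2020, 3, 1, tzinfo=UTC)


def demo() -> Tuple[Dict[str, str], Set[str], List[str]]:
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("u1", "order_fulfilment", True,
                               datetime(2019, 6, 1, tzinfo=UTC), "checkout_form", "v2"))
    ledger.record(ConsentEvent("u1", "marketing_email", True,
                               datetime(2019, 6, 1, tzinfo=UTC), "checkout_form", "v2"))
    # Later the user withdraws marketing consent from the preference centre.
    ledger.record(ConsentEvent("u1", "marketing_email", False,
                               datetime(2020, 1, 15, tzinfo=UTC), "preference_centre", "v3"))

    profile = {"email": "u1@example.com", "shipping_address": "1 Rue X",
               "first_name": "Ana", "date_of_birth": "1990-01-01"}
    kept, dropped = minimise(profile, ledger, "u1", NOW)

    accounts = {"u1": datetime(2020, 2, 20, tzinfo=UTC),
                "u2": datetime(2017, 1, 1, tzinfo=UTC)}
    _, to_delete = retention_sweep(accounts, NOW, timedelta(days=3 * 365))
    return kept, dropped, to_delete


if __name__ == "__main__":
    print(demo())
```

In the demo, `first_name` is dropped because the only purpose that needed it (marketing) was withdrawn in January, and `date_of_birth` is dropped because no purpose ever justified it; `u2` is flagged for deletion because it has been inactive for more than the three-year retention period. Rejecting naive timestamps matters in practice: a consent record whose time zone is ambiguous cannot be placed reliably in the chronology an auditor will ask for.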
Contact ReachFive to find out more about how our Customer Identity and Access Management solution can help you meet GDPR requirements and leverage your data.