According to the CNIL, the GDPR has helped individuals become aware of the risks involved in the use of their personal data. The French supervisory authority recorded 3,767 complaints in May 2018, compared to 2,294 during the same period in 2017.
Although around 50% of companies have taken steps towards compliance with the GDPR, none can claim to have reached 100% compliance, mainly for reasons linked to inadequate technology and hard-to-find resources. Some companies have been called out by the CNIL for not following the rules of the GDPR. However, solutions do exist that can make it easier for them to speed up the process.
GDPR: No 100% Compliance Six Months Later
The European regulation on the protection of personal data took effect last May, requiring companies to implement a whole series of measures related to consent, the right to rectification and data portability, security, and governance.
Surprisingly, those closest to full compliance aren't necessarily tech companies. Instead, they are companies that already have economic models built around multiple compliance regulations (quality, taxation, etc.), and are used to managing these kinds of requirements.
Meeting certain GDPR requirements presents a serious challenge for companies. This is particularly true for everything related to consent and the length of time data is retained. Most B2B software, installed long before the new regulation came into effect, doesn't take these personal data protection standards into account. This means that it needs to be part of the compliance process. Yet for a bank managing 300 applications, the cost of compliance is estimated at around €10,000 per app, and that only covers the question of retention period. It's an unmanageable situation, both organizationally and financially.
In the same vein, let's look at the example of software that processes both billing and customer service management, a common combination. Again, compliance with the data retention rules requires two separate types of processing: 3 to 5 years for CRM data and 10 years for billing data. All that in the same tool! It's easy to understand why solving these problems is so complicated.
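To make the "two retention clocks in one tool" problem concrete, here is an added example (not code from the article or from any product it mentions) of field-level retention enforcement on a shared billing/CRM customer record. The category-to-field mapping, the record layout, the sample record and the exact retention periods (3 years for CRM, 10 years for billing, chosen from the ranges the article gives) are all constructed assumptions; the point is that each field expires on its own category's clock instead of the whole record living as long as its longest-lived field.

```python
from datetime import date

# Constructed retention policy, in years, per data category (assumption for this example;
# the article quotes 3 to 5 years for CRM data and 10 years for billing data).
RETENTION_YEARS = {"crm": 3, "billing": 10}

# Constructed mapping of each field in the shared customer record to its category.
# Billing identity fields (name, tax_id) are needed for the invoice audit trail and so
# inherit the billing clock; customer-service fields live on the shorter CRM clock.
FIELD_CATEGORY = {
    "name": "billing",
    "tax_id": "billing",
    "invoice_total": "billing",
    "support_notes": "crm",
    "satisfaction_score": "crm",
    "marketing_opt_in": "crm",
}


def retention_deadline(last_activity: date, category: str) -> date:
    """First day on which data of `category` last touched on `last_activity` may no longer be kept."""
    years = RETENTION_YEARS[category]
    try:
        return last_activity.replace(year=last_activity.year + years)
    except ValueError:
        # last_activity was 29 February and the target year is not a leap year
        return last_activity.replace(year=last_activity.year + years, day=28)


def apply_retention(record: dict, today: date):
    """Return (pruned_record, purged_field_names).

    `record` has the shape {"customer_id": str, "last_activity": {category: date}, "fields": {...}}.
    Each field is kept or dropped according to its own category's deadline, so CRM data can be
    erased while billing data on the same customer is still within its legal retention period.
    """
    kept = {}
    purged = []
    for field, value in record["fields"].items():
        category = FIELD_CATEGORY[field]
        deadline = retention_deadline(record["last_activity"][category], category)
        if today >= deadline:
            purged.append(field)
        else:
            kept[field] = value
    pruned = {
        "customer_id": record["customer_id"],
        "last_activity": dict(record["last_activity"]),
        "fields": kept,
    }
    return pruned, sorted(purged)


# Constructed sample record: last customer-service contact and last invoice both in June 2014.
SAMPLE_RECORD = {
    "customer_id": "cust-0001",
    "last_activity": {"crm": date(2014, 6, 1), "billing": date(2014, 6, 1)},
    "fields": {
        "name": "A. Example",
        "tax_id": "FR-EXAMPLE",
        "invoice_total": 1234.56,
        "support_notes": "asked about delivery delay",
        "satisfaction_score": 4,
        "marketing_opt_in": True,
    },
}


def run_sample(today: date = date(2019, 1, 1)):
    """Apply the policy to the sample record as of `today` (defaults to a constructed date)."""
    return apply_retention(SAMPLE_RECORD, today)


if __name__ == "__main__":
    pruned, purged = run_sample()
    print("purged:", purged)
    print("kept:", sorted(pruned["fields"]))
```

Run as of 1 January 2019, the three CRM fields (deadline 1 June 2017) are purged while the three billing fields (deadline 1 June 2024) survive; the purged list is what a retention job would write to its audit log so a DPO can show the CNIL which data was erased and when.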
That's why, to date, not a single company has been able to fully comply with all rules in all its applications, not even those companies that have made the most progress in terms of the GDPR.
Multiple Challenges Remain
The true goal isn't to reach full compliance in the short term, or even to take on a regulatory challenge. The goal is to give companies an opportunity to build a real relationship of trust with their consumers, improve personalization of the customer experience, and strengthen business performance.
To get there, the first step is to set logical priorities. Identify the fundamental points to work on that will limit risk, both for users and the company's business activities.
Among these priorities, it would be wise to include data security, which comes with additional challenges like agility and cost. The goal is not only to manage the complexities of internal data security, but to better predict risk. Companies that still let users share accounts or log in with generic email addresses are forgetting that the value of the personal data they collect is now much greater than that of their financial data.
Another high-priority subject is data governance optimization. In fact, how these changes are conducted represents between 60% and 70% of the challenge. Companies need to start considering compliance as soon as a new product is designed. This requires the research, marketing, legal and commercial teams, as well as any future partners or sub-contractors, to work together. Poor data governance puts the company at risk of receiving multiple complaints, drawing the attention of the CNIL.
Lastly, to orchestrate the move to compliance, companies need to recruit or hire the services of a DPO (Data Protection Officer). This rare, and thus expensive, skill is nonetheless key to handling audits and action plans related to GDPR compliance. It's a resource that allows companies to arbitrate, which will progressively help them to comply with the law and ensure that the implemented rules are upheld over time.
Using CIAM Solutions to Accelerate Compliance
To resolve certain difficulties related to the technical demands of the GDPR, companies may choose to deploy specialized tools. Unfortunately, truly effective tools are rare and often expensive.
However, companies can consider alternatives like using CIAM (Customer Identity and Access Management) solutions to facilitate compliance. CIAM solutions make it possible to centralize consent data and manage shared profile data in one global system to be used on a case-by-case basis. Information that was initially scattered, stored in several systems within different departments, can be collected, centralized and organized by customer profile. This allows companies to gather complete, reliable, confidential data that requires secure storage. With this approach, they can keep track of all client data in compliance with the GDPR, and can also archive the data (very useful in case of a CNIL audit). In this way, companies using CIAM solutions benefit from a centralized, reliable overview of their customer data.
A CIAM solution is like a customer identity safe, and provides improved personal data governance. It's a system companies can rely on, because industry applications will know which customer data to use in their communication, marketing and advertising campaigns. CIAM solutions also become valuable tools for DPOs, assisting them in taking on and fulfilling their role.
Although to date the CNIL has not issued any sanctions for non-compliance, several companies have received a public warning. This is a rare move for the supervisory authority, which has historically kept a low profile. By shining a light on the companies that are most reckless with personal data, the CNIL probably hopes to motivate the rest to accelerate their compliance. CIAM solutions may be the best route to take to avoid becoming a target!