Tiina Tamsar Winters, Business Analyst at Nortal, December 5, 2017
The EU’s new regulation on data protection will have a serious impact on business processes in most companies. To think it won’t affect yours is short-sighted. The first in line to reorganize their processes will be marketing and customer service.
When the EU’s General Data Protection Regulation (GDPR) takes full effect in less than six months, most organizations will be faced with the need to change their everyday business processes. Today, everything a company does generates data, and all of that data needs to be protected. How can you make sure your processes are in good shape to comply with GDPR?
In recent years, marketing has understood the potential of data and put that potential to good use. Analyzing data has given valuable insights into people’s habits and interests, thereby giving companies the opportunity to use highly targeted marketing to reach out to customers.
Data has become the most valuable commodity in the world. The trouble is that customers’ personal data actually belongs to them, not to the companies. Processing personal data for marketing and sales requires consent from the customer. That consent needs to be specific, informed, freely given, and unambiguous as to what kind of processing it covers. It also has to be given by a clear affirmative action.
Hence, we must review current practices of processing data for marketing purposes. Consent collected up until now will most likely be in violation of the new regulation, as most of it is ambiguous and not specific. In addition, companies must be able to prove when and how the consent was given in the case of a dispute or an audit.
As of May 2018, companies need new processes regarding how the personal information of customers is collected, stored and processed. The data collected must be adequate, relevant, and necessary for providing the service. In some cases, collecting the data is required by law.
This raises questions about how organizations collect data and what kinds of data they collect. Does a hotel really need to know my home address to provide me a bed for the night? Are forms filled out on paper or electronically, and how is the data handled afterwards? Will that filled-out form stay on the counter for the next customer to see? Will it finally end up in a trash can for the cleaning crew to see and later in a street bin accessible to everyone? Where will the data be recorded and how will it be used? Those and other questions need to be addressed.
These are not the only issues related to customer service processes. Many organizations record calls to their customer call centers. These recordings may contain personal data, which means you need to think through how the recordings are stored, for how long, and who has access to them later. You also need to have a clear understanding that your customers have to give their consent before their data can be recorded.
Interactions with call centers are just one aspect of customer service. Increasingly, customers contact organizations by sending an email. In that case, questions are often forwarded to other specialists to solve. If email or chats are used for this, customer data will be stored in email servers, inboxes, sent mail boxes, chat history and so on.
If you use Excel to analyze customer data or compile customer lists for processing, those files may also contain personal data. Frequently, they sit on someone’s laptop and you don’t even know they’re there. This raises serious questions about whether these files, and the information they contain, are protected. Frequently these practices are not part of the official process, yet they take place every day.
To tackle this issue, Nortal has developed a data governance tool, DeepScan, which can find all the personal information in databases, file folders, and other sources, including Excel and other MS Office documents, PDF files, pictures, and so on. This offers you the opportunity to find out where you really have personal data in the company, and not just where you think you have it, based on your agreed-upon business processes.
These are just some business processes that companies have and that need to change before GDPR takes full force. I strongly recommend you start thinking about it as soon as possible – you have less than six months left.