Managing the General Data Protection Regulation

Petri Räsänen

The General Data Protection Regulation: what companies need to know and do. 

The General Data Protection Regulation introduced by the EU comes into effect May 2018. Regulators are now using a large ruler and ready to administer strong sanctions to get companies and organizations to act in accordance with their regulations. How should you prepare for the GDPR? 

The goal of this regulation is to secure data protection as a fundamental right for all citizens of the EU.

Regulations and laws have increased and are becoming unified throughout the EU member states. Regulation effects every entity that has a temporary or permanent registry of people for marketing or customer management purposes ; or collects information about their customers; or analyzes people who visit their website. In practice, all companies and organizations.

The challenge is this: people are concerned about the lack of protection of their personal data. There are a lot of rumours in the media about how personal data is being used. As most people are aware, Facebook and Google know everything about us. Yet, at the same time, people wish to have unique personalized services that can only be created by analyzing and collecting personal data about individuals. 

To succeed in following the GDPR regulations there are four things that must be done. If even one of these is not fulfilled you will run into trouble, sooner or later.

1. Ensure that you act in accordance with the law and regulations and that you document everything.

The first step is to make sure that those in your company responsible for data protection are trained in GDPR and, when needed, be prepared to employ external help from experts.

In practice the work always starts by asking the following questions:

  • What kind of information are you handling now? How widely are you collecting information? Who is collecting it?
  • What is the true purpose of collecting this data? What are your goals for using it?

These questions will help you understand what kind of practices and behavior the law requires in different situations in which data is handled. Such situations include the following:

  • Your customers and users are always informed of the fact that you are collecting data.
  • The responsibilities of those maintaining the data recorded increases.
  • There must be a document outlining how you plan to use the data.
  • Where the data is stored and how you access it must be documented.
  • The customer has the right to rescind any agreements about collecting the data, for example, agreement that you can use it for marketing purposes. Moreover it has to be easy for them to do so.
  • The customer has the right to review their data, correct it, remove it, and limit its usage. Similarly the customer has the right to not be the subject of any automated decision making.
  • Whenever you handle information through which you can identify an individual person you need to be discernibly careful. In practice this can extend to such basic levels as tracking IP addresses for people visiting your website if additional processing of that information can help you identify individual persons. 
  • The profiling of people can mean that you have to consider how this profiling can effect the person, or decisions related to the person, and may require that the person is informed that they are being profiled.
  • For infractions against the regulations there may be penalties, for example fines, aimed at both the company and the person in charge of managing the information.

2. Shape the experience people have with data protection

By far, the biggest reason why there are problems and conflicts regarding data protection and personal information is when the customer has received or perceives to have received bad service. Therefore the most important area for applying the data protection regulation is planning for the user experience.

This may come as a surprise to many who think that data protection is an administrative activity wherein you only fulfil the requirements of the law. 

This is no longer solely the business of lawyers but, instead, a service that requires creative planning and design. A successful implementation counts on the possibility of the identification and the analysis of information so that the customers are satisfied with their experiences and trust the service provider, i.e. you. 

Information provided to people must be shaped into a form that is easily understood and benefits the user.

The customer marketing union ASML’s leader and lawyer Jari Perko instructs you “To read your data protection text when you are rushed and tired. How does it feel? Do you understand how it works?

Perko gives simple guidance for shaping the user experience. When the customer has to interact with a company using things relating to data protection (be it either on the internet, in a mobile application, in a service portal, or face to face customer service) the customer has to feel that:

  • I am being appreciated.
  • Things are handled in a quick and efficient manner.
  • I am being addressed in clear human language.

This is a challenge given all the complicated, lawyerly, terminology filled legal texts that reserve all rights to themselves that companies normally have in their internet facing services.

3. Becoming more efficient with technical solutions

Technological solutions can help you abide with data protection regulations by helping you ensure that you have fulfilled your responsibilities to inform your users in your web and mobile solutions. In practice:

  • How you handle information has to be documented.
  • You have to prove that you inform your users of how the information is used and protected.
  • You have to be able to prove that you have requested and received permission from your users.
  • Your customers have to be able to retract their permission to collect information, for example, the permission to use information for marketing purposes. Retracting permission has to be as easy as giving it.
  • You have to be able to track who uses the personally identifiable information and when. The different permissions that different users have must be documented. 
  • With regard to sensitive information you have to be especially vigilant. This can include, for example, health related information.
  • You have to be able to respond to requests from your customers and users for information about, or included in, what you collect. 

The smartest thing is to go through a crisis exercise in which you test your ability to react to situations where your data security fails. Who provides information and what kind? How do you go through logs? What do you tell your customers? And how do you restore a failed system that has been the subject of a data breech?

4. Distribute the information to your entire organization and partners

The new regulation comes into effect on 25th of May, 2018. The central content of the regulation is known, but there are still details being finalized. In practice there will be a transition period for the new regulation to take effect. 

For this reason some companies and organizations believe that there is no rush in preparing for this. However, if you disobey any part of the regulation you can potentially receive large fines, even tens of millions of euros, depending on the turnover of your organization. But the larger threat is loosing your customers trust or the situation then being talked about in the media. This is a PR-catastrophe ready and waiting to happen if a company argues or tries to explain that they haven’t yet adapted to the law after the initial adaptation period. That is not a situation anyone wants to be in in the current social media and data security climate. 

Smart companies will guarantee that their entire organization understands how the new GDPR-regulation changes their practices for data protection. Everyone must have a basic understanding of what sort of things you need to inform people and your customers of, what you need to document, and how you can use this information. 

Companies also have to verify the awareness of their partners because, according to the new law, companies are responsible for making sure that their partners follow the regulations when they handle information. 

If you react early you can turn this situation into an opportunity. Shape or phrase your data protection user experience into a service-minded experience that inspires trust, and in that way get ahead of your competitors.