How will GDPR affect your data strategy going forward?
Data Strategy has become an important part of business strategy within e-commerce and beyond. But, even if you already have an effective data strategy in place, it’s time to overhaul how you currently collect, store, and use data. Incoming EU-wide legislation will affect the data use of every business operating in the bloc. The General Data Protection Regulation (GDPR) will come into effect from 25 May 2018. It aims to strengthen and unify personal data protection across all member states of the EU to improve the rights of the individual. With so many businesses now holding personal information on their customers and prospects, it’s likely that GDPR will affect your data strategy in some way.
Failing to comply with GDPR could lead to hefty sanctions. While a simple written warning will be given for a first, unintentional instance of non-compliance, financial fines can reach up to €20 million or up to 4% of annual worldwide turnover.
It’s also important to note that non-compliance could affect your reputation with customers.
The impact on your legacy data
GDPR is retrospective too, which means you need to assess the data you currently hold to ensure it's compliant. So you need to think really hard about your data retention policy. Should you be holding all the data you have on customers who last purchased over 5 years ago, for example? It will actually depend on what you sell and how often your category is purchased. There's no point in keeping data you don't need, and you should certainly think about removing unnecessary fields from current datasets, especially those that contain personal data.
Your data strategy on collection
When you collect data, you will now need to make it clear to the different types of 'data subjects' you come into contact with (e.g. existing customers, prospective customers, employees, former employees, suppliers etc.) how you'll be using and storing their data. For example, how you process data for prospects should be different from how you process data for paying customers. Where you can't prove a fair and balanced legitimate interest as a legal basis for processing, you'll need the data subject's explicit permission to use data for direct marketing and other purposes. If you currently operate a data gathering model where customers actively have to untick a pre-ticked opt-in box, this needs to change too.
Protecting your data
You now have a responsibility to ensure that the data you hold is protected. Where security breaches occur, you have to act within a specific timeframe, a maximum of 72 hours, to alert the supervisory authority and, in some cases, the customers that have been affected. Having the support of fully compliant, helpful, security-conscious data processing partners can help here. They should be able to help form your data strategy.
Using your data
You are still able to use the data that you collect, especially if it's needed to run your business, to understand business performance and to report accurately. There are ways to anonymise personal data that ensure you can still understand performance and trends at an aggregated level, without needing to know a data subject's email address, postal address or phone number. You obviously need those personal details if you're to market to that data subject subsequently, or to append additional, contextual data to a data subject's profile to understand more about them and others like them. You just have to remember that the benefits of processing such data to your organisation shouldn't outweigh those of the customer. Otherwise you can't justifiably use legitimate interest as a legal basis for processing.
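As an added illustration (not code from the original article), the Python sketch below shows one way of reporting on trends without the direct identifiers: email, phone and full postcode are dropped, a keyed pseudonym lets repeat customers be counted, orders are rolled up per area and month, and cells with too few distinct customers are suppressed. The sample orders and the key are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample orders (not real customers): each row carries direct identifiers
# that aggregate reporting does not need, alongside the fields it does.
ORDERS = [
    {"email": "ann@example.com", "phone": "+44 7700 900001", "postcode": "SW1A 1AA", "order_date": "2018-03-02", "value": 120.0},
    {"email": "Ann@Example.com", "phone": "+44 7700 900001", "postcode": "SW1A 1AA", "order_date": "2018-03-20", "value": 80.0},
    {"email": "bob@example.com", "phone": "+44 7700 900002", "postcode": "SW1A 2BB", "order_date": "2018-03-11", "value": 40.0},
    {"email": "cat@example.com", "phone": "+44 7700 900003", "postcode": "M1 1AE", "order_date": "2018-03-15", "value": 200.0},
]
DIRECT_IDENTIFIERS = {"email", "phone", "postcode"}
PSEUDONYM_KEY = b"placeholder-key-kept-out-of-the-reporting-layer"  # constructed secret


def pseudonymise(order, key=PSEUDONYM_KEY):
    """Strip direct identifiers; keep a keyed pseudonym and a coarse location.

    Pseudonymised rows are still personal data under GDPR while the key exists,
    so the key must not travel with the data into the reporting layer.
    """
    kept = {k: v for k, v in order.items() if k not in DIRECT_IDENTIFIERS}
    normalised_email = order["email"].strip().lower().encode()
    kept["customer_ref"] = hmac.new(key, normalised_email, hashlib.sha256).hexdigest()[:16]
    kept["area"] = order["postcode"].split()[0]  # outward code only, e.g. "SW1A"
    kept["month"] = order["order_date"][:7]
    return kept


def aggregate(orders, k=2):
    """Roll up to (area, month) and suppress cells with fewer than k distinct customers:
    a cell built from one person would reveal that person's spend."""
    cells = defaultdict(lambda: {"orders": 0, "revenue": 0.0, "customers": set()})
    for o in map(pseudonymise, orders):
        cell = cells[(o["area"], o["month"])]
        cell["orders"] += 1
        cell["revenue"] += o["value"]
        cell["customers"].add(o["customer_ref"])
    report = {}
    for key, cell in cells.items():
        if len(cell["customers"]) >= k:
            report[key] = {"orders": cell["orders"], "revenue": round(cell["revenue"], 2)}
        else:
            report[key] = "suppressed"  # too few people behind this figure to publish it
    return report
```

The aggregate report never contains the pseudonym, so it can be shared more widely than the pseudonymised rows it was built from.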
Ability to remove data
Your customers now have the right to request that their personal data is fully removed from your databases. If you don't already allow this, you'll need to update your current processes and give your customers a transparent way to contact you in order to make their request. Again, knowing how to carry out this procedure with your data processing partner(s) will be key. So if you're not sure how to fulfil right-to-erasure requests, or indeed other rights requests, then talk to your data processing partners for guidance on this. What's certain is that you operate a number of systems, and you're almost certainly going to need to know which steps to carry out in which order, so that personal data is removed or anonymised appropriately.