The Quick or the Complicated Way to Become GDPR Compliant
With GDPR there will be an effective stop to harvest customer data without a defined purpose for the registered person. Are you ready for it?
It has been a general practice in a lot of companies, that customer based data has been harvested big time. Tell us who you are, tell us what you like and then we will let you in our exclusive club with great offers. Those are data of great value and has been used for new sales, additional sales cross-selling, upselling e.g. But it is also data that primarily has been of value to the company and not for the person who registered. You can as a company always argue that it has been the way for the registered person to receive customized offers, but to be honest that argument quickly becomes a little flimsy.
Instead of the harvesting being done for the company to win, the GDPR is turning this and take the registered person’s side: how is the single citizen placed when a company collects data about the preferences for something? What interest does the citizen have in this? And if the harvesting of data can be backed up meaningful and objective – how can the company describe and document that they take good care of the registered person’s data? This is the new reality. And EU has sent a clear signal that they are serious. Companies – intentional or unintentionally – who does not fulfill the demands for the GDPR can risk a huge fine. To be exact up to 4% of the global revenue or 20 mio. euros – whatever is the highest number. Ouch!
So how are you going to handle it, if you are storing customer data that doesn´t succeed the new rules in GDPR?
When it comes to personal data, it is first and foremost important to map and classify the data that you collect and handle. Are your data personally identifiable? If data is personally identifiable they can be used to identify a person. Consider this as a puzzle: if you can collect enough pieces to give a whole meaning then the data are personally identifiable.
You need consent from the register if you as a company wants to collect and keep personal identifiable data. It varies from country to country how old you have to be to legally make consent that a company can use the personal identifiable data. Even though the consent is there it can be illegal because the register is underage. That is one of the challenges related to consent. The other is that GDPR demands that the register is being informed specifically what you are going to use the personal data for. A generic consent to use personal data is no longer a valid reason.
This will give you two opportunities
You can choose the quick way and just delete all customer data and start all over again collecting data and consent. That will make you GDPR compliant in no time. But this will also give the business a massive and nearly overwhelming task to re-build the customer database once again when you also need to sustain the daily operations.
You can also choose the complicated way to be compliant. This involves getting documented how you collected the data and the validity of the collected data and consent. This can be a very comprehensive task depending on how many people that you have data for and how well your company already collected consent.
If you choose the difficult way, then AlfaPeople can help you to make this a little easier. Please contact us.