On Friday 25th May 2018, the way in which British businesses approach data and privacy will need to change fundamentally. That is the date when the European Union’s General Data Protection Regulation (GDPR) comes into effect, bringing with it major changes in the way that personal and customer data can be handled.
This is one issue which really is not affected by the uncertainties of Brexit. The GDPR applies to any business that operates in the European Union or sells to EU citizens. Further, the UK government is planning for full continuity with respect to the GDPR and its impact on the single digital market. So – regardless of the status of the United Kingdom – the majority of British companies must make sure they are prepared for the change. Unfortunately, a recent survey found that 86% of organisations are concerned that a lack of preparedness could lead to the new regulation having a severe impact on their business.
The primary objective of the GDPR is to improve individuals’ choice and control when it comes to data privacy. In essence, the regulation is intended to strengthen the fundamental privacy rights of citizens and put consumers back in control of their personal data.
In part, the regulation achieves this objective by making consent a key factor in interactions with organisations. Consent goes far beyond basic considerations of protection of data, breach notifications, and the like. Unless one of the other five legal bases for data processing can be cited, organisations must gather consent from individuals to process data – and must make consent as easy to withdraw as it was to give. In practical terms, this means that giving and withdrawing consent had better be a convenient and pleasant experience.
It’s all about trust
Beyond the technical specifics of the regulation, the GDPR is a wake-up call for businesses that have for too long thought of data protection and privacy purely as a compliance issue, a ‘tick box’ exercise that is of little wider significance.
Instead, organisations should use implementation of the GDPR as an opportunity to change the way they think about consent in order to build, and maintain, trusted relationships with customers.
The movement towards digital as the default channel for most customer interactions puts pressure on personal data to flow farther and faster. However, consumers are increasingly sensitive and savvy about their personal data – and increasingly quick to take action if they feel they are being treated unfairly or exploited.
So, what’s the solution? Businesses now have an opportunity to adopt a positive new approach to privacy and consent, one that takes a broader view of the individual-business relationship based on a balanced assessment of risk management and organisational goals.
“User consent” is often seen as optional, and where data processing can be justified under a legal basis such as “legitimate business interest”, it may still be. But to succeed in building trusted digital relationships, we must be bold enough to consider changing that approach. Simply put, the time has come to ‘lean in’ to consent.
Think of personal data as a joint asset
Often businesses – or at least their marketing departments – become quite proprietary about the personal data they collect from consumers. However, in the GDPR era, that’s simply not a useful mindset.
Thinking of users’ personal data as something in which you both – business and customer – have a stake will help you to make the shift to this new era. Put yourself in your customers’ place: If this were your data, would you be happy with its treatment?
This high-water-mark approach is not just good for business; it will also help ensure compliance. Keep your eye out for new GDPR consent guidance documents, which are coming out rapidly at the moment.
By Eve Maler, VP, Emerging Technology, ForgeRock