The impact of the European Union’s General Data Protection Regulation (GDPR) has been felt worldwide. Its stated goal of providing greater control over personal data upends years of marketing orthodoxy. The “right to be forgotten,” which allows consumers to demand their personal data be deleted, alone presents a significant technical challenge for all organizations.
Originally approved on April 27, 2016, the regulation comes into force on May 25, 2018 – just under two months away. GDPR is designed to harmonize data protection laws across Europe, replacing a previous swath of laws as well as local legislation that created a more patchwork system. The most important part of the new rule to understand is that it doesn’t matter where a company is located. If a brand sells to European consumers, it must comply with GDPR. This means US multinationals as well as smaller brands that have a foothold in the European market.
The GDPR is fundamentally about three things: policies, communicating with data owners, and control of data. The rights afforded in the new rules include data privacy, permissions for data use and processing, and data retention. These are innovative rules for the digital age, and more securely place power in the hands of consumers to decide how or even if their personal data is used. By the time the regulation comes into force, brands will have had more than two years to prepare. Are they ready?
The answer is no, they’re not. According to recent Gartner research, more than 50 percent of the companies affected by GDPR will not be in full compliance with its requirements by the end of 2018. This is a problem because the penalties for not complying with the regulation can range from €10 million to €20 million, or anywhere from two to four percent of worldwide annual turnover of the previous financial year – whichever number is higher.
Those are significant administrative penalties for noncompliance, and they don’t even account for the risk of consumers suing for noncompliance. At its core, GDPR coming into force means organizations need to work even harder to receive consent for using PII and allow access for consumers to correct errors in their data.
This compliance is expensive. A recent survey conducted by PwC found that 77 percent of companies planning to comply with GDPR will spend $1 million or more on compliance costs. This isn’t surprising; substantial technical changes are needed to comply with GDPR rules around consent collection, data rectification, and data integration. These changes include solutions that unify customer data across technical silos as well as provide access to customers (data subjects in the GDPR) so they can decide where and how their data is used. With the reality that most data management solutions don’t, or can’t, accomplish this goal, organizations need to find new technologies to fulfill these needs.
The challenges of GDPR compliance led us at RedPoint Global to partner with PossibleNOW, the leading provider of enterprise consent and preference management solutions. The joint solution blends the RedPoint Customer Data Platform™ with MyPreferences® from PossibleNOW. MyPreferences empowers brands with the ability to collect and manage a granular level of consent, operationalize that consent, and maintain a historical archive of consent approval or revocation. RedPoint’s customer data platform, with its master data management (MDM) functionality, unifies customer profile data from multiple systems across the enterprise into a central location.
MyPreferences and the RedPoint Customer Data Platform combined mean consumers (or “data subjects”) can easily access their personal data and decide how or if it’s used. PossibleNOW’s solution provides a consumer-accessible front-end through its preference center, and RedPoint’s underlying data management system notifies internal systems when consumers make changes and fulfills requests to download their data. The joint solution also empowers organizations to audit their internal systems to ensure compliance, which is critical given the potential for steep penalties under the new law.
The joint solution from PossibleNOW and RedPoint Global addresses key requirements as listed in the General Data Protection Regulation, such as: the right to obtain consent (Article 6(1)(a)); the right to be forgotten (Article 17); the right to data portability (Article 20); and the right of access by the data subject (Article 15).
The combined RedPoint Global and PossibleNOW solution is designed to streamline GDPR compliance for European brands and multinationals who sell into Europe. With GDPR fast approaching, anyone impacted needs to quickly put in place the correct technical infrastructure and governance process. Only by doing this can organizations be confident that they have the right capabilities to thrive in the new normal that GDPR creates in Europe and across the globe. More importantly, they will be well positioned to succeed as additional regions and markets follow the data privacy trend. PossibleNOW and RedPoint will be there to help.