6 key requirements for GDPR compliance

GDPR insights

Organisations that hold personal data have had over five years to consider how they will be impacted by the General Data Protection Regulation (GDPR).

With the deadline approaching, the GDPR is fast becoming a reality, and understandably there is still a lot for organisations to do. Many will feel uncertain about what is needed to prepare and about the extent of the impact.

In early 2016 we teamed up with DataIQ to explore consumer attitudes towards sharing personal information and just how prepared businesses feel they are in the lead-up to the GDPR. We’re pleased to be able to chart this progress with the recent launch of the third instalment of our GDPR Data Preparation research.

GDPR as a growing priority

This latest research shows real progress over the past seven months as the GDPR has become more of a priority for many organisations. Back in February 2017, half of those surveyed were “very aware” of the GDPR; now, unsurprisingly, this has jumped to over three quarters.

Interestingly, however, 3.1% now feel that they are “not at all” prepared, up from 1.9% in early 2017. So as time progresses it seems that organisations are becoming more aware of what’s required and, as a result, are better able to benchmark how prepared they really are.

With just over four months until GDPR enforcement, I asked our Data Strategy Manager, Paul Malyon, to pick his top five insights from this latest research. Read on to find out what Paul thinks that means for organisations right now and benchmark how you measure up.

1) The biggest challenge: how to interpret GDPR

Of those surveyed, 42.9% rank agreeing how to interpret the GDPR as their number one challenge. This comes as no great surprise when guidance on key aspects is yet to be issued. It means that businesses are having to translate their legal obligations into workable business practice that suits their organisation without these guidelines from the ICO.

Other top challenges include:

  • Identifying required technology or fixes
  • Finding staff with the right skills
  • Agreeing new contracts with all third parties who are relied on for data and data services

Paul’s view:

The GDPR is a major piece of legislation; however, until it is challenged in a court of law, there will always be some areas of uncertainty. Every organisation will need to decide on their appetite for risk (and document it under the Accountability Principle) so that any decisions to invest (or not) can be explained to a regulator should the need arise. Keeping abreast of developments through the ICO, Article 29 Working Party, the DMA and other industry groups is also a good step. The GDPR requires that organisations appoint a DPO in some circumstances. Having this, or someone to lead the required activities, will help to navigate the challenges in a structured way. Experian also has experts on hand and a GDPR solution that can support organisations to identify key priority areas and ways of approaching them.

2) GDPR preparation: organisations are focusing on third parties

Front of mind for organisations as the GDPR approaches is identifying the third parties that personal data is shared with. When it comes to what they’re undertaking as part of their preparations, this was the most chosen option (48.3%), closely followed by undertaking company-wide audits (43.3%).

Interestingly, however, we also see that 7.3% have not identified third-party data sources or sharers, while 16.3% have not documented their personal data sources.

Paul’s view:

Identifying third parties that personal data is shared with is a vital step and how you approach this will depend on the most relevant legal processing ground.

Where Consent is the legal processing ground then sharing data requires separate Consent under GDPR from first-party usage. A challenge for organisations in this scenario is knowing if these sources themselves are compliant. Greater transparency is a major requirement of the GDPR and if Consent is being used then it’s no longer going to be enough to notify an individual that you may share their data with “selected third parties”. In a marketing scenario, Consent must be specific and unambiguous which means that it should require opt-in permission. In all cases, naming the third parties is going to be required.

Organisations can also share data under Legitimate Interests if the appropriate balancing test has been undertaken and the consumer has been notified that the processing is taking place. With transparency being a key requirement under GDPR, as a bare minimum, organisations will also have to inform consumers of the types of organisations and sectors that take their data.

It’s also worth considering how you explain why you will share data. Generally, the most relevant legal processing grounds for marketers are, as I mention above, Consent, Legitimate Interests or, where there’s a legal or contractual requirement, “performance of a contract”. There are however six different legal processing grounds and it’s wise to consult the ICO to ensure that you opt for the most appropriate model for your business.

3) The impact: Many organisations expect the GDPR to impact their business model

Across the board we see that businesses are bracing themselves for the impact of the GDPR. Even among companies that are very or somewhat prepared, the GDPR is expected to have an impact on their business model. 32.9% of all organisations expect this effect to be high, with 46.4% expecting some impact. Interestingly, of those who expect the impact to be high, half come from the group who are already somewhat prepared.

Paul’s view:

The GDPR is going to lead to changes for many if not all organisations. Marketing database managers will need to consider the potential impacts on their marketing pool, with factors such as historic consent data quality playing a part; support teams are likely to see more data subject access requests (SARs); and data analysts are likely to have more processes to follow to check that they have permission to use data in their work. If managed correctly, these changes can have minimal impact and could in fact create a range of opportunities in areas such as customer relationship building and marketing efficiency. However, all of this will require preparation in the form of Process, Technology and People (Training).

4) Poor data quality: Over two-thirds of organisations believe major functions will suffer

We saw that between two-thirds and three-quarters of firms name each of five major functions as suffering some or significant impact from poor data quality. These are:

  • Sales (63.5%)
  • Insight and analytics (66.7%)
  • CRM and customer management (71.4%)
  • Data management (72.1%)
  • Marketing (75.2%)

Paul’s view:

Ensuring accountability to the GDPR and maintaining data accuracy are two key requirements of the new legislation. Beyond this, having high-quality data is a requirement for any organisation in order to make sound judgements on everything from where to open a new store to the risks posed by fraud. Read our blog to find out more about why data quality is an essential foundation for GDPR compliance.

With so many suffering from poor data quality, there has never been a more critical time to invest in solving the issue. Whether it be via a Data Quality Firewall ensuring only high-quality data enters your data lake, a suppression service to flag goneaways or deceased records in your marketing pool, a Single Customer View across your data silos to help you manage SARs, or a data readiness assessment to identify key areas of inaccuracy for your GDPR programme, there are a number of ways that Experian can help.

5) Keeping data accurate: More than half of organisations don’t use major methods

The research specifically calls out what organisations are doing to keep their data accurate, clean and up to date. 60% do not currently use any of the major methods to do this, even though 41.1% do have point-of-use data cleansing. Adoption of all forms of data quality and data preparation services stands at between one quarter and one third of organisations.

Paul’s view:

It’s interesting to consider what has prevented these organisations from facing up to the issue of data quality before now.

As a data quality leader you may have had the vision and belief in data quality for some time now; however, you may have found it a challenge to secure funding for a major data quality tool. If this is you, we have a guide on creating a data quality business case using a lean pilot approach. The guide highlights how you can deliver a virtually zero-cost data quality pilot that drives tangible benefits to your business and demonstrates the value of further investment. If there’s another reason, we’d like to hear from you – tell us why!

To dive deeper into the findings, you can download the full report here. We are also running several GDPR Data Readiness events in the coming months. These are great forums to share your journey with peers and get insight from our expert hosts. With the deadline around the corner they’re proving very popular, so check out our events schedule and register your place to attend.

Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.