GDPR, the European Union (EU) legislation addressing data security, privacy and use protections, is right around the corner and consumers are starting to pay attention. A recent SAS poll of U.K. citizens found that almost half plan to exercise their rights at some point after the new legislation takes effect in May of 2018. Unfortunately, many companies may not be ready to answer the call.
Gartner is warning that up to 50% of affected companies will not be in full compliance by the end of 2018 despite the hefty fines and negative customer trust implications attendant with potential shortfalls. This means that consumers need to understand not only what protections they can (and should) exercise, but also which companies are complying with the selected safeguards. Not all compliance shortfalls mean the consumer should leave immediately, and not all protections merit an automatic exercise. To this end, there are five critical questions that consumers should be asking, both their companies and themselves, as they do their GDPR homework. One important note here, U.S. companies are not immune to these questions because the GDPR mandates apply to any company storing or processing information for EU citizens.
The 5 questions will be asking are as follows:
Data Protection—Can you keep my information safe and in the (increasingly likely) event of a security breach—what are your policies for notification, mitigation and remediation? This is perhaps the most important question all consumers should be asking, and they should expect full compliance from the outset. GDPR provides rigorous mandates in this area. Data security measures must be designed into the IT architecture and accountability assigned to a Data Protection Officer. Authorities must be notified of security breaches within 72 hours of discovery. And companies must notify affected individuals in a timely way. Notifications to both authorities and individuals must include an analysis of the likely negative consequences as well as details on what the company proposes to do in mitigation. The recent high-profile security breaches at Equifax and Uber shout out the importance of this mandate. Both breaches went un-reported for significant periods of time (Uber for a year, Equifax for approximately six months), and the initial mitigation actions that Equifax provided to consumers were fraught with issues. Unsatisfactory answers to this all-important question should prompt consumers to take their business elsewhere.
Data Access, Accuracy and Remediation—What personal data do you have about me, how accurate is it and will you correct inaccuracies? The SAS poll highlighted the importance of data accuracy to consumers. 64% welcomed “the right to access” (e.g., obtain a copy of personal data held about them), and 59% welcomed “the right to rectification” (e.g., correct if personal data is inaccurate or incomplete). To be fair, many companies don’t need the stick provided by GDPR to realize the importance of correcting customer data. Loyalty programs, surveys, verifications by service reps or online chat facilities, and rewards for validating personal details are a few methods by which companies do this today. The difference with GDPR is that consumers can ask for copies of all data held and can demand correction of inaccuracies across all copies. Companies with the best intentions may have difficulty locating and integrating disparate copies of customer information dispersed throughout siloed applications. While consumers can and should ask the questions identified here, before taking drastic measures, they should ask themselves if the company is making a good faith effort to comply. If so, it would be prudent to allow the company time to work through the integration process.
Consent and Relevant Data Collection—What data collections and uses am I consenting to, is the way you are obtaining consent clear and unambiguous and do I have the ability to withhold consent for specific data collection and/or uses? The standards for obtaining consumer consent for the collection and use of personal information are much more rigorous under GDPR than they have been in the past. Automatic opt-ins (e.g., by continuing to look at a website you automatically agree to use of cookies) will no longer suffice. Each specific use will have to be clearly spelled out, and the consumer will have the ability to say no. Also, data collected should be necessary and relevant. As an example, applicable to most of us, smartphone search engines can track and store each and every search, website, advertisement and video viewed, as well capturing continuous location data, all of which is used for various purposes. While we typically have the ability to turn these data collections off, the off-switch is usually buried four to five screens deep in an account settings screen, one many of us are unaware of. Under GDPR the collection of this information and its potential uses will need to be clearly identified and opt-in capabilities provided - where we can actually see them. While we don’t advocate automatic opt-out to all collection and use, we do believe that consumers should be alert to what they are agreeing to and should take action if companies fail to be clear on this point.
Profiling and Analysis—What types of profiling and analysis are you doing with my data and have decisions that negatively impact me been made through automated analysis? GDPR gives individuals the right to weigh-in on how personal data is used. In the SAS poll, 56% welcomed “the right to object” (e.g., to using data for marketing and profiling). Consumers also have the right to ask for a human to intervene in automated decisioning routines where they feel the decision negatively impacts them. The profiling aspect of this is where consumers might want to think carefully before opting out of many analyses. Today’s consumers demand excellent customer experiences that include seamless and consistent experience across all channels and customer touchpoints without the need to constantly reiterate needs or personal information. Equally important are communications and offers tailored to meet personal needs in real time – eliminating product offers or contacts not germane to the immediate situation. Companies rely heavily on this type of profiling and analysis to provide these excellent and tailored experiences and most do so in an attempt to build a long-lasting trusted relationship with their customers; one where two-way exchange of information is encouraged in order to benefit both the customer and the company. Before exercising the right to object to most profiling, consumers should ask themselves if they are willing to forego the personalized relationships developed through customer experience initiatives.
Removal—Please stop using my personal information and remove it from all databases. Not a question really—this is more of a demand. While the SAS poll showed that 62% welcomed “the right to erasure” (e.g., erase personal data from certain systems), and between 21% and 33%planned to ask for that removal from various companies immediately, we advocate thoughtful consideration here. In the extreme cases where a company provides unsatisfactory answers to the data protection or consent questions, removal is probably warranted. Otherwise, consumers may want to acknowledge that most companies welcome the trust and improved customer relationship that can come from the transparency provided by GDPR. Constructive feedback about where companies are falling short is a good short-term course of action while companies get their “GDPR legs” under them.