As we wake up to the dawn of the fourth industrial revolution – think internet of things, machine learning and quantum computing – it’s hard to comprehend the sheer scale and speed at which customer data is collated, analyzed and processed.

But as data generation spirals, so too does the emergence of guidelines aimed at regulating the handling of sensitive customer information. Rightly so, with almost four-fifths of U.S. internet users concerned about their privacy, and an even greater number fearing data breaches. With so many rules and regulations – arguably culminating in the forthcoming General Data Protection Regulation (GDPR) – becoming compliant is just half the battle of surviving in today’s data-driven marketplace.

So, how can companies ensure they’re leveraging the data revolution to optimize opportunities, while overcoming the challenges that lie ahead?

The need for robust data protection measures has been brewing for some time, and the absence of a federal data protection law across the U.S. has inevitably led to the development of several state-level initiatives. There are currently 21 proposed privacy bills across 11 states, causing a headache for national and international businesses as they navigate through a minefield of mandates to ensure they are demonstrating acceptable standards across the board.

Early-bird California appears to be quick to the table, having enacted a security breach notification law back in 2002, as well as having a proposed ballot measure in the wings, namely, the California Consumer Privacy Act of 2018.

But, amid the hype, there is one overarching piece of legislation that cannot be ignored, as it will affect any state handling the data of EU citizens. As of May this year, the GDPR, designed primarily to synchronize privacy laws across Europe and provide greater control and protection for consumers, will also play a role in setting a benchmark for U.S. data privacy policies.

In becoming GDPR-compliant, companies can be confident their data handling processes are fit for purpose, while also being prepared for any federal law which may be in the offing.

Embarking on a journey to compliance

Given the complexity of data protection legislation – the GDPR comprises no fewer than 99 articles – it can be hard to know where to start. So let’s take a look at the key requirements for businesses to ensure their data is ready:

Consider the three ‘rights’ of the consumer

The right to access (i.e. information on whether, how and for what purpose their personal details are being processed); the right to be forgotten (also known as data erasure, whereby companies have 72 hours to delete personal data once requested to do so); and the right to data portability (meaning details of data records should be supplied in a ‘commonly used, machine readable format’).

Establish explicit consent

If there’s one takeaway from the new regulation, it’s that customers must physically opt in and grant permission for a company to collect, store and process their data. This is important for record-keeping, as businesses will be responsible for supplying sufficient evidence to their local Data Protection Agency, if required, of the steps they have taken to obtain such consent.

Communicate core objectives

It’s time to update policies. It’s not enough to just send a memo announcing a new policy without further explanation or scope for discussion. For both employees and external vendors, take the time to explain why the changes are being made, and invite feedback on how new policies can be implemented. This will motivate staff and business partners to be vigilant when handling customer data, and ultimately, prevent data security breaches, which may result in hefty fines for the business. Meanwhile, informing customers of enhancements to the company’s data protection policy, via the website or other marketing channels, will demonstrate due diligence, building trust and loyalty in the process.

Become experts in data handling

If the prospect of overhauling an existing privacy policy is daunting, consider building a team of in-house data protection experts to ensure data feeds are being monitored at all times. Larger companies will also need to appoint a Data Protection Officer, which can be an existing staff member.

Don’t rewrite the rulebook

Under the GDPR, implementation of ‘privacy by design’ protocols and procedures applies only to future operations. If a company already has a robust system in place, which works well and is compliant, it doesn’t necessarily need an overhaul.

Steer away from data silos

The renewed focus on data and customer service in 2018 means that companies will need quick, easy access to their data at all times, preferably in the same place. This is especially important for larger companies, which, without the help of a centralized data warehouse, will struggle to connect data streams from online and offline touchpoints along the path to purchase, and will therefore be unable to build a complete profile of each individual consumer.

With the help of machine learning technology, brands will be able to optimize marketing campaigns on the fly, experiment with programmatic ad placements, and deliver tailored messages across multiple channels.

It’s easy to think of the GDPR as just another piece of legislation creating a mountain of red tape and confusion. But, in reality, it may just help restore order as data continues to snowball. So, as we enter the era of data-fueled creativity and innovation, don’t get caught up in the commotion. Keep cool, calm, and collected – prioritize customer privacy – and make the most of new opportunities on the horizon.
