It’s easy to fall into thinking of the General Data Protection Regulation (GDPR) as a purely technical issue. In reality, it potentially touches every area of your business – and that’s a golden opportunity to change things for the better.
It’s essential for every business to understand the practical requirements of the GDPR, particularly as its implementation date is now just a few months away. But it’s equally important to understand the principles that underpin it – in particular, the distinction between privacy and security.
Both privacy and security can relate to the same data, but at different stages of its life. In simple terms, privacy is about what information you ask for and what you do with it – that is, which data you collect, store and use, and for what purpose. Security, meanwhile, is about keeping that data safe – making sure that, once you have it, it doesn’t fall into the wrong hands, and that it isn’t disclosed against the wishes of whoever provided it.
This distinction is important because it affects whose job it is to think about GDPR. If you see complying with the regulations as a security issue, then it’s the job of your IT team or provider to make sure your systems are up to the task of keeping information safe. From this perspective, GDPR is ‘just’ a technical issue – complicated and challenging, for sure, but at least it has a clear boundary, so you know what’s in and what’s out.
Privacy, on the other hand, is a far bigger issue. Depending on how your business works, many different people or departments could be gathering data from all sorts of sources. That data could take many different forms, and it could be stored in many different places. It could include everything from a phone number scribbled on a sticky note to a comprehensive CRM system containing thousands of customer records. Whenever a customer tells you information that you hang on to and use, privacy comes into play.
One of the reasons GDPR is so radical is that it gives customers back their data. In the past, once people gave you information, it effectively became ‘yours’ to use as you saw fit. Under the GDPR, people just lend you their data so you can do a particular job. You don’t own it, you’re just looking after it for a while. For some businesses, this means a big change in thinking.
None of this is bad for business, or for customer relations. Holding and using out-of-date information has never been good practice. For example, sending direct marketing to people who no longer have any interest in it is irritating for them and wasteful for you. The GDPR simply puts into law what many firms already regard as good practice.
The GDPR sets out seven principles for the handling of data. Of these, six relate to privacy; they include collecting data for a specific purpose, processing it fairly and transparently, keeping it up to date and demonstrating compliance. Only one – keeping data secure to maintain integrity and confidentiality – relates to security.
The ongoing discussion of the GDPR suggests that many firms have yet to fully comply with the principles. But they’re really not that extreme – in fact, they’re pretty much what you would hope that any company or organisation would do with your data. In reality, the GDPR is a golden opportunity to take a look at your approach to data from your customers’ perspective. Take a broad view of all your departments or functions, from marketing and customer service to IT, and ask yourself how you would like your own data to be handled. That might point the way forward to completely new ways of managing information that are more efficient for you, more satisfying for your customers and ultimately better for your business.