The General Data Protection Regulation (GDPR) significantly increases the rights of individuals over their data. From 25 May 2018, the date the Regulation takes effect, any person living in the European Union whose personal information is held by an organisation may invoke the articles of chapter 3 of the Regulation, such as article 17 (Right to erasure, or the ‘right to be forgotten’) or article 20 (Right to data portability), and so take control of their data.
These measures are intended to give people back power over their personal data. Refusing or failing to respond exposes companies to the maximum administrative penalties under the GDPR: that is to say, at least 40 million euro, and a maximum of 4% of annual worldwide turnover for the previous year.
So, what will happen if, come 25 May 2018, hundreds of people submit this type of request to the same organisation? Will it be able to respond, and if not, what will be its response to the regulatory authorities, and to its customers?
From awareness to action
Numerous studies have revealed the operational challenges of compliance with the GDPR. Access rights head the list. This is due to their strategic character: a failure to respect these rights presents a financial risk as well as a risk to customer relations and the organisation’s reputation. But their operational implementation also poses a problem, not least in the case of the right to be forgotten and data portability.
In a Deloitte study, 64% of organisations said that they had no idea how many applications they would receive from their customers, prospects or staff. They could be numerous indeed, like the 386 038 requests received by Google in the space of 18 months following a decision of the Court of Justice of the European Union (CJEU) to introduce a form for the digital right of erasure.
Will the activation of individual rights provoke a similar rush in the case of the GDPR? We can expect that it will: a survey showed that 82% of European consumers think they would like to exercise their new rights. Confronted with this consumer appetite, businesses seem unprepared, since only 11% of them are expecting to automate their responses to requests for erasure. The rest have simply not thought about respecting the Regulation (21%), or expect to process every request manually, either in an organised way (42%) or ad hoc (26%).
Such results are perplexing, both in terms of customer relations management and because of the costs of such an amateurish approach. They are also perplexing for their security implications, since ad-hoc processing would almost certainly mean giving a group of people exhaustive access to this sensitive data.
The right to be forgotten, from theory to application
An information system is therefore essential if these requests are to be handled. It is generally estimated that the IT project represents between a half and two-thirds of the cost of the new Regulation. The name of the Regulation is misleading, because it implies that the majority of the effort will go into protecting data, whereas it also aims to improve access to it.
Most organisations lack an exhaustive and integrated overview of their customer data. Imagine your reaction if, having exercised your right to be forgotten with your provider, you receive an email promoting a new product because the provider was unable to erase all your data.
A 360° view of customers and employees is therefore a precondition for compliance with individual rights. The very great majority of organisations still lack such a 360° view. There remains very little time in which to acquire it. And the data lake is the modern environment in which to achieve this as swiftly as possible.
Regaining the trust of consumers
The challenge of the GDPR is to establish a relationship of trust in respect of personal information. One way to do this is to enable users to take back control of their data. Some businesses have taken up the challenge, to the extent of making their personal data access portal a key aspect of their communication, as Facebook did recently in Brussels, and as Grand Lyon, MAIF, Orange and a few others have done around the Internet think-tank Fing and its MesInfos (“my info”) project.
But this is the exception, rather than the rule. In dealing with the existing laws that already provide certain access rights, most businesses respond with systems that belong to another age. Some, for example, oblige their customers to send a letter by post to their legal department in order to obtain a paper copy of their data.
The GDPR sets the regulatory bar much higher. Above all, the Regulation highlights the new expectations of customers, citizens and employees in respect of their personal data in a digital world. Quite apart from the financial risk, the damage to customer relationships from failing to respect these rights is the greater risk. Finally, the GDPR is a perfect opportunity for a business to draw closer to its customers, who will then have no reason to exercise their right to be forgotten.