It’s officially the last minute. As the May 25 deadline for the EU’s General Data Protection Regulation (GDPR) approaches, concerns about lack of preparation are escalating. Those companies that are just getting started, or have a lot of work left to do, should make sure they have set the right priorities and tackle them with laser focus.
Before diving into the complex requirements outlined in GDPR, many companies think they will only need to focus on their corporate website. This is often how marketing groups end up spearheading compliance for this new set of rules. Marketing teams that find themselves in a GDPR leadership role need to understand they are not likely (or able) to achieve optimal results going it alone. They should start by evaluating the need and strategy for a comprehensive company ecosystem approach involving, at a minimum, legal, IT and cybersecurity teams and extended partner ecosystems.
If your company has waited until the last minute and is still in the early stages of implementing a GDPR program, focus on establishing a ‘risk ready’ posture. At a minimum, develop a “prove you are taking this seriously” stance that hinges on detailed strategic planning and immediately getting teams aligned behind top priorities.
Keep your priorities straight
You can be sure that regulators are taking privacy concerns seriously. Due to the recent rash of high profile data breaches, the spotlight on privacy controls burns brighter than ever. These stories are not only hot topics in the public sphere, they illustrate starkly why privacy matters. It’s no longer just a matter of compromised credit cards; in many cases personal safety and the integrity of critical systems (e.g., finance, government, infrastructure) is at stake.
In Europe, laws like GDPR codify individual privacy as a fundamental right. U.S.-based companies should integrate this perspective as they work to comply with GDPR, HIPAA, and future regulatory developments. While some companies may be trying to simply check off consent requirements or establish “legitimate interests” justifications, true privacy controls that address the full complexity of GDPR—and the rising challenge of maintaining customer trust in the digital era—have to dig deeper.
The ecosystem approach
For most companies, GDPR compliance activities will go way beyond marketing and public-facing websites. Legal help will be required to interpret the requirements and evaluate existing and new privacy policies. Technology teams will have to help with data flow analyses, data inventories, and audits. Cybersecurity experts will be called on to address encryption, privileged access, payment systems and database protections. Legacy systems may prove to be a particular challenge for IT and infosec teams, especially when it comes to the “right to be forgotten.” Engineering may need to address product-based privacy controls (especially for IoT-enabled products).
Marketing, of course, is in a unique position to handle customer- and public-facing communications and consent-based interactions. All departments will have to manage their (sometimes interlaced) third-party ecosystems, ensuring that vendors processing customer data are also GDPR compliant. The more closely these stakeholders collaborate, the more complete and effective compliance preparations will be.
A documented, enterprise-wide effort is sure to be viewed more favorably by regulators than one that only touches on websites and other obvious customer touchpoints. Marketing leaders can use their special skills to sell GDPR preparations as an ongoing and meaningful opportunity for the enterprise to get its data game together and build stronger, more sustainable customer relationships.
After the deadline
For all companies, but especially for those just now starting this journey, the work isn’t over at the end of the month. Enforcement will certainly increase and change over time; it’s important to follow these developments and reconfigure policies and processes accordingly. To ease the burden of GDPR and similar regulations, marketing and other departments will need to automate data privacy processes, from tracking data flows and streamlining “forgetting” procedures to systematizing vendor assessments and onboarding.
Incident response and breach notification processes will have to be planned, rehearsed and fine-tuned; be sure to include representatives from all relevant teams (from the CFO to public relations). Building in checks and balances (e.g., data governance workflows, risk management reviews) between functional departments will help close any gaps and avoid a scenario where marketing is left with all the responsibility and liability.
Keeping the focus on customer empowerment, which is the underlying intent of GDPR, will help ensure that policies are developed with the public in mind—clear, complete and free of jargon or obfuscation. This orientation should also help the marketing team shape their strategic plans and bring much-needed focus to improving data-driven marketing practices.
GDPR should be good for business
Privacy regulations like GDPR center around increasing transparency and control from the consumer’s perspective. This may be unnerving to marketers, but it’s the direction customer-driven products and services are moving in. Systematized processes that increase data transparency and control across the enterprise will reap benefits well beyond customer trust. Better data governance will reveal high quality insights for marketing and business operations. The ecosystem of partners and vendors will be made stronger by enhancing supply chain management to ensure control over data flow and processing. Once systems and processes are in place, cost savings should result from smarter, more efficient use of higher quality data pools.
In general, bringing marketing, technology and operations practices into close alignment with GDPR requirements should go a long way toward building a culture of privacy, security, and accountability across the organization. This leaves the enterprise more prepared for the challenges of digital transformation, global competition, and cyber threats.
Working within the limits imposed by GDPR requirements may initially feel burdensome, but such discipline can compel organizations to re-center and drive innovative problem solving. Marketing departments have faced a rapid-fire series of daunting, but ultimately metamorphic, challenges over the past twenty years. It’s time to dive into GDPR, keep the customer front and center, and become a champion of privacy—with an eye on enriching your brand, business, and brilliance on the global stage.
Paul Sonntag is practice director of global privacy at Coalfire.