GDPR best practice use cases highlight burden and opportunity

Mark Samuels, February 8, 2018
Marketing executives and IT decision makers can help organisations cope with growing customer concerns and regulatory pressures.

Marketing and technology executives must use the impending General Data Protection Regulation (GDPR) deadline as an opportunity to improve data management policies and boost customer trustworthiness.

That was the conclusion from an expert panel at an event held by RSA Security in London this week, which discussed the role of marketing in an age of risk. The event coincided with the release of research from YouGov, on behalf of RSA, which surveyed more than 7,500 European consumers.

More than three quarters (78%) of respondents said company reputation relating to data handling made an impact on their buying decisions. Over two thirds (69%) would boycott a company that repeatedly showed no regard for customer data.

Growing concern from consumers about data use comes as major organisations prepare for the implementation of GDPR on May 25. The regulation includes arduous data management requirements and big penalties for businesses that fail in their obligations. Businesses, and their employees who process data, must be ready.

Creating a consistent approach

Suzanne Carter-Williamson, marketing director at National Dance Company Wales, believes smart organisations will use the regulation to create an effective approach to information management. She said GDPR has helped her company to understand the importance of compliance, to bring people together and to gain an overview of its processes:

The regulation has made us question our data and that’s reassuring. We’re lucky as a touring company that we have our own box office system that’s easy to audit. When we go to different venues, we must make sure their systems are rigorous. People must understand the seriousness of data management and security measures. We try and lead and advocate how people in other organisations can take responsibility.

Carter-Williamson said the key lesson from her preparations is executives in all areas of the business should embrace GDPR. Analysing the impact of the regulation has helped the company boost accountability. She said organisations that are unprepared must focus on creating a consistent approach to data management:

We’ve gone through a mapping exercise and seen which areas are robust. The mapping exercise has helped us define what we do next. It’s an opportunity to think about how we use data and that approach makes us feel secure. I’ve found knowledge from talking to similar arts organisations. We’ve shared best practice legal advice and asked questions. You must get staff aware of GDPR, so everyone realises where additional training can make a difference, particularly across your disparate data entry points.

Developing a proactive strategy

Helena Theakstone, head of digital at retailer Oasis Fashion, has digital marketing, design and development, and customer services, as part of her management remit. She said this elevated position gives her the opportunity to take an organisation-wide view and see how data is being used across the business and by its partners:

When we take on any new suppliers, we go through our legal advisors and look at their privacy statement. When they’re not up to scratch, we won’t work with them. We’re very strict. We’ve also created a council to look at new projects and suppliers. We have key senior stakeholders in the firm from different departments who assess our processes and ensure everything is done properly. That is key in terms of educating people across the organisation and helping make sure we’re working with the right suppliers.

Theakstone said Oasis’ preparatory work for GDPR has so far focused on privacy statements and terms and conditions. She said proactive work is crucial for customer-facing organisations. That sentiment is backed up by the RSA research, which suggests consumers are willing to reward responsible companies, with 50 per cent more likely to shop with a business that takes data protection seriously:

We’ve got to be seen to be doing the right thing to stay competitive. The risk of fines is a key motivation. We want to do the right things by the customer, and we always have and will, but the potential financial impact could be huge, too. I think everyone in the organisation has GDPR front of mind now because we’ve spent the past year talking about it.

Taking executive responsibility

Chris Daly, chief executive at the Chartered Institute for Marketing, also recognised a large proportion of media attention surrounding GDPR has focused on financial penalties. The regulation includes fines for data breaches by companies of up to €20m or 4 per cent of annual worldwide turnover, whichever is greater. While potential costs are severe, Daly advised senior executives to view compliance as a spur for innovation:

A lot of people focus on the fines, but from a marketing perspective, there’s a great opportunity to re-gain the trust of your customers. Rather than just focusing on communications, you can use data to focus on experiences and help support the development of the brand. If your brand can’t deliver, your customers will go to one that can. Ethical use of data will help you to build trust.

While Daly recognised the importance of data-led insight, he also suggested many organisations are struggling to get ready for GDPR. He said senior executives should view the regulation as a learning exercise. In many cases, that education process will require a fundamental change in approach to ensure compliance:

Ignorance is not an excuse. It’s important that GDPR is viewed as an across-the-board responsibility. You can’t stand still – the pace of change will only increase. You want loyalty and that requires a professional attitude. Create departmental data protection officers and work across the organisation to create brand and customer loyalty.

Anthony Lee, partner at law firm DMH Stallard, also referred to the need to appoint a data protection officer (DPO). The regulation makes it a requirement for organisations to appoint a DPO in certain circumstances, leaving some executives to question whether the appointment is mandatory. Lee provided clarity:

Public sector bodies must have a DPO. If you’re a private enterprise, and you’re handling a lot of personal data, then you need to ask yourself the question whether it makes sense to appoint a DPO. Many organisations will still appoint an officer, so that someone in the organisation is grabbing the issue, making recommendations to the board and helping to drive change.

My take

It is encouraging to see organisations using GDPR to not only comply, but to boost customer satisfaction. However, there was a tangible sense of concern at the event that too many businesses are unprepared for the May deadline. Executives must act now – failure to prepare for GDPR could result in big fines and lost customers.
