The GDPR - we all know it’s coming and we all know we need to do something about it. What isn’t always obvious, however, is what to tackle first when the elements can be overwhelming - particularly with just under 6 months left.
As Head of Propositions for Experian in the UK and Ireland, I’ve been involved in conversations with many organisations and it’s clear that consent is front of mind. Whilst that is indeed critical for GDPR, it shouldn’t be at the expense of thinking about how you’re going to manage all your existing personal data assets. Having the right processes in place for dealing with data quality is fundamental to ensuring you can address all the actions stipulated in the regulation.
As you prepare for the GDPR, it’s easy to dismiss the importance of data quality to focus on other more ‘important’ aspects of the regulation. Data quality is not a new topic; it has featured on many ‘to-do’ lists before. It can be complex to deal with, so “why should I?” I hear you ask.
The GDPR is being introduced to raise the bar in the way personal data is managed and processed by organisations. It mandates that certain practices be adopted and be demonstrable – just read Article 5. Organisations must therefore create fairer and more transparent practices around the way they treat data; not just as a one-off exercise for next May but on an ongoing basis. Meeting the requirements of Article 5 is key, but the need for maintaining the integrity of your data goes much further.
Where failure to have a strong foundation of good, accurate data could be a risk, the GDPR requires organisations to implement measures to mitigate this risk. Other ‘high profile’ requirements such as consent, data security and governance are often viewed in isolation but in fact also rely heavily on good data. It’s important therefore not to overlook data quality to focus on just these aspects - get it right first and you’ll be in a much stronger position to address these and other elements. Here are two examples of where data quality plays a critical role in wider GDPR requirements:
You’ll now have only 30 days to respond to an individual’s request for information on the data you hold on them; how it’s being used; what measures have been implemented to protect it; who has access to it, etc. To fulfil these requests, organisations will need to identify every function and business unit that collects, stores and processes personal data. This is no small challenge in a marketplace where the range of data sources is so varied.
Have you considered what you’d do in the event of thousands of requests being made at the same time? A ‘SAR attack’ against an organisation that has been singled out by activists could bring an organisation to its knees; the human form of a ‘DNS attack’.
Of course, this is a worst-case scenario, but it illustrates how important it is to be prepared. Having rigorous data quality practices in place will ensure you can confidently respond to any SAR and will help simplify the way you deal with any erasure or rectification requests. It will also help minimise the risk of any reputational damage that you could suffer by either not responding to a request on time or being forced to disclose to your customers that you hold inaccurate information on them. Being able to demonstrate that you respect the data you are provided with will help foster better relationships with your customers through greater loyalty and trust.
We know the loss of personal data and the damage this can cause to a company is top of mind for many organisations. But what can you do to prepare for how you will respond in the event that a breach occurs and personal customer data is stolen? With the GDPR, the ICO is becoming more explicit in dictating what organisations should do once a breach has occurred. It needs to be reported within 72 hours and, if personal data has been stolen, all affected individuals need to be informed of the malicious activity within a reasonable time based on the sensitivity of the data taken. To do this, the contact data you hold on your customers needs to be accurate, complete and valid. If it isn’t, then how are you going to inform them?
Being compliant with the new regulation may be non-negotiable but let’s not forget the business positives that come with better data quality.
It presents the perfect opportunity to address some of the shortfalls that might affect the way you do business. It’s widely reported that poor and inaccurate data can have a negative impact on how well perceived your brand is. Rectifying these issues will help you to:
Many people will be left scratching their heads at the enormity of GDPR compliance. Management and preparation of accurate personal data is a challenge for any team that comes into contact with it.
We recommend you start by building a clear understanding of where you are with your data preparations. Is it on the radar? What activities have been set up to address this?
Next, to help grasp the size of the potential problem that you could be facing, we suggest you assess the personal data you currently have. This exercise will help you to understand where any gaps lie in the accuracy and completeness of this data.
As data quality experts, we can support you in this initial activity by analysing your data universe and returning a detailed breakdown of where any gaps exist. We have developed a GDPR service to support your data readiness that will help to pinpoint and solve specific challenges posed by its requirements.
We know that today, poor data quality remains an issue for many organisations. Our latest market report on the state of data quality highlights that 64% of businesses think inaccurate data is undermining their ability to provide an excellent customer experience. Come May 25th 2018, the onus will be on you, as custodians of individuals’ personal data, to ensure appropriate steps are taken to better understand the accuracy and completeness of the data you hold. For me, that means addressing data management and quality has to be part of the equation – ignoring it simply isn’t an option.
Consumer expectation versus business reality - https://www.edq.com/uk/resources/papers/consumer-expectation-versus-business-reality/
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.