In order to comply with the General Data Protection Regulation (GDPR), which harmonizes data privacy laws across the European Union, affected companies will be expected to detect, locate and access all of the EU personal data they control. This includes data that a brand may have shared with others, such as data processing partners or a dealer network, data acquired from third parties and data that has been sitting unused in a repository for years.
What’s more, in order to respond to the most basic of the data subject rights — namely, the question “Do you have any of my personal data?” — data controllers need to be able to identify and pull together all of the personal data for a given individual. (The GDPR distinguishes between data controllers — the companies that determine the purpose and the means of data processing — and data processors, which carry out processing at the direction of a controller. Data processors have no direct obligations under the data subject rights, other than cooperating with their data controller partners.)
For many companies, however, the irresistible force of this regulatory obligation will meet the immovable object of their data architecture and strategy (or lack of same). The personal data of a single customer could easily be held in dozens of systems and repositories — such as CRM, content management, email campaign tools, personalization platforms, fulfillment systems, sales records, and innumerable employees’ PCs and thumb drives — with little or no coordination or communication between them. For firms without an actual or virtual data aggregation layer, the first, indispensable step towards GDPR compliance — an exhaustive and comprehensive personal data inventory and audit — will be a huge challenge.
And yet, climbing this inventory Everest is not only unavoidable for affected firms, it can also deliver substantial business benefits. The obligation to thoroughly understand and rationalize data storage and usage is also the opportunity to create a clean and solid foundation for more efficient and productive use of personal data that could easily turn into a competitive advantage for the long haul.
Veritas Technologies estimates that, on a global average, 52 percent of all data stored by organizations is “dark” — collected and stored during normal business operations, but otherwise unused — and another 33 percent is “ROT” (redundant, obsolete or trivial). Identifying and removing a large volume of unused personal data already reduces a firm’s GDPR risk profile. The next step — aggregating data about individual consumers and making it accessible by teams throughout the organization — can trigger a virtuous cycle that transforms GDPR requirements into business benefits. Consider:
- Upon completing the hard work of the data inventory and audit, marketers and others will have far better insights into both the complete scope of the (compliant) data they can draw upon when engaging an individual consumer or a segment and the value that the processing of the data produces for the company and the consumer alike.
- Armed with these insights, marketers can describe with far greater precision the benefits consumers will receive in exchange for their data — and with more certainty that the benefit will be delivered, thus satisfying the consumer and building trust.
- The feeling that the company is trustworthy will encourage consumers to provide consent for additional collection and processing of personal data, which in turn provides still better insights, and still more precision in understanding and meeting customer needs. Companies that achieve early success with such trust- and consent-based exchanges could build a substantial competitive advantage.
Of course, this virtuous cycle is based upon the assumption that granting consumers more control over and understanding about how their data is used makes them more likely to provide more — and richer — personal data. And this is precisely the conclusion of Accenture’s latest Global Consumer Pulse Survey, which found that consumers demand and reward highly personalized experiences, but at the same time express reluctance to provide the personal data necessary to power them.
The only way to escape from this double bind, Accenture concludes, is to provide consumers with more information about and control over their data… which is exactly the primary aim of the GDPR. This suggests that the best reason to comply with the GDPR is not to satisfy regulators and avoid large fines, but rather to satisfy consumers and avoid the revenue losses that occur when they abandon you for a more trustworthy provider.