This is the second post in our blog series about the European Union’s General Data Protection Regulation (GDPR), which came into full effect last month (25th May 2018). Last time we looked briefly at what’s new in the regulation and what it means for any company, anywhere in the world, that captures and processes the personal data of EU citizens.
This time we consider what it takes for organizations to be ‘transparent’ and ‘lawful’ in their data processing, and explore how the underlying principles of the GDPR, when applied more widely across an enterprise, can help companies align with changing customer expectations.
Transparency and lawfulness
The GDPR requires that organizations processing personal data do so lawfully, fairly, and in a transparent manner. Transparency is a key principle of the new regulation, and Articles 13 and 14 detail what companies must tell individuals when collecting their personal data, including what it will be used for, who it will be shared with and how long it will be kept. This is known as ‘the right to be informed’ and meeting it is necessary to comply with the regulation’s strict transparency rules.
Companies must also identify a valid reason for collecting and using an individual’s personal data, and that reason must be in place before processing begins, not worked out afterwards. The decision must be documented, because accountability is another key element of the GDPR. Each valid reason is known as a ‘lawful basis’, and to process personal data lawfully under the GDPR you must meet at least one of them. There are six in total. Four of them, 1. Contract, 2. Legal obligation, 3. Vital interests and 4. Public task, are specific and concern relationships with or responsibilities to individuals. The fifth, 5. Legitimate interests, is more flexible but requires a balancing test: a genuine and compelling reason, processing the individual would reasonably expect, and a minimal impact on their privacy. The sixth is 6. Consent.
Consent and control
Consent offers individuals the most choice over how their personal data is used, and under the GDPR the standard is high. Consent must be freely given, specific, informed and unambiguous; it must be documented; and it must be as easy to withdraw as it was to give. For special categories of data, such as health data, it must be explicit. It should also be granular, allowing individuals to consent to some things and opt out of others. Consent, under the new regulation, gives control back to the individual, and control, together with transparency and accountability, is a cornerstone of the GDPR.
The good news for companies is that, looking beyond the new regulation, giving individuals control over how they interact with businesses builds trust and increases customer satisfaction. This reflects a noticeable shift in customer expectations too. Today’s customers are less passive in their relationships with the companies they do business with. They demand more choice than before, and companies would do well to give their customers ways to exercise it.
Implementing a comprehensive preference management solution may well be one of these. Companies that can deliver customer communications through multiple channels, whether marketing messages, transactional information, policy documents, T&Cs and so on, while giving individuals control of this process through an interactive preference management tool, are providing their customers with the choice they are looking for. For the purposes of the GDPR this also provides a transparent and simple way of recording consent and reviewing or withdrawing it later.
In our next blog we’ll look further at the rights of individuals under the GDPR. We’ll examine how customer information is captured, stored and managed within enterprise content management (ECM) systems and archives, explore whether this could be a barrier to GDPR compliance and, if so, what companies can do about it.
For more information about CrawfordTech’s preference management solution, PRO Preference Manager, click here.
This is part of a series of blog posts on GDPR. Read them all!
Your Enterprise Content Management System and GDPR
The General Data Protection Regulation
Fine Grained and Coarse Grained Records Management
Is Your CCM Archive Compliant?
Keeping Data Secure – Your Responsibilities Under the GDPR Part 1