More than a quarter of organizations globally are not prepared to comply with the European Union’s new General Data Protection Regulation (GDPR), which goes into effect today, according to a survey conducted by SAP Hybris.
In short, GDPR is all about personal data transparency and accountability on the part of data collectors. It requires companies with customers in any of the 28 EU member states to obtain consent from individuals before collecting and using their personal data, and that data can only be used for the stated purpose. It also gives individuals the right to see what data has been collected and calls for fast disclosure of any hacking or data theft event. Consumers can even ask to have their collected data wiped out, through the regulation’s so-called “right to be forgotten.”
The types of data protected under GDPR include personally identifiable information (name, address, date of birth, etc.); web-based data (user location, IP address, cookies, RFID tags, etc.); health and genetic data; biometric data; racial/ethnic data; political opinions; and sexual orientation. Unlike a 1995 EU data privacy directive which it supplants, GDPR requires all member states to adopt the regulation.
In SAP Hybris’s survey of 165 executives in marketing and ecommerce across five continents, 26% of respondents said they either didn’t have a plan in place to comply with GDPR or weren’t sure if a plan existed.
Another 50% of respondents said they have a plan in place and have started implementing changes, while 23% said they have a plan but haven’t taken action to implement it.
Of the 50% who have begun implementation, SAP Hybris found, 61% used an internal expert from a non-marketing function to inform the GDPR compliance plan, while 39% used an outside expert or consultant.
Those who said they have no GDPR plan in place had some interesting perspectives. Forty-two percent said they didn’t believe the EU directive applied to them and 26% said they don’t collect the type of data protected under GDPR. Another 19% believe they still have time to act – even as the deadline is upon them.
Companies with no plan in place may be taking a head-in-the-sand approach, mixed with some doubt about the EU’s ability to punish non-compliant entities, especially abroad. Exactly how well the EU and its member states will be able to enforce GDPR remains an open question that will be borne out over time. But is this approach worth the risk? Fines for non-compliance are hefty, ranging up to 20 million euros or 4% of the company’s prior year’s revenue, whichever is higher, for failing to meet various aspects of the directive.
Enforcement issues may arise since companies are required to provide a “reasonable” level of data protection and privacy for customers, keeping it only when consent is given and storing it only as long as necessary, but the regulation doesn’t exactly define what constitutes “reasonable.”
Patrick Salyer, general manager of SAP’s Customer Data Cloud, said GDPR is more than just an EU regulation but is indicative of a “sea change” in terms of how brands interact with their customers, and what customers expect in terms of transparency, trust and options. He cited the recent issue with Facebook and Cambridge Analytica as a kind of watershed moment in that regard.
Beyond the penalty for non-compliance, brands face other risks from failing to update their consumer data practices, Salyer said.
“Yes, GDPR is a pretty heavy stick – if you don’t get it right, it could be 4% of your revenue,” Salyer said. “But we live in a world where one consumer going online and tweeting about a negative experience in some ways can be a bigger risk. So it’s much more than checking the box on GDPR compliance. It’s a new way to think about how to develop relationships with consumers using your services or accessing your apps.”
The majority of respondents to the SAP Hybris study (56%) said they view GDPR as a responsibility to better protect customer data. Thirty-nine percent see it as an opportunity to provide better customer experiences while 37% view it as a chance to build customer trust and loyalty. Thirty percent saw GDPR as a call to action to overhaul organizational perspectives on customer data. A small percentage (10%) said it was an overwhelming burden they don’t know how to tackle.
The biggest impact of GDPR on customer relationships is increased awareness around data and security issues, cited by 65% of respondents, with increased trust and increased expectations for personalization improvements each cited by 40%.
In the survey, 30% of marketers said they have completed a data audit in advance of GDPR while 25% have partially completed one. This included reviews of the technologies and communication channels used to collect customer data that will be impacted by the directive. Another 20% said they plan to conduct an audit, while 23% are either not sure if their company has conducted one or have no plans to do so.
Of those who have conducted a data audit, 39% said it revealed they were further ahead in compliance than expected, with an equal number saying they had far more points of data collection than they thought. Not surprisingly, a third found customer data trapped in siloed, fragmented systems.