GDPR: A Competitive Advantage?

Gordon Wade, BBLS (NUI), LLM (Dub.), OTCP, Attorney-at-Law (NY), Solicitor (Ireland, England & Wales); Data Privacy Lawyer at PwC Legal Middle East, Dubai, UAE. This article is a (heavily) edited version of a chapter written by the author in the upcoming title, Wade, O’Brien & Hughes, A Practical Guide to Privacy and Data Protection, Chartered Accountants Ireland: Dublin, 2019.

The requirements under the GDPR to enforce a culture of good data protection practice, consistency by design across the organisation in terms of harmonising data systems and implementing data protection and reporting structures should give organisations the incentive to review and update current operational procedures and capabilities. Adherence to the core principles of the GDPR – transparency and accountability – gives an opportunity to turn respect for consent and protection of privacy into market differentiators.

I. Data Analytics

Applying the GDPR practically to the issue of data analytics, we will recall that the core principles of data protection include the requirements that the data in question must be:

·      fairly and lawfully obtained and used;

·      adequate, relevant and not excessive;

·      accurate; and

·      secure.

Similarly, from a data analytics perspective, for the analytical process to work at its true potential, the data involved needs to be:

·      clean;

·      up-to-date;

·      adequate;

·      accurate;

·      relevant; and

·      used in a manner acceptable to customers.

When a data set has all of these qualities, strategic business forecasting and risk management can improve. When an organisation’s data is accurate and current, it can carry out extensive data mining and predictive analytics exercises, giving it the ability to make accurate data-driven decisions, and forecasts on future consumer/customer behaviour and scenarios based on clean, reliable data.

II. CRM Database

The opportunity presented by the GDPR lies in the fact that instead of giving customers a simple yes or no option when asking customers about data, businesses can now provide them with a range of options so that they can find out exactly what they are interested in. Through opt-in consent, businesses can gain insight into each individual’s interests in order to provide them with information that they want to receive and that they value.

Where a business cannot say whether an individual gave GDPR-compliant consent to process their personal data, it cannot process that personal data and should securely dispose of it. By cleansing and fine-tuning the CRM database, the business is left with a database of highly relevant leads and customers who:

·      have actively opted into marketing communications and are genuinely interested in hearing from the business about its products or services;

·      are clearly defined and are more open and engaged;

·      produce higher click-through and conversion rates;

·      are loyal; and

·      are more likely to provide valuable social sharing.

III. Records Management

In order to compile a detailed register of processing activities carried out, an organisation will need to carry out a firm-wide data audit. This audit will enable the organisation to better understand the data that it has, and an organisation that really understands its data will be able to:

·      detect and cleanse the system of ROT data the organisation unnecessarily holds (such as former customer personal data);

·      by removing sensitive ROT data, reduce the business risks associated with the storage and processing of same;

·      minimise the data collected going forward which will help reduce storage costs and generally refine and better organise storage;

·      refine the data management process by implementing a globally searchable and indexed register of personal data held;

·      more effectively and efficiently handle access requests for deletion / right to be forgotten whilst working with accurate, searchable and accessible personal data.

Carrying out a data audit, compiling that data into a properly structured data register that is aligned with how the business actually works, and complementing this with an implemented records management policy that is regularly reviewed, tested and updated can lead to:

·      timely and accurate customer interactions (e.g. responding to access requests);

·      a company that is more agile and responsive to regulatory requests;

·      a company that can react quicker to changes in market conditions to secure a competitive advantage;

·      reduced storage costs by reducing/removing extra copies (data has been streamlined);

·      less wasteful marketing campaigns (fewer bounce backs and higher click-throughs);

·      lower security risks (there is less data in the server); and

·      cleaner, up-to-date, more accurate and more relevant data (key requirements of the GDPR).

IV. IT Security

Under the GDPR, organisations are required to implement appropriate technical and organisational measures to, amongst other things, ensure a level of security for the personal data that is held and processed appropriate to the risks. Consumers worry about the security of the data they hand over to organisations, so companies that can demonstrate that they are committed to ensuring the security of the data they process, and that achieve this through the deployment of privacy-enhancing technologies, will compete more successfully in the market. For example:

·      implementing state-of-the-art security software and privacy technologies will help generate and build customer trust and loyalty;

·      restricted-access security protocols and data compartmentalisation security settings can help to ensure that data is only shared with those authorised which adds a further layer of security to the data; and

·      privacy enhancing technologies such as encryption and pseudonymisation help to ensure that even if there is a breach, the data will still be secure.

V. Reduced Costs

The European Commission stated that the GDPR has the goal of “reducing fragmentation, strengthening consistency and simplifying the regulatory environment, thus eliminating unnecessary costs and reducing administrative burden”[1]. By prompting organisations to retire irrelevant data inventory software and legacy applications and by following the GDPR’s mandate to keep the data inventory up-to-date, organisations can significantly reduce the cost of storing data by consolidating information that is present in silos or stored in inconsistent formats. Further, the organisation can free itself of data maintenance costs, which otherwise would have been incurred in the form of technician-hours and infrastructure maintenance.

VI. Organisational Culture

It is essential for organisations to develop an atmosphere where personnel have a responsible attitude towards privacy and data protection – indeed, creating a culture of privacy is integral to helping employees make decisions that best protect both customer information and the interests of the business. The GDPR introduces at its very core that the principles of accountability and transparency go beyond simply complying with data protection principles – they imply a culture change. Failing to implement a culture of data privacy could mean that:

·      no culture of awareness regarding the importance of (and consequences of not properly handling) personal data is created;

·      staff are not empowered and are left having no idea about what data can and cannot be used for under the GDPR which further undermines any investment made in data and records management tools, IT security etc.;

·      the ability of the organisation to fully demonstrate that it did all that was reasonable in response to a data-related incident is compromised; and

·      it becomes difficult to develop a proper strategic plan because there will not be buy-in from all levels.

Firms that embrace privacy as part of their strategic business culture will have the opportunity to signal to their customers, employees, partners, and other stakeholders that privacy and data protection are core corporate commitments. The UK Information Commissioner, Elizabeth Denham, strongly advocated for a culture of privacy when she said:

“I want to see comprehensive data protection programmes as the norm, organisations better protecting the data of citizens and consumers, and a change of culture that makes broader and deeper data protection accountability a focus for organisations across the UK”.[2]

VII. Data Ethics

E-commerce and the new Digital Age revolve around technology, digitalisation and the exchange of information, which can raise certain ethical issues. Truly ethical organisations do more than just comply with the GDPR; they also follow its spirit and vision by listening to their customers. They implement credible and clear transparency policies for data management which ensure that they are accountable for what they do. They process only such data that is actually necessary, they cultivate privacy-aware corporate cultures and they develop products and services using Privacy-by-Design. Competitive advantage can be secured through:

·      having customers feeling comfortable and safe during their interactions with the brand which builds on those foundations of consumer trust;

·      even deeper brand loyalty, created as customers grow more trusting of how ethically you treat their data, which means customers will more readily adopt new products and services when introduced;

·      increased pace of innovation and collaboration; and

·      a thorough understanding of the data supply chain identifying that third parties, through sales, storage, sharing, or any other means, have access to the organisation’s data[3].

[1] European Commission, Commission Staff Working Paper Executive Summary Of The Impact Assessment, SEC 2012, available at https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=SEC:2012:0073:FIN:EN:PDF at pg. 4.

[2] Elizabeth Denham, UK Information Commissioner, speech given at the Data Protection Practitioners' Conference, Manchester, UK, 6 March 2017, transcript available at https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/03/data-protection-practitioners-conference-2017/.

[3] Kord Davis & Doug Patterson, Ethics of Big Data (O’Reilly Media: California, 2012) at pg. 53.



Richard Self

Leadership and Keynote Speaker and member of the Data Science Research Centre at University of Derby

6 years ago

Probably the greatest competitive advantage will come from following section VII on Data Ethics. We have seen recently the impact of not following GDPR requirements with the problems that Facebook is having as a result of a deeply unethical use of users' data and Google getting a fine from CNIL.

Tony Hughes

Advancing Technology Risk Management

6 years ago

It is more prudent to plan and budget for a potential data related incident than throw money at it after an unplanned and unexpected one.. ??
