GDPR and the Customer Identity Imperative
As if news of Brexit and The Donald isn’t already enough to shake things up in Europe and the United States, respectively, we can also look forward to the impending temblor known as the European Union’s General Data Protection Regulation (GDPR).
Once May 2018 rolls around, GDPR will take effect and force a change in how personal data is handled — for both European organizations and non-EU organizations processing EU customer data. And while it promises greater strides toward protecting EU customers’ data, it’s not without some collateral consequences. Specifically, it poses new challenges for businesses in how they balance regulatory requirements with meeting consumer demands and expectations in the Digital Age. For example, it might have some marketers asking, “How can I deliver a personal experience across touchpoints if I can’t gain access to and use customer data?” So, with this in mind, it’s time organizations take another look at how they currently manage consumer identities. Ideally, in 2017, they will adopt processes and technologies that support both the updated data protection framework and their business need for positive online interactions with customers.
The GDPR borrowed liberally from its predecessor regulations, so not everything in it is new. But it does strengthen and significantly increase regulatory requirements, giving consumers more rights than ever. For example, the GDPR requires mandatory consent, definition of purpose for the use of personal data, and the right to be forgotten. In other words:
- Organizations must obtain consumer consent before any personal data can be processed.
- Consent must be given for each use if the data is to be used for several purposes, and there must be technical evidence that consent was given.
- The right to be forgotten (which was already in existence) now includes the right to freeze data processing and the right to export personal data and edit it.
It’s clear that, from a compliance perspective, an organization’s ability to identify the customer and enforce his or her preferences and consent decisions across devices and touchpoints is more important than ever. But it’s also true from a business perspective. Why? In the Digital Age, personalization and trust are the name of the game — and quite frankly, the best way to gain and keep customers and nose out the competition. Winning the hearts and minds of customers begins with closer online relationships characterized by three core elements: convenience, trust and personalization. This means that interactions must be easily navigable; the customer must believe that the organization provides a quality product or service and is transparent in how his or her data will be used; and the organization must take time to customize interactions with its customer.
Along with the carrot of encouraging deeper customer relationships, GDPR wields a big stick: Violations can result in fines up to 4 percent of annual revenue or 20 million Euros – whichever is greater.
To better support the balance between compliance, user consent and delivering the best possible customer experience, organizations’ approach to managing consumer data must evolve. At the very least, it requires a move from point solutions or siloed consumer data management to a centralized customer identity management platform. This will ideally provide the following:
- Advanced profile management with end-user preference management options
- Ability to build complete consumer profiles (correctly link various login credentials to a single consumer across an organization’s entire range of back-end systems, including CRM, ERP and others)
- Customized registration and login flows that are compliant with each region’s specific mandates (and also easier to navigate — and tolerate — for customers)
- Ability to conduct data protection impact assessments
- Timely breach notifications and incident management
With May 2018 here before we know it, there’s no better time for organizations to find and implement advanced customer identity management platforms and establish the proper processes. Doing so will ensure regulatory compliance, foster strong relationships and trust between an organization and its customers, and ultimately make the transition to GDPR as seamless as possible. We’ll see if the other transitions in the near future will go as smoothly.
About the Author
Patrick joined Gigya in 2007 and has led the company's vision, strategy and operations. Before joining Gigya, Patrick co-founded a social applications company and served as a consultant for L.E.K. Consulting, a strategy consulting firm. Patrick holds a bachelor's degree from Harvard University.
Edited by Alicia Young