The General Data Protection Regulation is a tough regulation and, with the sheer amount of change it entails, most of the impacted companies are prioritising areas that will be compliant on day one of the post-GDPR era. Prakhar Agrawal, assistant vice-president and GDPR practice lead, consulting, at EXL, looks at the avenues available.
The prioritisation criteria a company chooses are the sum total of many factors, such as existing privacy maturity, risk appetite, and the nature of business. A careful reading of the 99 articles and 173 recitals will reveal that the rights and freedoms of individuals are at the heart of GDPR.
As companies define their target maturity state and compliance road map, there is a tremendous opportunity for putting forth their brand as one that customers can trust. Come 25 May, the real beneficiaries will be companies that put customer experience at the forefront of their delivery plan and revisit data processing activities that are likely to cause most detriment to customers.
GDPR offers many avenues for companies to enhance customer experience and the core of customer centricity can be summarised into three facets, as below.
Be transparent and fair
Transparency and fairness are foundational pillars of privacy. Under GDPR, a company will proactively tell its customers what data it collects, how it intends to use it, where it intends to store it, who it intends to share the data with and when it intends to dispose of it, in an easy-to-understand privacy notice. Customers can make informed decisions on whether they want to provide their data, indicating their agreement by opting in and providing valid consent, where relevant. The company will limit data processing to the intended purpose and period.
Being transparent and fair is not a one-and-done exercise; it is rooted in a company’s customer engagement practices. Under GDPR, a company will offer adequate choice and control to customers and allow them to change their preferences at any time. The company will empower customers so they can control their data and the way it is processed, honouring their requests for updating or erasing it.
The company will also need to give details of their data in an acceptable format, facilitate objection to or restriction of specific types of data processing, and allow manual intercession in an otherwise automated decision. Lastly, the company will provide privacy and security-friendly default settings in all its products and services.
Companies are custodians of customers’ personal data and so are expected to act responsibly. Under GDPR, a company will not only take utmost precaution to ensure its data processing is accurate and secure but also be prepared to promptly notify customers in case of a data breach.
The company will also have to provide mechanisms for prompt and fair handling of complaints, provide written responses in cases where its legitimate interests outweigh customers’ rights, analyse and address any envisaged risks and impact to customers prior to undertaking a new data processing operation, and only engage with suppliers that can provide at least the same level of data protection and assurance.
Internally, companies will need to promote a pro-privacy culture and train their staff to handle customer data appropriately.
There is an upswing in GDPR adoption in 2018 and it is unsurprising to see most companies taking a risk-based prioritisation approach, especially as it is well acknowledged that the amount of change is high and there is a need to focus on some areas more than others.
One thing seems certain – GDPR was designed to change the way companies interact with customers, so the real beneficiaries will be companies that put customers at the forefront of their implementation plans. A customer journey is a multi-step endeavour and an individual’s personal data is processed in myriad ways at every step, especially with today’s advanced computing power.
Customer experience starts at the very first step and if a company embeds the three facets in its values, there will be a greater likelihood of onboarding and retaining a customer, which ultimately is the core business objective.