What do UK data professionals see as the single biggest obstacle to becoming compliant with the new General Data Protection Regulation (GDPR)? It is tempting to name the usual obstacles - technology, skills, staff training. But 62.9% say it is actually agreeing on the interpretation of GDPR, half as many again as pointed to implementing or fixing technology (45%).
That is according to new research carried out by DataIQ in association with Experian which highlights that the main reason why only 15.3% of organisations say they are very prepared for the new law is simply that it is hard to understand. Hardly surprising for a regulation that contains 99 articles, over 100 pages of recitals and which has left much of the interpretation in the hands of the WP29 to deliver. That guidance has been slow in coming, leaving businesses to make decisions on uncertain assumptions.
One way to respond to this is by viewing GDPR as not only enabling consumers with new rights, but also creating a new relationship between them and brands. As Rebecca Hennessy, director of market strategy at Experian Data Quality, says: “Although daunting, the GDPR should be seen as a chance to transform a business for all the right reasons. Its provisions promise to enforce responsible data practices that can only improve relationships with customers.”
What our research reveals is that there are very few places to hide in this new framework, from the frontline of privacy policies to the backroom of data preparation. As consumers become aware of their rights, they will be more critical, demanding and selective of organisations they choose to engage with.
Companies have recognised this with 71.9% either having already reviewed and rewritten their privacy notices in line with GDPR or having this in hand. Transparency is a big aspect of data protection law - and has been under the existing Data Protection Act - but the need to be clearer about the purposes for which data is being collected means organisations can not use blanket terms or vague descriptions. Specific uses have to be explained otherwise data can not be processed.
In our digital economy, data proliferates. Each new channel, service and device throws off new layers of personal information that have great value and can also be very sensitive - that is precisely why the GDPR was introduced in the first place. Getting to grips with what data is being collected, where it comes from and goes to is a major step towards compliance.
“Significant numbers of organisations have identified third parties with whom they share data, performed company-wide data audits, and have classified and documented data types. These are activities that were lacking even just 12 months ago,” points out Hennessy.
During the course of these audits and reviews, organisations will start to become aware of the level of risk that data can potentially introduce into the business. They may even recognise that their existing business model is challenging under the new legal framework.
In fact, one third expect GDPR to have a high level of impact and this anxiety is spread across companies at every level of maturity in their adoption of data and analytics. You could argue that this is simply a realistic perception of the Regulation’s complexity, scope and powers. That much is clear in the fact that only 5% believe there will be little or no impact on their business - most of these are in the Advanced group who may believe they have already got their houses in order.
A counter-argument to this can be found in the capabilities which organisations have around measuring the quality of their data. Under the existing DPA. personal information is meant to be kept accurate and up-to-date, with consumers having the right to make corrections. GDPR adds to this by giving consumers rights to refuse consent to their data being processed and to withdraw consently as easily as it is given. If they discover that their personal records contain errors, it is easy to imagine them exercising those rights as a protest.
Yet 27.9% of companies only measure their data quality at the point when it is used - the most common practice and the very moment when it is too late to do anything about it. This behaviour is as evident among the Advanced and those Reaching maturity as it is among those still in the Early stages of data and analytics adoption.
One fifth of companies do not measure their data quality at all and while this is more typical of less mature data organisations, this should be a basic step for any company processing personal information. Why risk that hard-won relationship with a customer by allowing a simple error to slip through?
Unlike GDPR, data preparation processes and solutions are mature and relatively easy to implement. They fit well into digital environments and have a clearly positive impact on the business. Even better, they can form part of the proof that an organisation is being accountable for the data it holds by showing that it cares about its quality.
Adopting that viewpoint should be at the heart of current compliance projects because the benefits go far beyond just meeting the new law’s demands. As Hennessy says: “We firmly believe the GDPR presents a positive opportunity to transform the way you organise and process your data - increasing the value you derive from it and reinforcing customer-centric business practices that are essential in our data-driven age.”
Access full report, “GDPR and data preparation: Ready to do business?”, by DataIQ in association with Experian.