SHOULD YOU BE CONCERNED BY THE EU GENERAL DATA PROTECTION REGULATION?
Privacy rights existed in the past. What happens with the new EU legislation (GDPR) is a re-qualification of some of the principles of privacy, the addition of obligations and higher fines for companies as well as the strengthening of the individuals’ rights.
It is relevant for Swiss companies because, in a globalized world, it is rare to have no interaction at all with European individuals. Furthermore, other jurisdictions, including Switzerland, will follow with similar rules.
Is that a heavy burden for companies? No. With a positive approach in mind, companies can turn these new obligations into a competitive advantage.
This article focuses on the reasons why GDPR applies to companies in Switzerland and on what the priorities are when making the journey towards compliance. This journey matters for the long term, and the new obligations may be turned into opportunities.
WHY DOES GDPR APPLY TO YOU AS A SWISS ENTITY/CORPORATION?
The new EU regulation applies to the personal data of individuals, from employees to clients and customers, as well as to third parties interacting with a company: influencers, spokespeople, journalists, candidates, etc. Most principles are not new; the current pressure on companies therefore comes from:
- the increased powers granted to regulators to enforce the new rules and impose significant fines for non-compliance,
- the application of the EU regulation to companies that control data of EU customers, regardless of the company’s location,
- the presence of confidential and sensitive data, which means increased risks and a greater likelihood of scrutiny by regulators.
While much personal data will be collected on the basis of a legitimate interest or of the relationship between the individual and the company, personal information used for marketing, sales and prospecting purposes is also essential to businesses.
GDPR challenges the processing of behavioural data (e.g. data collected from general website browsing) and transaction-related data (e.g. logging into an account to complete a purchase). These activities are rich sources of information used to build customer profiles and segments. Institutions will need to review how they have obtained consent from clients and customers before continuing to collect data (the so-called opt-in). They also need to be aware that consumers may at any time request that the company permanently delete the data used for marketing purposes across all systems. Ultimately, this requires an internal set-up to erase or archive the data in question.
As mentioned, the risks of non-compliance can lead to monetary fines. Most important, however, is the potential damage to the company’s reputation.
WHAT ARE THE PRIORITIES WHEN MAKING THE JOURNEY TOWARDS COMPLIANCE?
It is important to focus on the data processing activities where individuals’ rights are most at risk, or most likely to be scrutinized by regulators and the public. We suggest starting with an inventory (also called data mapping) to assess the risks of being a data controller and to set an action plan to mitigate these risks.
DESIGNATE A LEADER AND MAP THE ACTIVITIES
Designating a leader for the journey is key. It can be a compliance officer, but also a cross-functional team involving legal, compliance, IT, HR and marketing stakeholders. The interests of all stakeholders need to be taken into account. Companies are often surprised by how much data is shared among business entities beyond the original purpose of collection. For example, employees’ data can be used by the security team to control access to the company’s buildings; email contacts of clients managed by the marketing team might be of value to the communication team, etc.
Information arising from the mapping exercise allows your organization to classify the nature of the data and to deploy adequate protection measures. Categories such as sensitive personal data (related to health, religion, etc.) require an extra layer of protection. Data that was once personal might have gone through anonymization and, as such, is no longer relevant for GDPR compliance. Lastly, pseudonymized data is data that can no longer easily be attributed to a natural person; however, this categorization does not override the requirement for appropriate security measures.
RISK ASSESSMENT OF DATA COLLECTION
The collection of personal data is linked to the company’s field of business and to the opportunities it sees in this information. Not every activity is relevant for GDPR compliance, and it is worth taking the time and effort to map out the core business activities judiciously.
For example, when the activities relate to data of corporate customers, the resulting impact on privacy might be low to medium, because the type of personal data is limited to professional information about the representative of the corporation (such as a professional email address or office location).
On the other hand, the impact might be high where personalized services and individual client interaction are essential: complementary services offered by a bank to its most valued clients, “concierge” services, etc. This data is personal, if not sensitive, and it is often stored in an unstructured environment.
Policies and clear guidelines are part of any compliance program. GDPR gives companies the chance to structure processes and continue to utilize individuals’ data. Here are a few examples of actions:
- Client information management: how do you collect personal data pertaining to the “client environment” (e.g. family information, browsing behaviours, cookies tracking for targeted advertising)?
- Retention and deletion: How do you manage the life-cycle of the data? What happens when the original purpose is fulfilled, or the service contract terminated? Or when the legal requirements to keep the information have lapsed?
Internal systems must allow deletion or anonymization in an automated manner or upon request from individuals. Good intentions need concrete steps.
- Information duties: Do you have a clear and transparent message about how you process personal data? We are moving from legalistic notices that no one reads to user-friendly communication. This also covers the proper handling of individuals’ complaints and requests.
Internal governance on privacy: Companies must revise their internal practices for the management of personal data. No one starts from zero, but a few steps must be considered:
- The relevant data processing activities must be documented.
- Data breach processes need to be reviewed to allow notification of a loss or unauthorized disclosure within 72 hours. If individuals are affected by the breach, they will have to be notified as well. Besides potential fines, a badly managed crisis damages the reputation of the company.
- Data protection officer: Consider whether your company processes special categories of personal data, monitors people systematically on a large scale, or uses profiling for automated decisions. You must nominate someone to “pick up the phone” and drive compliance internally.
- IT involvement: IT is crucial to assess and approve the technical and organisational security measures. Do these measures cover internal data protection procedures, audits and access control to the systems?
HOW COULD YOU TURN THE NEW OBLIGATIONS INTO OPPORTUNITIES FOR YOUR COMPANY/INSTITUTION?
A well thought-out organization and control benefit the whole company. Better compliance and personalized marketing are not mutually exclusive. A lean and deliberate approach will support marketing in focusing on the data that is relevant. Disposing of data mitigates security risks, and it also helps ensure that irrelevant data does not make its way into a future marketing message.
An appropriate database structure will avoid duplicated processing and lead to a smooth data flow with effective cost reduction. It might also permit the archiving of legacy databases, which in turn frees space in storage environments.
Finally, a transparent communication strategy towards privacy of individuals can create an additional competitive advantage.
We recommend integrating ‘privacy’ as a core principle of your company. In the long term, best practices such as privacy by design, privacy impact assessments and the right legal set-up with third parties that have access to data will ease the daily work of effectively collecting and managing data. Broad collection benefits no one and, to some extent, GDPR helps to focus.
Compliance is certainly a critical objective, considering the complexity of transforming data structures within the organization. Nevertheless, the opportunity goes beyond the avoidance of fines: businesses can take a proactive stance on data protection and privacy communication and make them a true market differentiator.
– Caroline Perriard, BRANDIT Consult