
GDPR: what impact for companies outside the EU?

Consumers have long wondered what Google and Facebook know about them, and who else can access their personal data. But the giants of the Internet have always struggled to give clear answers to these questions, even to one as simple as “Why is this advertising shown to me?”.

After four years of preparation and debate, the GDPR was approved by the EU Parliament on 14 April 2016. It has applied since 25 May 2018, replacing the Data Protection Directive 95/46/EC, which was itself an earlier attempt to reconcile the divergent privacy rules of the EU member states.

In this article we will go through the purpose and scope of the GDPR, then see why the GDPR should be viewed as an opportunity for companies. We will also compare the GDPR with the local laws of Singapore and Hong Kong, and finally go through the actions a company has to complete to be compliant and how CIAM (Customer Identity and Access Management) software can help.

[Image: GDPR illustration, designed by makyzz]

1. The GDPR aims to give EU data subjects control over their personal data

It is designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of everyone in the EU, and to reshape the way organizations across the region approach data privacy.

The GDPR is built on an older set of principles that still hold true today: the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted in 1980 by the OECD, of which both the United States and the European member states are part. They are articulated around 8 principles:

  • Collection Limitation Principle
  • Data Quality Principle
  • Purpose Specification Principle
  • Use Limitation Principle
  • Security Safeguards Principle
  • Openness Principle
  • Individual Participation Principle
  • Accountability Principle

These guidelines were used as a basis by many nations to define their data privacy laws. But they were only guidelines, and the Directive 95/46/EC that followed them still had to be transposed into national law by each member state, so the level of data protection varied widely across the EU. As a regulation rather than a directive, the GDPR applies directly in every member state, without transposition.

2. Why does it concern even companies not based in Europe?

The regulation affects any organisation processing the personal data of people in the EU, wherever the organisation is based. Under Article 3, a company with no establishment in Europe still has to comply when it offers goods or services to people in the EU or monitors their behaviour, and it must understand how the regulation applies to its processing of EU residents’ personal data.

The GDPR protects the data of anyone who is in the EU, citizen or tourist. As long as an individual is in the EU, the personal data of that person is covered by the GDPR, whatever their nationality.

A survey released in January 2018 showed that only 38% of UK organisations had heard of the GDPR, and that among those aware of the regulation only 25% had updated their processes to become compliant.

3. Is the GDPR a threat to your company or a way to improve your business?

Of course, there is a cost for every company to comply with the regulation. Most companies see the GDPR as a constraint: they hold a huge amount of data about their customers, collected from the customers themselves along their journey or from other sources such as social media. But companies should seize the opportunity offered by the GDPR to do business more efficiently, to secure their customers’ data and to be more competitive.

The GDPR is an opportunity to strengthen your cybersecurity. The regulation requires you to be able to detect a personal data breach and notify the supervisory authority within 72 hours of becoming aware of it (Article 33), which is one more reason to improve your detection and response capabilities and avoid business downtime due to loss of data. A complete assessment of the IT infrastructure and a healthier data protection workflow are required; this will make security monitoring easier and reduce the attack surface.

Data management is another area of improvement. Identifying your customers’ sensitive data and holding data only for a specific purpose are imposed by the regulation. Companies will have to audit all the data they hold, which will highlight data that is obsolete, redundant or no longer used. This leads to a reduction of the amount of data stored, and finally to a lower cost for storing and processing it. A better organisation of data storage will also improve your employees’ productivity: access and searches become easier, and the data they work with is more accurate.

The GDPR is a great opportunity to strengthen the relationship with your customers by being transparent about how their data is used. This is a very sensitive topic for customers: according to a survey conducted in 6 countries (China, France, Germany, Italy, United Kingdom, United States), half of citizens believe that their information is used for purposes other than those they approved.

Marketing campaign ROI will also improve. The database is cleaner once obsolete and redundant data is gone, and customers give specific consent for a specific purpose. This yields an audience that actually wants information or promotions from your company, and finally a better conversion rate.

The new rules will also probably put pressure on companies to offer the same protection to the rest of their users. Facebook, for example, has pledged to: Mark Zuckerberg said that he will extend the same protections to Americans that Europeans will receive under the GDPR.

4. Main differences with local laws in Singapore and Hong Kong

The impact of the GDPR on businesses in Asia will depend on the gap between local laws and the GDPR. Let’s take a closer look at the main differences between the GDPR and the laws of two countries:

  • Hong Kong: Personal Data (Privacy) Ordinance (PDPO)
  • Singapore: Personal Data Protection Act (PDPA)

Sensitive data
  • GDPR: “special categories of personal data” (Article 9) are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic and biometric data used to identify a person, and data concerning health, sex life or sexual orientation. Processing them is prohibited unless one of the Article 9 exceptions applies (explicit consent, for example).
  • Hong Kong: no separate concept of sensitive personal data in the PDPO, only non-binding guidance from the Privacy Commissioner.
  • Singapore: no separate concept of sensitive personal data in the PDPA.

Consent
  • GDPR: consent must be given by a statement or a clear affirmative action, for a specific purpose, and can be withdrawn at any time.
  • Hong Kong: under the PDPO, an indication of no objection counts as consent (in the direct-marketing provisions).
  • Singapore: explicit consent is not required if the individual voluntarily provides personal data for that purpose (deemed consent under the PDPA).

Accountability
  • GDPR: the accountability principle of data protection law is made a binding obligation (Article 5(2)).
  • Hong Kong: no mandatory accountability principle.
  • Singapore: in line with the GDPR.

Fines
  • GDPR: up to 20 million euros (around US$24 million) or 4 percent of worldwide annual turnover, whichever is greater (Article 83).
  • Hong Kong: except for direct-marketing offences, the fines the Hong Kong authorities can issue are low, HK$100,000 (US$12,780).
  • Singapore: an organisation or person that commits an offence under the PDPA is liable, in the case of an individual, to a fine not exceeding SGD 10,000 or to imprisonment for a term not exceeding 12 months or both, and in any other case to a fine not exceeding SGD 100,000 (US$74,470). In addition, the PDPC can impose a financial penalty of up to SGD 1 million for breaches of the data protection provisions.

5. Practically, what does a company have to do to be GDPR compliant?

First, you must consider the cost of raising awareness and training your employees. As the GDPR is not yet clear to everyone, real evangelisation of your teams is necessary, especially of top management, who can then pass the message on. The next step is to deep dive into your customer journey and the different touch points you have with customers:
  • which information is collected, and at which touch points;
  • whether these touch points are online or offline;
  • how the customer gives consent;
  • whether the information comes directly from the customer or from partners;
  • which systems collect the information, and for what purpose;
  • where the information is stored, and for how long.

The cost of that audit depends on the size of the company, the complexity of the systems, the quantity of data stored, and so on.

The objective of this first step is to obtain a data map and to understand how the data is processed. This first assessment will highlight the gaps between your current practice and the regulation and identify the actions required to be compliant.

The next step is to list the actions that need to be achieved:
  • collect explicit consent from your customers for each specific purpose;
  • store the consents properly, with their context, so you can trace them;
  • minimise the data you collect to what you need to run your operations;
  • make sure you can delete all of a customer’s information on request;
  • clean the database so you only keep information relevant to your operations;
  • be able to detect a data breach, notify it within 72 hours and produce a report.

There are also many changes to implement on your website that will affect the customer journey: updating your T&Cs to tell customers the purpose of the data collection, prompting customers with a message every time you update your T&Cs, letting them request a copy of their personal information, letting them withdraw consent for a specific use, and letting them close their account and erase all their personal information.

CIAM (Customer Identity and Access Management) solutions were already an answer for companies that need to securely capture and manage customer identity and profile data, and to control customer access to applications and services. They provide features such as registration, login, account management, multi-factor authentication and SSO in order to achieve three purposes: let your customers in, recognise them and protect them.

They have since extended their scope to become solutions that help your company address most of the topics required for GDPR compliance.

A CIAM solution helps you gather consent from your customers at the point where it should be requested: when users are asked to enter new personal data. It automates the presentation and recording of consent to T&Cs, privacy policies, cookies, direct marketing and so on.

It also provides version control of consent, so that you always hold an up-to-date record of the consents given by every customer, tied to the version of the policy they agreed to. These consent and preference records can be synchronised with the emailing applications of your architecture, so that all of your company’s marketing campaigns are compliant.

Storage of these consent and preference records is also handled by the CIAM solution, so that they are always available to demonstrate consent (Article 7) and to feed the data protection impact assessments (DPIAs) the GDPR requires for high-risk processing (Article 35).

A CIAM solution also provides measures that support data protection by design and by default (Article 25), with features such as encryption and pseudonymisation. It can generate a report when a customer exercises their right of access, and it keeps a log of every consent the customer has given or withdrawn.
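To make the consent-handling requirements of this section concrete (the actions listed above and the versioning, storage, erasure and pseudonymisation features described for CIAM solutions), here is an added example in Python. It is not code from any CIAM product or from the original article; the purposes, policy versions, customers and the HMAC-based pseudonym are all constructed for the illustration. The ledger is append-only (a withdrawal is a new event, never an edit), consent is only valid for the policy version currently in force, and erasure removes the identifiable records while keeping a keyed-hash trace so the company can still show that erasure happened.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed example data: the policy texts a customer can agree to, keyed by
# purpose, with versions in chronological order. When T&Cs change, a new
# version is appended; consent given for an older version is no longer valid
# and the customer must be prompted again (hypothetical version labels).
POLICY_VERSIONS = {
    "privacy-policy": ["2018-01", "2018-05"],
    "direct-marketing": ["2018-01"],
}


def current_version(purpose: str) -> str:
    return POLICY_VERSIONS[purpose][-1]


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    policy_version: str
    granted: bool      # False records a withdrawal
    timestamp: datetime
    source: str        # touch point where the consent was captured


class ConsentLedger:
    """Append-only consent store: withdrawals are new events, never edits,
    so the full history can be produced for an audit or an access request."""

    def __init__(self, pseudonym_key: bytes):
        self._events: list[ConsentEvent] = []
        self._erasures: list[dict] = []
        self._key = pseudonym_key

    def pseudonym(self, subject_id: str) -> str:
        # Keyed hash: the erasure log cannot be mapped back to a customer
        # without the key (pseudonymisation, not anonymisation).
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()

    def record(self, subject_id: str, purpose: str, policy_version: str,
               granted: bool, source: str, when: datetime | None = None) -> None:
        if policy_version not in POLICY_VERSIONS.get(purpose, []):
            raise ValueError(f"unknown purpose/version {purpose}/{policy_version}")
        when = when or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(subject_id, purpose, policy_version,
                                         granted, when, source))

    def _latest(self, subject_id: str, purpose: str) -> ConsentEvent | None:
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.purpose == purpose]
        return max(matches, key=lambda e: e.timestamp, default=None)

    def has_valid_consent(self, subject_id: str, purpose: str) -> bool:
        # Valid only if the most recent event is a grant AND it was given for
        # the policy version currently in force.
        e = self._latest(subject_id, purpose)
        return e is not None and e.granted and e.policy_version == current_version(purpose)

    def needs_reconsent(self, subject_id: str, purpose: str) -> bool:
        # Customer agreed to an earlier version: prompt again, do not assume.
        e = self._latest(subject_id, purpose)
        return e is not None and e.granted and e.policy_version != current_version(purpose)

    def history(self, subject_id: str) -> list[dict]:
        # What is handed over when the customer requests their consent records.
        return [{**vars(e), "timestamp": e.timestamp.isoformat()}
                for e in self._events if e.subject_id == subject_id]

    def erase(self, subject_id: str, when: datetime | None = None) -> int:
        # Right to erasure: drop every identifiable record, keep a pseudonymous
        # trace so the company can later show that, and when, erasure happened.
        before = len(self._events)
        self._events = [e for e in self._events if e.subject_id != subject_id]
        removed = before - len(self._events)
        self._erasures.append({"subject": self.pseudonym(subject_id),
                               "records": removed,
                               "at": (when or datetime.now(timezone.utc)).isoformat()})
        return removed

    def erasure_log(self) -> list[dict]:
        return list(self._erasures)


def marketing_audience(ledger: ConsentLedger, subject_ids: list[str]) -> list[str]:
    # Filter applied before any campaign: only current, un-withdrawn consent.
    return [s for s in subject_ids if ledger.has_valid_consent(s, "direct-marketing")]


def demo() -> ConsentLedger:
    # Constructed sample: two customers, one T&C update, one withdrawal.
    ledger = ConsentLedger(pseudonym_key=b"keep-this-key-outside-the-database")
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger.record("alice@example.com", "privacy-policy", "2018-01", True, "web-signup", t0)
    ledger.record("alice@example.com", "direct-marketing", "2018-01", True, "web-signup", t0)
    ledger.record("bob@example.com", "privacy-policy", "2018-05", True, "mobile-app", t0)
    ledger.record("bob@example.com", "direct-marketing", "2018-01", True, "mobile-app", t0)
    ledger.record("bob@example.com", "direct-marketing", "2018-01", False,
                  "preference-centre", t0 + timedelta(days=1))
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print("alice must re-accept the privacy policy:",
          ledger.needs_reconsent("alice@example.com", "privacy-policy"))
    print("campaign audience:", marketing_audience(ledger, ["alice@example.com", "bob@example.com"]))
    print("records erased for alice:", ledger.erase("alice@example.com"))
    print("erasure log:", ledger.erasure_log())
```

Two design choices matter here. The marketing filter asks the ledger at send time rather than copying a flag into the mailing tool, so a withdrawal made in the preference centre takes effect on the next campaign without a synchronisation step. And the pseudonymisation key is deliberately separate from the stored data: if the key is kept next to the erasure log, the log is effectively identifiable again and the erasure is incomplete.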

Conclusion

In conclusion, the GDPR should be seen as an opportunity for companies to establish a relationship of trust with customers and to engage them in a sustainable way.

The transparency the GDPR imposes on the collection and use of personal data, and the control it gives back to customers over their information, will allow lasting trust to be built between companies and their customers.

By gathering explicit consent from customers for the use of their data, and by explaining the exact purpose of the collection, direct marketing for example, companies will obtain a better ROI, because their campaigns will answer a specific need expressed by the customer.

Companies should also use this opportunity to extend the protection given to EU data subjects to all their customers, as a mark of goodwill that strengthens their privacy protection. The costs will be incurred in any case for EU subjects, and depending on the customer base, it could also be an opportunity to pool part of these costs and improve brand awareness.