Every second, vast amounts of information are transmitted across the globe. The number of Google searches, social media messages, customer orders and emails sent in a mere 60-second time frame is truly phenomenal. Smart Insights recently revealed that approximately 3.3 million Facebook posts, 29 million WhatsApp messages and over 149,000 emails are sent every minute. With this rise in data flows and volumes, data protection and privacy have become vital components of business practice.

Data and the customer experience

Alongside the data revolution is a notable difference in customer experience (CX) programmes, with personalisation strategies and functionality becoming core components of CX today. Coca Cola’s ‘named’ bottles took the social media world by storm when they were first introduced, and Amazon regularly provides customers with customised content. In order to meet the customer demands of today, businesses are collecting and analysing more and more personal customer data.

Importance of data protection and privacy laws

While the internet is recognised as critical for the majority of economic and social activities across the globe, policymakers and consumers are becoming increasingly aware of its vulnerability. The only way citizens and consumers will have confidence in both government and businesses, is if there are strong data protection laws and regulations in place.

While there are common themes and similarities to the laws introduced by different countries, there are also variations in the levels of security, requirements, penalties and even interpretations by regulators and auditors. To effectively safeguard personal information across markets worldwide, global operating companies must understand all risks and legal responsibilities across a range of data protection laws.

Difference in global data protection laws

The European Union (EU) has stood out for its comprehensive approach to data protection in recent years. The General Data Protection Regulation (GDPR), effective from early 2018, will impact any business selling goods and services in Europe specifically those that store, process or transfer any kind of personal data of EU. The regulation will revamp the way information is collected from customers and used by businesses and is expected to cement privacy rights for 500 million EU residents.

Under the GDPR, Member States are given some flexibility to pass local laws and further specify the GDPR’s application. Germany, already known to have the most stringent data protection laws, is the first to do so, and more EU Member States are expected to follow soon. While harmonisation is the ultimate goal of the GDPR, there are still going to be some variations between member states.

The German Federal Parliament recently adopted the new German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG) effective from May 2018. The new BDSG intends to protect personal data from being processed and used by federal authorities and private bodies. It further imposes specific data processing requirements with respect to video surveillance, and consumer credit, scoring and creditworthiness.

France, however, protects data privacy of its citizens through The Data Protection Act (DPA) of 1978 (revised in 2004) and applies to the collection of information used to identify anyone. The rules apply to anyone collecting data located in France or those carrying out activities in an establishment in France.

How can companies cope with global disparities in data protection?

A recent Veritas survey of technology decision makers, noted that individuals responsible for implementing a GDPR process also face a variety of risks if data is not handled properly. The survey showed that close to 40% of companies were fearful of a major compliance failing within their business, and just under one-third (31%) were concerned about reputational damage from poor data policies. Given existing variations in implementation, companies will need to focus not only on the GDPR itself, but also on national law, as they prepare their compliance efforts. Given that the UK has one of the largest economies in the world, it is undeniable that these strict laws will have an impact on global business operations.

In order to continue executing superior customer experience strategies that mirror demands of personalisation today, decision-makers must be wary of the differences in data protection laws in different markets. In practice, the first step towards successful compliance will be for businesses and their respective decision makers to know where their information resides and from where it’s being accessed. For companies with different office locations, the challenge will be working out which part of the data these changes apply to and determining which information currently residing in branches will have to be centralised to a geographical location compliant with the law.

Global and local businesses must ensure that any form of customer data is collected and stored in compliance with different countries’ data protection laws. Tokenisation is one way to do this. In this process, customer feedback is stored on a server hosted within the approved geography. Any data that is categorised as personal is encrypted and stored via a sophisticated cloud service housed on a server in the same or another approved geography, and then a token representing that data is created. When required, that personal data can be utilised on the fly from the cloud service using the associated token and presented directly to the requestor without being stored on any other servers.

It is vital that businesses allocate resources and educate themselves on the steps needed to comply with future regulations. Conducting comprehensive risk assessments in 2017 can help companies identify and fill gaps in existing data protection programmes. It is important to understand that some may need a full year to remediate, implement and test compliant procedures and policies, which may even include the purchase of new technology.



By James Bolle, vice president and head of client services EMEA at InMoment

GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at http://www.gdprsummit.london/

comments powered by Disqus