Forrester Principal Analyst Fatemeh Khatibloo examines the impact of the new General Data Protection Regulation (GDPR), which rewrites privacy rules and converts privacy as a human right to a force of market disruption.
Fatemeh Khatibloo, Principal Analyst
One year. That is how much time companies have to internalize and act on the far-reaching new set of privacy rules formed via the GDPR. Every organization doing business with EU customers — regardless of its location — will need to make changes to its oversight, technology, processes, and people to comply with the new rules.
It is hard to overstate the impact of GDPR. Take one point: data. For most industries and companies, data is the new currency, enabling companies to create new customer value, products, and experiences. But GDPR vastly complicates that equation.
Thanks to the new regulation, EU citizens have the right to be forgotten. That means, upon a customer’s request, companies will need to wipe clean (and certify those results) all of that customer’s data across the enterprise — including all systems of record, systems of insight, and systems of engagement — raising the bar for data governance well beyond most companies’ capabilities. Organizations are still working to understand, federate, and use diverse, dispersed, and dynamic customer data. However, by May 25, 2018, companies need to be able to work at scale and with precision to erase all data on a single customer and certify that result.
Forgetting customers is only one of six core mandates of GDPR. GDPR also requires companies to:
- Notify the relevant data protection authority of a breach within 72 hours.
- Forget a customer when requested by the customer (as noted above).
- Remove ambiguous consent of data collection; consent opt-in will remain the default option.
- Relate the collection and/or processing of personal data to one or more specific purposes.
- Positively verify that someone is of legal age to sign up for service (giving children the explicit right to privacy).
- Expand privacy accountability and liability to all partners in the ecosystem.
The combination of empowered customers and the pace of digital disruption, let alone the growing specter of cyberthreats, is a potent brew that will put companies on the defense. GDPR adds a layer of complexity to the mix that will severely test companies.
In this episode, Fatemeh Khatibloo describes the implications of GDPR and provides pragmatic guidance on how companies can prepare for compliance.