GDPR: How much customer information held by a business is so old or out of date that it is no longer relevant or valuable? If a company has been trading for more than 20 years and has never actively cleaned or purged its data, I would be willing to bet that as much as 60% of the information it holds is effectively useless. The customer’s account may have closed, or the point of contact no longer works there.
So, why hold on to it? That is not just an academic question, now that the General Data Protection Regulation (GDPR) is almost upon us. As the biggest change to data protection rules in a generation, the regulation asks much more of organisations to ensure they protect individuals’ right to privacy. Complying with the regulation starts with organisations understanding what personally identifiable data they hold, and all the places where they store that information.
Earlier this year, the Office of the Data Protection Commissioner surveyed 500 businesses in Ireland about their preparedness for GDPR. It discovered that 67% of all businesses have not assessed what data they hold, and 57% have not asked themselves why they hold it. Although 69% of small to medium businesses have heard of the regulation, 78% had not identified actions they need to take to become compliant.
GDPR comes into force from next May, but it is never too soon to start adopting a more structured approach; specifically, quantifying all the data a business holds, and eliminating any unnecessary records. Unlike some, I don’t see this task as a burden, but as a break from the old ways. I think many companies will look at this as an opportunity to sanitise their databases, to keep only the information that is both usable and useful, and to store it in a manner that complies with the regulation.
I think the more we talk about GDPR, the less ambiguity there will be around what the regulation obliges companies to do. The first thing to understand is just how broad the definition of personally identifiable information is. HR files with staff details, and the records held by sales, marketing and accounts teams, are obvious areas, but the regulation also includes images, web URLs and even IP addresses if they can identify an individual.
Once that ‘cleaning’ exercise is done, it presents an ideal opportunity to talk to customers again or, in some cases, resume contact with old ones. Under GDPR, businesses must obtain the correct permissions from customers for the data they hold about them. I think we are going to see a return to personal customer relationships and a reduced reliance on blanket mailing and databases. The full sales experience, in other words. Eliminating old records will make businesses more efficient; resuming contact with customers could identify leads and new revenue streams.
Legislation can be a powerful tool to drive a cultural change, so let us see GDPR in that light: a chance for organisations to embrace digital transformation.
Let us go back to our example of a business that has been going for two decades or longer: it is very likely that a fair percentage of the data they have is in paper format. Now is a perfect moment to consider a digital-first document strategy that scans paper forms at the point of entry. At Squareone, we provide Fujitsu A3 and A4 departmental document scanners, combined with document management tools from partners such as EASY Software. EASY’s German sister company, Otris Software AG, has been delivering a proven solution for the past 12 years, by meeting stringent requirements of German protection laws. Fujitsu has been working hard with software partners to help facilitate moving companies’ records from paper to digital ahead of GDPR’s arrival next year.
Moving to a paperless strategy delivers immediate business efficiencies and helps manage compliance with GDPR. Once the documents have been scanned, the business has controlled access to them. They are easily searchable, and access is locked down to only those users with appropriate permissions. An audit trail comes as standard, and data retention periods are controlled from day one. Both features meet requirements around proving compliance, as specifically laid out in GDPR.
There are barely six months left before data protection authorities across Europe start enforcing GDPR. All indications are that they will take non-compliance seriously. Even in relative terms, fines of up to 4% of annual turnover could cripple a small to medium sized business. And when there is commercial upside and business efficiency to be gained by becoming compliant, the choice to do the right thing by your data is a clear one.