Just about everyone agrees – business regulations are unpopular. Execs dislike the time and money they must spend investing in hardware and software to comply with those that they think don’t apply to their company, don’t help their customers, and don’t improve the business.
So, “the sooner I can get rid of it, the better,” is a pervasive attitude. Execs might decide to add some servers for extra security, but don’t generally see a need to go further.
The approach that many companies are taking to GDPR is akin to the Three Little Pigs fairy tale, where three pigs go out into the world, with the admonition from their mother to “do the best you can in life.” Well, the first two pigs are fun-loving. They quickly build their houses of straw and sticks so they have more time to play. The third pig, who is more serious, takes the time to build his house of brick.
When the Big Bad Wolf comes along, he quickly huffs and puffs apart the straw and stick houses into nothing, but can’t damage the brick house, which keeps the third pig very safe.
What do the three pigs have to do with GDPR? Well, the companies that don’t take the shortcut to quick compliance but put GDPR efforts at the core of their business will be the real winners. Not only will they be in compliance (avoiding those huge fines), but they will have made significant improvements to the structure of their business that can help the company become more efficient, productive and profitable for years to come.
GDPR will have a profound impact on businesses in Europe and the world over. (Yes, US companies … you need to pay close attention to GDPR.) That’s why it needs to be addressed in a thoughtful way that will allow you to transform your GDPR costs into an investment that benefits the business far beyond compliance and fine avoidance.
A do-the-least-possible approach isn’t advisable because:
- What you think is necessary for GDPR compliance initially may not take into account what’s needed down the road, leaving the company non-compliant and subject to fines later.
- Galloping through the initial effort with blinders on misses true business improvement opportunities that can result in growth and profitability.
Many of our customers have decided to use the GDPR initiative to make an investment in company improvements following the privacy-by-design approach.
Deloitte defines privacy by design as a “framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices”.
Here’s an example of how a company can benefit further from an initiative initially adopted for GDPR compliance using customer journey mapping.
For GDPR, you have to know when you ask people for information deemed ‘sensitive’, so that it can be deleted or forgotten later. That means you’ll have to determine the various customer touchpoints where your buyers are offering their personal information. It could be registering for email or text notifications about alerts from your bank, creating an account to check out for a purchase online, paying a bill online or doing a money transfer, etc.
If you have put in place the capability to determine the touchpoints where personal data is collected, it’s not much more effort to identify the rest of the customer touchpoints. This one exercise allows you to map the entire customer journey to understand the privacy implications as well as identify bottlenecks, dissatisfaction points and places where people may abandon transactions prematurely. Now you have a complete picture of the customer journey, so you can take a closer look into the trouble spots and make corrections to improve the customer experience.
It seems very worthwhile to use your GDPR initiative to employ privacy by design as a means to build a strong foundation for continuous process improvement that can help you attract and retain more customers.
In other words, don’t build your GDPR program out of straw or sticks, but use strong, solid bricks.