{"id":22592,"date":"2018-01-15T17:38:00","date_gmt":"2018-01-15T17:38:00","guid":{"rendered":"https:\/\/www.bloomreach.com\/library\/gdpr-a-nightmare-for-cio-cdos-or-a-dream-come-true"},"modified":"2024-09-17T10:14:37","modified_gmt":"2024-09-17T10:14:37","slug":"gdpr-a-nightmare-for-cio-cdos-or-a-dream-come-true","status":"publish","type":"library","link":"https:\/\/www.bloomreach.com\/en\/blog\/gdpr-a-nightmare-for-cio-cdos-or-a-dream-come-true","title":{"rendered":"GDPR: A Nightmare for CIO\/CDOs \u2013 Or a Dream Come True?"},"content":{"rendered":"<p>If you\u2019re responsible for information, data, or digital strategy and your firm has any business in the EU, the <a href=\"http:\/\/go.www.bloomreach.com\/How-GDPR-Will-Change-the-Dynamics-of-CX.html\">GDPR<\/a> should be keeping you up at night \u2013 and stalking your dreams when you slumber. With the May 25, 2018 enforcement date looming, it may be time for companies without well-advanced preparations to enter panic-stricken fire drill mode. &nbsp;<\/p>\n<p>Still, maybe you\u2019re resting easy. After all, the thing is called the General Data Protection Regulation \u2013 and your firm employs security pros for data protection and a binder full of lawyers for regulatory issues. What\u2019s it got to do with digital strategy and engagement?<\/p>\n<p>&nbsp;<\/p>\n<h3>A Nightmarish Disruption to Business As Usual<\/h3>\n<p>Well, plenty. While it\u2019s normally a very bad idea to poke a hibernating bear with a sharp stick, let\u2019s take a look at some of the bedtime stories that might be helping you sleep \u2013 and delaying a proper response. &nbsp;<\/p>\n<ul class=\"checks checks--large checks--orange\">\n<li>\n<p><strong>It\u2019s just another burdensome compliance layer.<\/strong><\/p>\n<\/li>\n<\/ul>\n<p style=\"margin-left:40px\">As a CIO or CDO, you probably don\u2019t worry too much about Sarbanes-Oxley, or the payment card industry data security standards (PCI-DSS) \u2013 and you shouldn\u2019t. 
But, despite its name, the GDPR is <a href=\"https:\/\/contentadvisory.net\/many-smart-people-stupid-gdpr\/\" target=\"_blank\" rel=\"noopener\">nothing like those kinds of compliance requirements<\/a>. &nbsp;<\/p>\n<p style=\"margin-left:40px\">Instead of an isolated issue concerning financial reporting or electronic payments, the GDPR addresses every single use of the personal data of EU residents \u2013 and thus cuts to the very core of today\u2019s digital business operations.<\/p>\n<ul class=\"checks checks--large checks--orange\">\n<li><strong>The Privacy Shield will protect US firms.<\/strong><\/li>\n<\/ul>\n<p style=\"margin-left:40px\">Edward Snowden\u2019s 2012 revelations about pervasive government snooping and surveillance further exacerbated long-standing EU concerns about transfers of personal data to the US. The Privacy Shield framework (PSF) is intended to allow US firms to \u201cself-certify\u201d that they provide an adequate level of protection for the personal data of EU residents.<\/p>\n<p style=\"margin-left:40px\">But it is dangerously misleading to believe that PSF certification will <a href=\"https:\/\/www.businesstravel-iq.com\/article\/blog\/kevin-iwamoto\/2017\/06\/05\/kevin-iwamoto-are-privacy-shield-members-exempt-from-gdpr\" target=\"_blank\" rel=\"noopener\">\u201cexempt\u201d firms<\/a> from the GDPR. 
In fact, international data transfers are addressed in less than 10% of the regulation (seven out of 99 Articles).<\/p>\n<p style=\"margin-left:40px\">Whatever the fate of the Privacy Shield \u2013 it is <a href=\"https:\/\/www.theregister.co.uk\/2017\/10\/03\/schrems_busts_privacy_shield_wide_open\/\" target=\"_blank\" rel=\"noopener\">under review<\/a> at the European Court of Justice and <a href=\"https:\/\/diginomica.com\/2017\/03\/06\/can-privacy-shield-survive-another-executive-order-trump\/\" target=\"_blank\" rel=\"noopener\">increasingly threatened<\/a> by the current hardline US administration \u2013 US companies still have to meet all of the other data processing principles and new data subject rights spelled out in the GDPR.<\/p>\n<ul class=\"checks checks--large checks--orange\">\n<li>\n<p><strong>It\u2019s all about revising our privacy policy and terms and conditions.<\/strong><\/p>\n<\/li>\n<\/ul>\n<p style=\"margin-left:40px\">This fairy tale has a nugget of truth. The GDPR requires that consent requests and notifications must be \u201cclearly distinguishable from other matters\u201d and presented \u201cin an intelligible and easily accessible form, using clear and plain language.\u201d<\/p>\n<p style=\"margin-left:40px\">That\u2019s in direct contrast with the established habit of burying the privacy policy in long, opaque, and hidden T&amp;Cs that are designed to discourage reading, let alone comprehension. 
(PayPal\u2019s T&amp;Cs are \u2013 or at least were \u2013 <a href=\"http:\/\/www.dailymail.co.uk\/news\/article-2118688\/PayPal-agreement-longer-Hamlet-iTunes-beats-Macbeth.html\" target=\"_blank\" rel=\"noopener\">longer than Shakespeare\u2019s Hamlet<\/a>.)<\/p>\n<p style=\"margin-left:40px\">But beyond putting marketers and CX experts in charge of writing consent requests (as I argued at&nbsp;Bloomreach\u2019s recent <a href=\"https:\/\/twitter.com\/mathijsbrand\/status\/938784326833070082\" target=\"_blank\" rel=\"noopener\">Connect event in Amsterdam<\/a>), firms will also have to practice \u201cdata protection by design and default\u201d (DPbD).<\/p>\n<p style=\"margin-left:40px\">Practically, this means that every business process that in any way touches EU personal data must have privacy and data protection <a href=\"https:\/\/contentadvisory.net\/gdpr-design-challenge-open-letter-designers-agencies\/\" target=\"_blank\" rel=\"noopener\">\u201cbaked in\u201d from the very beginning<\/a> \u2013 literally from the moment a marker first touches a whiteboard in a digital strategy or customer engagement brainstorming session.<\/p>\n<p style=\"margin-left:40px\">Moreover, demonstrating the commitment to DPbD entails embracing the \u201cprocessing principles\u201d of Article 5, which include the requirement for \u201cdata minimization\u201d \u2013 using the smallest possible amount of data for the shortest possible time and deleting it as soon as possible afterwards.<\/p>\n<p style=\"margin-left:40px\">That is, to say the least, out of sync with today\u2019s digital \u201cbest practices\u201d that encourage firms to collect as much data as they can and reuse it without limit.<\/p>\n<p>&nbsp;<\/p>\n<h3>A Dream Realized (At Last)<\/h3>\n<p>But wait . . . putting customers at the center of your business? 
That sounds very much like the elusive goal pursued by most businesses for the last decade, celebrated by Forrester as the \u201c<a href=\"https:\/\/go.forrester.com\/blogs\/12-05-22-outside_in_the_power_of_putting_customers_at_the_center_of_your_business\/\" target=\"_blank\" rel=\"noopener\">outside-in<\/a>\u201d approach that is a prerequisite in an environment where the quality of the customer experiences you offer matters far more than the features of your product.<\/p>\n<p>But a funny thing happened on the way to the customer experience revolution. Namely, it didn\u2019t happen. Accenture\u2019s 2017 Global Consumer Pulse Research again confirms what their annual surveys \u2013 and other key sources like Forrester\u2019s <a href=\"https:\/\/go.forrester.com\/blogs\/the-us-customer-experience-index-for-2017-cx-quality-worsened\/\" target=\"_blank\" rel=\"noopener\">CX Index<\/a> \u2013 have documented for years: despite all of the time, effort, and budget expended on improved CX, consumers are less satisfied with the experiences they are offered.<\/p>\n<p>Indeed, Accenture <a href=\"https:\/\/newsroom.accenture.com\/news\/us-consumers-turn-off-personal-data-tap-as-companies-struggle-to-deliver-the-experiences-they-crave-accenture-study-finds.htm\" target=\"_blank\" rel=\"noopener\">diagnoses a \u201cvicious circle.\u201d<\/a> Consumers expect and demand ever more personalized and relevant experiences but at the same time they are anxious and concerned about how their data is collected, used, and shared.<\/p>\n<p>(And, we could add, they are ever more willing to act on their concern by deploying ad- and tracking-blockers, activating advanced privacy settings in browsers, and providing fake information in online forms.)<\/p>\n<p>In other words, there is a gap \u2013 if not a yawning abyss \u2013 between the qualities consumers desire in their interactions with sellers (e.g., a sense that they are known, recognized, and valued) and the way sellers have developed to 
deliver those qualities (e.g., rampant data collection, aggregation, and tracking).<\/p>\n<p>By insisting that consumers should be in control of their own data \u2013 that is, by effectively making customer-centricity a legal requirement \u2013 the GDPR breaks the vicious circle, interrupts the dogmatic slumber of so-far ineffective customer experience management, and opens a new path that can allow sellers and buyers to build trust-based, mutually beneficial relationships.<\/p>\n<p>That\u2019s a journey that can\u2019t seriously get started without the leadership of CIOs and CDOs.<\/p>\n<p>&nbsp;<\/p>\n<p><em><sup>1<\/sup>The final text of the GDPR is available in English and 23 other languages at <a href=\"http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=consil:ST_5419_2016_INIT\" style=\"background-color: rgb(255, 255, 255);\" target=\"_blank\" rel=\"noopener\">http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=consil:ST_5419_2016_INIT<\/a>. On the conditions for consent, see Article 7 and Recital 32.<\/em><\/p>\n<p><em><sup>2<\/sup>GDPR, Article 25 and Recital 78. The practice is better known as privacy by design.<\/em><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you\u2019re responsible for information, data, or digital strategy and your firm has any business in the EU, the GDPR should be keeping you up at night \u2013 and stalking your dreams when you slumber. 
With the May 25, 2018 enforcement date looming, it may be time for companies without well-advanced preparations to enter panic-stricken [&hellip;]<\/p>\n","protected":false},"author":138,"featured_media":16842,"template":"","ew-regions":[],"ew-solutions":[],"library_type":[513],"library_blog_tag":[],"industry":[],"channel":[],"topic":[],"class_list":["post-22592","library","type-library","status-publish","has-post-thumbnail","hentry","library_type-blog"],"acf":{"library_blog_banner_content":"","library_blog_banner_cta1_text":"","library_blog_banner_cta1_href":"","library_blog_banner_cta1_new_tab":false,"library_blog_banner_cta2_text":"","library_blog_banner_cta2_href":"","library_blog_banner_cta2_new_tab":false,"library_blog_banner_bg_color":"#EAF7FE","library_blog_banner_cta_text_color":"#FFF","library_blog_banner_cta_bg_color":"#019ACE","library_blog_banner_cta2_text_color":"#000","library_blog_banner_cta2_bg_color":"#FFF","library_blog_chatgpt_content":"","library_blog_chatgpt_cta_href":"","library_blog_chatgpt_cta_text":"Ask 
ChatGPT"},"_links":{"self":[{"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/library\/22592","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/library"}],"about":[{"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/types\/library"}],"author":[{"embeddable":true,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/users\/138"}],"version-history":[{"count":1,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/library\/22592\/revisions"}],"predecessor-version":[{"id":49888,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/library\/22592\/revisions\/49888"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/media\/16842"}],"wp:attachment":[{"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/media?parent=22592"}],"wp:term":[{"taxonomy":"ew_regions","embeddable":true,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/ew-regions?post=22592"},{"taxonomy":"ew_solutions","embeddable":true,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/ew-solutions?post=22592"},{"taxonomy":"library_type","embeddable":true,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/library_type?post=22592"},{"taxonomy":"library_blog_tag","embeddable":true,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/library_blog_tag?post=22592"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/industry?post=22592"},{"taxonomy":"channel","embeddable":true,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/channel?post=22592"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.bloomreach.com\/en\/wp-json\/wp\/v2\/topic?post=22592"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}