After two years of anticipation, the General Data Protection Regulation 2016 (GDPR) came in to force on 25th May 2018. Prior to this, the last impactful piece of data protection legislation was the Data Protection Act 1998. Since then, the technological landscape has evolved immeasurably, and businesses are constantly seeking new avenues within which to get ahead of competition. With a majority of organisations admitting that they simply were not ready for the evolutionary move in the world of data protection that is GDPR, it might have been difficult to see the positive impact that this piece of legislation could have not just in relation to data protection, but upon business as a whole. Not only does GDPR evolve the way in which personal data is protected, it acts as a foundation for wider development in customer relations.
If you ask any well-meaning business, they will confirm that the consumer is at the heart of everything that they do. This ethos is reflected by GDPR in that the data subject (i.e. consumers) is at its epicentre and the very reason for its existence. The legislation is quite openly aimed at businesses and consumers alike, entrenching the harmonisation of individuals’ rights, but it is most important to remember that at a basic level, the GDPR allows consumers to take back control over their personal data. Data protection provisions can no longer be embedded within terms and conditions which are as equally confusing as the provisions themselves – with data subjects now having the right to know where their personal data is and what it is being used for, the attentions of businesses should now be turned to the attraction of consumers through compliance with data protection laws.
Those viewing GDPR as a costly compliance exercise are largely missing the strategic point of the legislation. It is encouraging businesses to embrace the dynamic of power and understand the new context of the customer relationship, allowing the control over personal data to flow freely back into the hands of the data subject. Moving with this shift without restriction is the first step in businesses building trust with consumers, and consequently making the first move in improving customer relations.
Customer service, much like data protection, is not a new founded concept and the aim is not to re-invent the wheel. The existing data protection measures are being built upon, and so most of what businesses do already will lend itself to an easier transition into GDPR territory. Consumers generally are competent at recognising when they have been wronged in relation to both data protection and customer service, and so the time is now to recognise that both go hand in hand to serve as a catalyst in improving the relationships between consumer and business. GDPR encourages businesses to consider ‘what would the consumer expect?’, ensuring that the gravity for all decision-making is the protection of consumers’ personal data.
GDPR confers eight rights upon data subjects, all of which must be facilitated by businesses in order to avoid financial penalties and other corrective measures from the Information Commissioner’s Office (ICO). In some cases, these rights merely enforce a legal obligation upon businesses to act upon the requests of consumers in the same way as they would have done per-GDPR. Take the right to rectification: any organisation which is interested in delivering an effective service would immediately act on an instruction from a customer to update personal information which is directly linked to service provision. Rectifying incorrect or out of date details is a simple request which businesses deal with every day without question. This is common sense. However, under GDPR the failure to act upon such a request from a customer could see cause of action from the ICO. This example highlights how GDPR is indirectly pushing businesses to deliver good customer service. That has to be a positive side effect.
Taking a more holistic view, the maximum penalty bracket under GDPR is 4% of global annual turnover, or €20 million. This higher level of fine is aimed at those businesses whom fail to facilitate the rights of data subjects. At a lower level, there could be serious consequences should businesses not act in accordance with the best interests, or upon the instructions of, their consumers. In the background, GDPR is encouraging businesses to do more for their customers, and the enhanced levels of data protection in turn build trust within that relationship.
With the world becoming ever more concerned about its personal data, and who is doing what with it, data protection is quickly becoming an important comparison point for consumers examining in contrast competitor businesses. Compliance with GDPR, and demonstrating a commitment to data protection by design and default will soon not only become an important factor for consumers when making their choice of service providers, but it will assist in the growth of many businesses due to the increasingly significant importance of personal data to business development.
Whilst GDPR has been the largest legislative hoop for businesses to jump through in a long time, it is clear that even this compliance cloud has a silver lining. GDPR aims to futureproof data protection; it is here to stay. And so rather than admitting defeat, businesses should take into consideration the underlying benefits of complying with this new legislation. It is clear that compliance with GDPR, and enhancing existing data protection measures, will in the short term improve customer relations. Looking ahead, compliance will serve to give businesses a competitive edge in their markets as consumers become increasingly demanding of trustworthy data protection.
For more information visit the Brookson Legal website.
Blog written by Joe Tully, Managing Director – Brookson Legal Services