2 new business processes key to GDPR compliance

With the rise of the European Union’s General Data Protection Regulation (GDPR), your customers’ personal data is about to gain a great deal of value. As that happens, your organization will need not only new technologies, but also new processes and behaviors.

We’ve all become more active users of the internet and mobile channels. As we use these technologies in our daily lives, our every keystroke, download and conversation is now digital — and therefore capable of being captured, stored and analyzed, forming our online identity.

If we care about how we’re perceived, profiled and treated in our digital world, we’ll want to protect every aspect of our identity, as well as the data behind it. Personal data could become the currency of the future, and we need to reflect on how this currency is managed.

Identity is the New Money, a book by David Birch, predicted this new direction as early as 2014. As the book points out, to take advantage of this new value, we’ll need new processes and behaviors. Done right, these changes will also create new opportunities for delivering benefits to our customers.

The EU’s new data-privacy rules go into effect in May 2018, which is soon. Compliance will be mandatory for every organization — no matter where it’s based — that serves customers who are EU citizens. If an organization fails to comply, it could face EU fines of either €20 million or up to 4 percent of its annual revenue, whichever is higher.

Of course, before the full wrath of this penalty is imposed, we’d expect there to be evidence of gross negligence and possibly repeat violations. But we should not underestimate what could happen.

The new GDPR requirements are complex, and compliance will be no small task. But smart business and IT leaders will treat compliance as just the first step in a set of tasks that are even bigger and potentially more important.

Step 1: Management of Change

Processes are the key to GDPR compliance. They’re also the key to protecting and retaining your organization’s most important customer and employee data.

The way your organization collects, stores, manages and even deletes customers’ personal data involves processes. But just throwing new technology at these processes won’t be enough to ensure GDPR compliance. You’ll also need to change the decisions, behaviors and actions of your people who are part of these processes. That includes the marketing activity that targets and attracts customers, how you collect and store their personal data, how you inform customers, and how you manage customer expectations regarding what their information will be used for. In short, you’ll need to run the business differently.

For example, GDPR requires organizations to be able to locate, isolate and destroy customer data on request when technically possible. That’s information many organizations currently retain without a clearly defined data-destruction policy.

To meet this requirement, someone in the organization will need to decide that this data will be destroyed. Someone else will need to actually have it erased. And someone else will need to confirm the erasure to the customer’s satisfaction.

These are not only new processes, but also new sets of actions. What’s more, they’re actions that require training. Your organization will need to explain these changes, as well as the new impacts and responsibilities, to all its employees.

Step 2: Opportunities for customer benefit

How you handle your customers’ personal data is increasingly important to the business. In fact, your ability to keep customer data secure and private is now a market differentiator. Given a choice, today’s customers prefer suppliers they believe will protect their personal data. And they avoid suppliers they believe will not, or cannot, protect them.

In the past, customer data was considered free, almost valueless. But with GDPR, among other changes, the value of customers’ personal data is rising fast. It’s now an asset to be protected, shared only with permission, and anything but permanent.

For example, under GDPR rules, when switching mobile operators, a consumer will be able to demand that their former operator remove all their personal data from its files if the operator has appeared negligent — say, by having multiple security breaches in the past, resulting in the theft of customer data.

These kinds of requirements will also place new burdens on organization’s data processes. For instance, GDPR will require that organizations be able to both locate every instance of a customer’s data in their files, and then delete that data at the customer’s request.

Also, as the value of personal data rises, people will treat it differently. Employees will be more vigilant about their personal data’s protection. Customers will more frequently exercise their new rights. And managers will need to create new data strategies. It’s even conceivable that data-erasure is something customers will be willing to pay for.

In response, your organization will need to care about the value of your customers’ data, too. “We will protect your data” will be an increasingly powerful brand message, one that a growing number of customers will actively seek out.

For many organizations — even those with a long history of maintaining customer data — all this represents a new direction. Let GDPR compliance be your first step on this new path.

Ready for new business processes with GDPR? Visit us today at: dxc.com/gdpr

This post is the third in a three-part DXC blog series, “Accelerating GDPR Compliance,” exploring the implications of the European Union’s new General Data Protection Regulation. View Part 1, Accelerating GDPR readiness and Part 2, Getting analytics right for GDPR compliance – and beyond.

Jon GudelisJon Gudelis, P.Eng., COP, is managing partner, industry and analytics consulting, at DXC Technology. He leads a team of industry experts that help customers address the business challenges of digital transformation. Jon’s background in financial services spans sovereign lending, retail and commercial banking operations, and technology-enabled business transformation.


Accelerating GDPR readiness: Now’s the time to get started

Getting the analytics right for GDPR compliance – and beyond

L is for legal


  1. […] 2 new business processes key to GDPR compliance […]

  2. […] 2 new business processes key to GDPR compliance […]

  3. […] 2 new business processes key to GDPR compliance […]

This site uses Akismet to reduce spam. Learn how your comment data is processed.