A Driving Force of 'DATA LEAN' Organisations
GDPR presents a unique opportunity for organisations to benefit from becoming “Data Lean”. This is a complete reversal of the current business mindset, in which organisations collect as much data as possible about their current and potential customers because they believe it helps them understand those customers' needs better. The days of unauthorised data mining for upselling and cross-selling are certainly numbered.
GDPR compliance requires organisations to change their business practices and data management systems. For example:
- Data Minimisation: The concept of data minimisation requires that only the data necessary for the business objective of the activity is collected. Today, organisations collect unnecessary data from customers, both manually and automatically, so that they retain the option of mining it for future business purposes. Under GDPR, data controllers would be prohibited from collecting unjustifiably large data sets.
- Rights of the Data Subject & Responsibilities of Organisations: GDPR grants individuals the right to request all the personal data an organisation holds about them, to be provided within 30 days. Similarly, the individual's right to be forgotten means an individual may demand deletion of all of his or her personal data from every system the organisation operates. To comply, organisations will need all of their databases that contain personal data, across modern and legacy systems, to be integrated or centrally managed. Hence, the fewer the databases that store personal data, the simpler life becomes for data controllers and processors.
- Data Processing, Sharing & Consent: GDPR requires organisations to seek an individual's consent for the purpose(s) for which their personal data shall be used. It also requires explicit consent for sharing data with third parties and associates. Specific and explicit consent provisions tie the hands of organisations when it comes to “creative analytics” of personal data. They also limit an organisation's freedom to enter data partnerships for cross-selling. Stretching the use of data to gain marketing leverage would certainly encourage individuals to exercise their right to object and/or withdraw consent.
- Data Relevance and Deletion: GDPR requires organisations to inform individuals, at the time of collection, how long their personal data shall be retained. To comply, organisations will need to determine the useful lifetime of data before collecting it and delete the data once the committed retention period has elapsed. Independently of that, individuals are empowered to demand deletion at any time. This balance of rights would ensure that organisations keep only relevant data and adopt an effective data deletion policy.
GDPR compliance will drive organisations to retain only the personal data they need for agreed business purposes. While the cost of storing data is declining, the cost of managing and safeguarding it is not.
The advantages of becoming “Data Lean” include reduced exposure to data loss incidents, customer liabilities, regulatory wrath and goodwill damages, as well as reduced cyber insurance premiums for compliant organisations.
Susheem is a Lead Consultant with 15 years of experience in Risk Management and Business Transformation Advisory within the services industries. He is a specialist in GDPR and EU privacy regulations.