GDPR and the End of Reckless Data Sharing

The European Union’s General Data Protection Regulation (GDPR) will put every company with a digital strategy at risk of significant financial penalties. Any company that processes any personal information on EU citizens—whether as customers, employees, or business partners—and fails to comply could face fines of up to four percent of its annual global revenues, as well as severe reputational damage. And compliance will require much more than simply encrypting this data.

The GDPR, which kicks in on May 25 of this year, harmonizes national data-protection laws within the EU. It seeks to ensure that personal data is protected against misuse and theft and gives EU citizens control over how their data is used.

Most companies today are at risk of non-compliance, since few, if any, actually have full control over their customers’ data. While many organizations have made strides in protecting the data that sits in their primary repositories, they might not take into account the myriad ways in which they share that information today. Companies are more reliant on ecosystem partners and technology providers than ever before, and the looming GDPR deadline underscores a broken model of data sharing among companies and their partners.

The scope of the GDPR is far-reaching, covering any information that can be linked to an identifiable individual (search engine queries, employee authentication, payment transactions, closed-circuit-television footage), in any format (structured or unstructured) and held in any medium (online, offline, or backup storage). As a result, the data protection that companies must now put in place is much broader in scope than that required under current standards.

Hope is not a strategy

Most companies must share data with their suppliers, customers, insurers, distributors, and advisors to compete and deliver superior customer experience today. And they share that data in one of three ways, none of which fully protects it:

  • Pass the data fully over to the partner with a legal contract detailing the degree to which the partner must apply protections to the data. However, that does not ensure that the partner will comply 100 percent.
  • Encrypt the data and grant access with passwords, which helps protect the data from hackers and others who may attempt to access it. But once the files have been given to the trusted third party, they might be duplicated, shared with other systems, or otherwise exposed.
  • Programmatically grant access to the data via an application programming interface (API), which is a more automated approach to data sharing. The API method, nonetheless, typically leaves the partner with the ability to store the shared data locally or duplicate it, again risking exposure.

In effect, companies are simply trusting—and hoping—that their partners will properly protect customer data. The forthcoming GDPR laws, however, make clear that such hope will not be an effective strategy for compliance.

The cloud is not a panacea

Ecosystem partnerships are not the only weak link in the data-protection chain. Companies also face significant data-exposure risk because of the software and service providers that have access to their customer data.

An increasing number of companies today use software-as-a-service (SaaS) solutions for sales, customer service, ecommerce, email, and more to improve their agility, responsiveness, and customer experience. Unfortunately, many business users sign up for these services without a clear understanding of whether the provider can comply with the GDPR or other data regulations. They quickly accept the terms of service without reading through the multiple pages of eight-point text detailing the rights they have granted the technology provider—a partner that may not be eager to stand by their side in court for exposing personally identifiable information. So, while many will argue—and rightly so—that major providers of cloud services spend more on data privacy and security than a single company could afford to invest in its own data center, third-party solutions must, nevertheless, be scrutinized.

A responsible approach to data sharing

What companies must do to address these risks, ultimately, is to take full responsibility for the protection of their customer data—wherever it goes, wherever it resides. That’s no small task in an era in which data sharing within digital ecosystems is all but a requirement to thrive in today’s marketplace. Every company must work collaboratively within its ecosystems to ensure compliance, understanding that protecting customer data remains its responsibility—even when it is in its partners’ possession. Some actions companies can take to handle this include:

Create a cross-functional GDPR task force. Most GDPR programs lack clear ownership. Ensuring compliance requires an approach that cuts across functions and business units. Stakeholders who understand the current state of data sharing and associated risk—legal, compliance, line-of-business leaders, IT, risk management, information security—must commit to, and share responsibility for, a road map for change. Senior leadership approval and buy-in are vital so that the program is securely anchored to your company’s overall strategy.

Map the customer data-sharing journey. McKinsey & Company has advised that companies build what it calls a “golden record” of personal data processing: where it comes from, what is done with it, what the regulations are for processing it, and with whom it is shared.

Employ data hubs with secure connections. Companies can store customer data in systems they control, such as co-location data hubs in the metropolitan areas where the company operates, and employ private, secure interconnections with partners, ecosystems, or cloud service providers. In this way, third parties can query the system for required customer information without gaining full access to the customer’s personal or private data.

Share insights instead of data. An even more secure approach is to shift the focus from data sharing to “insight sharing”—in other words, passing along the data-derived intelligence required to deliver an effective customer experience rather than the data itself. For example, if a reseller needs to know how many customers in what cities have inquired about a new product offering, the company can provide aggregate results that detail the location and types of customers without exposing names or contact information. This approach empowers the ecosystem without exposing sensitive data and putting you at risk for GDPR non-compliance.
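The reseller case described above, as an added example that is not part of the original article: the function returns only city, customer type and a count of distinct customers, never names or contact details. The field names, the sample records and the minimum group size of 3 are assumptions; withholding small groups goes beyond the article's text, because a count of one in a city can still point to an individual.

```python
from collections import defaultdict

# Constructed sample records, not real customer data. Field names are assumptions.
FIELDS = ("customer_id", "name", "email", "city", "segment", "product")
INQUIRIES = [dict(zip(FIELDS, row)) for row in [
    (1, "Ana Ruiz", "ana@example.com", "Madrid", "consumer", "P-100"),
    (1, "Ana Ruiz", "ana@example.com", "Madrid", "consumer", "P-100"),  # repeat inquiry
    (2, "Luis Gil", "luis@example.com", "Madrid", "consumer", "P-100"),
    (3, "Eva Mora", "eva@example.com", "Madrid", "consumer", "P-100"),
    (4, "Marc Petit", "marc@example.com", "Lyon", "business", "P-100"),
    (5, "Lea Roux", "lea@example.com", "Lyon", "business", "P-200"),
    (6, "Jan Koch", "jan@example.com", "Berlin", "consumer", "P-100"),
    (7, "Ida Lang", "ida@example.com", "Berlin", "consumer", "P-100"),
    (8, "Tom Haas", "tom@example.com", "Berlin", "consumer", "P-100"),
    (9, "Uwe Rapp", "uwe@example.com", "Berlin", "consumer", "P-100"),
]]

MIN_GROUP_SIZE = 3  # assumption: groups smaller than this are withheld


def inquiry_insights(records, product, min_group_size=MIN_GROUP_SIZE):
    """Count distinct customers per (city, segment) who asked about `product`.

    Only city, segment and a count leave this function; customer_id is used
    internally to de-duplicate repeat inquiries and is never returned.
    """
    groups = defaultdict(set)
    for r in records:
        if r["product"] == product:
            groups[(r["city"], r["segment"])].add(r["customer_id"])

    rows, withheld = [], 0
    for (city, segment), ids in sorted(groups.items()):
        if len(ids) < min_group_size:
            withheld += 1  # a tiny group could single out one person
            continue
        rows.append({"city": city, "segment": segment, "customers": len(ids)})
    return {"product": product, "rows": rows, "groups_withheld": withheld}


if __name__ == "__main__":
    print(inquiry_insights(INQUIRIES, "P-100"))
```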

If your company’s customer data is exposed, it is unlikely to matter to GDPR enforcers that it was the result of a lapse on the part of a business partner or technology provider; your company will be held responsible for compliance. Now is the time for global firms to reassess their data sharing processes—or risk major consequences.