Will you be a GDPR hero — or a GDPR victim?
Choosing the wrong systems and partners has negative business impact. The risks associated with poor choices are now even higher for organizations that offer goods and services to individuals in the EU or monitor their behavior – that is, for those that must comply with the General Data Protection Regulation (GDPR) in just 253 calendar days.
By now we’re all familiar with the substantial fines associated with ignoring GDPR compliance or taking a wait-and-see attitude: for the most serious infringements, up to €20 million or 4% of the company’s total worldwide annual turnover, whichever is greater.
But wait … there’s more.
Selecting or working with the wrong vendor could itself be a violation. Article 25 of the GDPR sets out the requirements for data protection by design and by default, also referred to as privacy by design. It requires that data protection be embedded into technologies and business processes from the outset; data protection and privacy measures cannot be bolt-ons or afterthoughts. Article 28 adds that a controller may use only processors that provide sufficient guarantees of appropriate technical and organizational measures. To put it simply, your organization may be at risk of GDPR non-compliance if your vendors and partners can’t demonstrate the ability to help you meet your data protection and privacy requirements. Your chosen partners can make you a GDPR hero – or a GDPR victim.
Note, too, that the provision isn’t just about system design. It applies to process design as well. When marketers create a new customer journey map or develop a new campaign, they must embed data protection and privacy into that design. Marketers can’t assume that they can throw GDPR-compliant customer data management over the wall to be handled appropriately by IT systems.
Our report entitled Get Ready for the GDPR: Talking to Colleagues and Vendors suggests four questions to ask solution suppliers:
- How do your products/services help me meet my data protection obligations?
- Where do you store and/or process the data?
- How will your sales and service agreements reflect GDPR requirements?
- What is your roadmap for GDPR support?
The report offers guidance on the answers you’ll want to hear, and it details the requirements for data protection by design and by default.
If you are acquiring new technology and haven’t made GDPR compliance a core requirement, contact us to learn more about what you should be thinking, planning, and asking. We’re also happy to help if you’ve asked your existing vendors and partners about compliance support but are puzzled by their answers.