
One Pager 5: Where the GDPR trouble is brewing

People say the GDPR is an enforcement failure. But, are they looking at the GDPR all wrong?

How businesses should take the lead and focus on customers

There are inescapable facts about two business issues –

  1. That Digital Transformation Programmes exclude Privacy. If privacy is in their scope at all, it has been reduced to a milestone in the delivery plan – “legal signoff”.
  2. That Privacy Management Programmes exclude Transformation. Their frameworks lack the ambition to drive the magnitude of change required by law or deserved by consumers.

If these two critical activities had nothing in common it might explain their disconnection, but smack in the middle of their Venn diagram is personal data.

The dots have not been joined even though since 2015 both these programmes have had growing board level visibility and eye-watering levels of investment.

Back in 2018 (GDPR year zero) a survey of Fortune 500 and FTSE 350 companies, by the International Association of Privacy Professionals, put GDPR spend at $11.2 billion. Industry analyst IDC put spending on Digital Transformation in 2018 at $1.6 trillion. While spend on GDPR compliance is now much reduced, Digital Transformation spend will still be $1.6 trillion in 2020.

In the journalism and analysts' reports about Digital Transformation many brands get a name check, but six are repeatedly mentioned as success stories. The “poster children” are Nike, IKEA, McDonald’s, LEGO, and Disney – they are in every top ten.

Each has genuinely transformed the relationship they have with customers by putting digital at the centre of an omni channel experience, and developing innovative data driven services and products. The reports make it clear; the proof of success is in their numbers – the growth is impressive.

Key Takeaways

  1. Chief Digital Officers and Chief Privacy Officers have been poorly served. Advisors have failed to recognise the synergies of their programmes or align their goals.
  2. Privacy needs to be reimagined in the context of Digital Transformation, with the creation of a privacy vision which recognises both what is held in common and the very different perspectives.
  3. It is not too late. Digital Transformation Programmes need to deliver against privacy requirements for:
  • Baseline data protection obligations and duties of Data Controllers and the rights and freedoms of Data Subjects
  • Consistency between the privacy experience and the core customer experience
  • Specific privacy rights services and journeys

PEA was founded to solve this problem – to crossover between the world of Digital Transformation and Privacy Management, and guide both Digital and Privacy leaderships.

It can't be business as usual for any type of company or public sector body after May 2018.

Helen Dixon, Data Protection Commissioner for Ireland. The Independent, 02/04/2017.

Yet their privacy experience remains in the dark ages. Digital Transformation has passed privacy by:

  • Confusing consent banners without a data or privacy proposition which articulates the value exchange to customers, let alone a manageable choice set.
  • Privacy notices written in the same sequence as clauses in the GDPR and not designed to help users understand the content or navigate the page.
  • The privacy rights of customers activated at best by an online form, and at worst by the presentation of a general customer service email address.

There will be very few Digital Transformation Programmes which settle on spawning an email as the preferred way to deliver a service or “fix it first time”. But, then again, there they are.

When designing new privacy experiences the first roadblock is the IT estate. Long before the GDPR, people had a Right to Access – to obtain a complete copy of their data. Yet, with all the investment in Digital Transformation, a Data Subject Access Request is still mainly a matter of manual processes and tech kludges – as if requirements were never captured! Maybe what is required is too much of a stress test for the transformed systems – if they fail on Access, they stand no chance on Restriction.

Privacy Management Programmes compound the problem by lacking ambition, a desire to innovate or an outward looking frame of reference. The cliché of the difference between management and leadership has never been truer. Just as Digital Transformation has failed to listen up, so Privacy Management fails to speak out beyond the legally necessary documentation which is extracted like teeth from the business.

Why has this happened? Both lack a rounded view of the customer as data supplier and beneficiary – because one has a partial vision, and the other has no vision at all.


Author Privacy Experience Agency
