When the General Data Protection Regulation (GDPR) went into effect on May 25, most companies already had a solid understanding of what the new law meant for EU citizens’ privacy rights, and how it would increase their obligations when it comes to the handling of customers’ personal data. What some may not have fully grasped, however, is how the GDPR also requires organizations to deliver this protected information to any EU citizen who submits a Subject Access Request (SAR).
SARs are oft-overlooked aspect of the GDPR. Under the new rules, a targeted company is required to produce any and all personal information that it holds on an EU citizen if a request is made. Marketers should be well-aware of this requirement, and understand that they and their organizations must do more than just ensure they have robust data protection and storage measures in place for EU customer data – they must also consider how they will manage SARs as part of their overall GDPR strategy.
Under the GDPR, when an organization receives a SAR request, it must respond quickly. Within one month, to be exact — a significantly shorter time frame than the 40 days allowed under the Data Protection Act, which the GDPR replaced. Moreover, the GDPR prevents organizations from charging administration fees for SAR processing, unless the request is “manifestly unfounded or excessive”. The elimination of fees makes it much easier for citizens to submit SARs – and could lead to a spike in the number of requests that organizations have to field.
The challenges don’t end there. The GDPR also gives EU citizens the right to receive highly detailed information, and to have inaccurate data corrected or erased. In addition, the rules say organizations must be able to identify how and from where they have sourced an EU citizen’s personal information.
Imagine the potential strain on marketing and other organizational budgets from processing a deluge of SARs – without charging for them, and under a tight time constraint. What’s worse, failure to process accordingly could result in an even bigger resource drain: hefty GDPR fines.
But there’s more at stake for organizations than just the price of non-compliance. Brands risk widespread negative publicity if they are unequipped to process SARs. Needless to say, if an organization’s GDPR focus has not fully incorporated SARs processing, they will want to act quickly to get the right tools and processes in place – before SARs requests become a serious headache. Organizations with multiple cloud-applications and business systems – such as CRM and ERP solutions — are particularly vulnerable to GDPR fines and sanctions, because these complex environments make it difficult to connect customer data that’s spread across various apps and repositories.
Luckily, finding a solution to address these issues doesn’t have to be a torturous task. Using a modern Content Services Platform (CSP), for example, can bring customer data that’s stored in numerous information sources together quickly and easily, help to establish clear visibility and ensure there are efficient workflows and reporting in place to meet SARs requirements within the one-month timeframe.
Unlike the dated Enterprise Content Management (ECM) model, CSPs are agile, and built for process automation and content distribution. CSPs offer flexibility and adaptability, and they integrate data from various sources and formats. Perhaps most importantly, because CSPs are ‘repository neutral,’ they can quickly find and access information, no matter where it resides.
Marketers will come to find the benefits of having that ability to quickly find and track customer data from across an organization extend well beyond GDPR compliance. A strong GDPR data security posture means knowing where customer data is, what it is being used for, and who is accessing it. But it also means having a 360-degree view of customer data. And it’s been well-established that a holistic view of customers enables a better, more personalized customer experience. Let’s face it: In today’s business world, it’s all about the customer experience.
It’s now been more than a month since GDPR took effect. Organizations are working hard to make sure they can identify all of the personal data stored within their systems and repositories, and to ensure this information is safe and secure. But SARs is another critical, potentially painful, aspect of the law that organizations often fail to consider. If not managed properly, SARs, could cost organizations a lot in terms of fines and reputation. But using a CSP can help ensure the ability to link numerous information sources together to meet these demanding requests – ensuring that nothing slips through the GDPR net.
What’s more, CSPs help unify customer information to provide a better customer experience. They are not only a solution for SARs, they can contribute to the growth of your company — and ultimately serve as a key building block for future marketing and business success.