We live in a digital world where every action leaves a mark. Users are receiving an increasing amount of targeted ads and promotional offers. Brands are working hard to adapt their services and customize their communication according to the different customer profiles. To do this, companies use solutions to collect and process personal data.
Data: the strategic core
Today, customers are increasingly unpredictable and do not hesitate to change brands. To stand out and maintain their position, companies need to ensure that customers are at the heart of their strategy while continuously adapting to customer needs. Processing user data is therefore essential since the data itself is a company asset.
What is the impact of the new GDPR (General Data Protection Regulation) guidelines?
Several principles emerge from this Regulation, including those of finality, transparency, and respect of personal rights. In other words, an organization must present a legitimate objective for collecting personal data (finality) and must notify users about the collection and sharing of information with third parties (transparency). This also means the user has the right to accept or reject data collection. They can also ask for their data to be corrected and permanently deleted, which was not the case in the past.
New opportunities with the GDPR
The GDPR is a framework for collecting and ensuring privacy and data security. Although companies view these rules as restrictive, they can still become a development opportunity and a standout factor. Indeed, there are many ways to capture customer data, such as forms, competitions, newsletters, loyalty cards, and much more. The ultimate objective for a company is therefore to collect qualified data and to ensure user confidence.
Lawful means of data collection
The central concept of GDPR is consent. The old adage that "silence means consent" does not apply in the case of the GDPR within the European Union. With the exceptions specified in Article 6 "Lawfulness of processing", the GDPR requires that consent must be explicit, without data preselection (no pre-checked boxes for instance). Data collection and management practices are often unsuitable and need to evolve. To prove that users have given their consent, a consent certificate generation process needs to be implemented.
Once consent has been validated and the data collected, it is still important to ensure the quality and up-to-dateness of the database on a regular basis. Similarly, companies must be able to easily retrieve the consent’s written records for each user and its context (data, channel used, etc.).
In order to combine all these elements, companies can rely on trusted third parties. These third parties must "certify" the consent and make sure that the transmitted data is secured by using a cryptographic solution. For example, encryption encodes sensitive data using keys that are regularly modified, remotely stored, and accessible thanks to a secured connection. In short, companies must manage data collection like a contract signed by the user.
From the users’ perspective, they must have the option to manage their data within a wallet. In other words, have their data centralized within a mobile app for example. Customers can quickly access their consent history, their used private data, and related processing, having total control of their data.
Once the data is captured and aggregated, the focus turns to data transfer, use, and storage. The GDPR work frame strongly suggests the use of pseudonymisation and anonymization techniques.
The first solution called "Anonymization" involves the elimination of all personal identifiers that could lead to the true identity of a natural person. This includes direct information such as names and addresses, or indirect ones such as purchases made, friends, or job title. Companies wishing to avoid data breaches or GDPR penalties can outsource personal data to third parties. This secured and centralized data can therefore be analyzed and used for profiling: average age of customers, average basket, etc.
The second solution, "Pseudonymization" is a softer version of anonymization since the identity of the person can be retrieved. The "natural person data" link is replaced with surrogated data. This makes it possible to outsource data processing, to secure the data while maintaining the ability to retrieve the link with a natural person post-processing. This solution does not release companies from the scope of the GDPR in all cases, but it can alleviate some requirements such as consent, the right to deletion, design protection and security.
In order to implement these new processes, companies are strongly advised to contact expert third party Digital Services companies trusted by the competent authorities and approved by the CNIL (French Data Protection Authority).