Consider this scenario: Legislation is passed requiring an organisation to delete a consumer's details within 5 days of a request. Failure to do so results in serious penalties. A business experiences a significant data breach, consumers lose confidence, and a wave of delete requests is received. How is the organisation going to manage this if it is using manual, human-driven processes?
Over the last few years, individuals across the world have slowly started to appreciate that their data has real value. People are realising that the personal information they have been eagerly posting onto social media platforms is worth money - their likes, comments and people they follow can be sold, used to sell them something and used to manipulate them. It can be compromised, and if this happens, can create a big headache. Imagine giving your wallet to someone to look after, and they lose it. Great. Off we go to cancel credit cards, change PIN numbers, etc, etc.
Just like a bumper crop of wheat in the farming world, we’ve seen the term ‘harvesting’ adopted to describe the collection of large swathes of data by organisations. This data is filtered and refined to create a data product of even greater value.
As the world wakes up to this new ‘farming’ technique, we are now seeing the enactment of legislation and regulation that supports the individual’s quest to regain control of their personal data.
The European Union’s General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, is a significant step towards this. Following the introduction of GDPR, California recently enacted the California Consumer Privacy Act (CCPA), giving consumers (citizens of California) the right to demand a copy of their personal information from businesses and to request that they delete it.
I have already experienced the inability of large enterprises to handle such requests. A while ago, I had a significant disagreement with a multinational car hire company. I was so disappointed with their service that I asked them to close my ‘Preferred Client’ account and remove my data from their system. Almost 18 months later, I can still log into my ‘Preferred Client’ account. As there is no legislation to support my request (yet), it has fallen on deaf ears.
At BDO, we can foresee the emergence of a whole new business capability solely tasked with complying with these requests to provide copies of personal information and/or confirm deletion. How long will it be before we see the rise of the ‘Customer Data Response Team’?
The need for these new customer-data-focused teams will be created by the failure of most businesses to invest in mapping their data assets. They have customer data sitting in numerous, disparate systems. Structured consumer data sitting in databases may be easier to find, but what about unstructured data such as scanned letters and forms?
Furthermore, what will be the cost to run these teams? In a complex enterprise with inadequate data mapping, it could plausibly take one full-time staff member a few days to confirm that all of an individual’s data has been located and deleted.
Who will bear this cost? The implications are enormous.
If you are interested in getting ahead of this issue and better understanding how you can structure your business data, please contact BDO for a chat.