GDPR: Three Steps to Protect Your Business

White Paper: GDPR - Three steps to protect your business


In 2018, the European Union’s General Data Protection Regulation (GDPR) will take effect. Is your organization prepared, or is it at risk of multi-million dollar fines? Here are 3 key areas to consider for meeting GDPR compliance.

If someone walked into your office today and told you that, in one year, your business would unknowingly expose itself to millions of dollars in regulatory fines, how would you respond? In all likelihood, you’d want to know exactly what warrants that kind of fine. And then you would do everything possible to understand how to protect your organization against it.

The “risk” in question here is the European Union’s General Data Protection Regulation (GDPR) — a new rule that will dramatically alter data privacy and protection standards across Europe. Importantly, the regulation carries fines of up to 4% of annual global revenue or 20 million Euros (whichever is higher), and it applies to any business with EU customers [1]. This makes it relevant to any enterprise with operations or customers in any nation of the European Union.

That alone is cause for alarm, but here’s the truly troubling news: For the majority of global organizations, this regulatory snake pit is a complete blind spot.

In October 2016, a survey commissioned by Dell found that [2]:

• More than 80% of global respondents know few details or nothing about the GDPR

• Less than one-third of companies feel prepared for the GDPR

• 97% of organizations lack any sort of plan to be ready for the GDPR

Let those numbers sink in and ask yourself: How prepared is your organization for the GDPR? And if it isn’t, what are the implications of failing to prepare before the GDPR takes effect on May 25, 2018?

[1] EY, “EU General Data Protection Regulation: Are You Ready”

[2] Quest & Dell, “Global Survey: GDPR has ramification for any company that does business with citizens of the EU”


Here’s the good news: While the GDPR is complex and wide-ranging, there are some simple steps your business can take to tackle compliance challenges. Here are three ways to help your organization better understand the implications of the GDPR, along with actions that can help make sure your current customer data management policies don’t result in hefty fines for your business.

1. Identify Where Your Customer Base Is Located

One of the main reasons the EU’s GDPR policy gets overlooked is because businesses assume it’s directed only at European-based organizations.

While the regulation was designed and structured to protect the data and privacy of citizens in the EU’s 28 member countries, the legislation applies to any business — in any country — that stores, captures, processes, uses, or manages an EU citizen’s data. For example, if you’re an American-based business with even a single customer in a European Union country, ensuring the privacy of that customer’s data will no longer be optional, and the GDPR’s enforcement mechanisms can be applied to your business if you don’t.

Some of the compliance categories the GDPR will impact include:

• Data portability (an individual’s rights to gain access to and transfer his or her own personal data history)

• Age of consent

• Email opt-in and anti-spam

• Right to be forgotten (an individual’s right to request complete erasure of his or her personal data)

Importantly, one of the primary goals of the GDPR is to enact uniform legislation that will create consistent regulations and policies that can be easily applied across borders. This means that if you have just one customer in the EU, you need to geographically assess how customer data is being used and where it’s being stored across all of your brands and subsidiaries. This will allow you to ensure that your practices for capturing, using, managing, and storing customer data are in full compliance — not just with the GDPR, but with any other geographical or national rules.

2. Understand Where Customer Data Is Located and How It’s Connected Across Your Business

Large enterprises today often own multiple brands, which in turn manage multiple web or mobile properties. Another idiosyncrasy of the GDPR is that it doesn’t apply to only your organization’s interactions with customer data: It also applies to all brands and subsidiaries owned by your company and any third-party vendors processing customer data that those brands work with.

Here’s a simple example:

US-based Acme Enterprises owns Brand A, an online retailer in Germany that collects and manages customer identities, and uses both a GDPR-compliant customer relationship management (CRM) platform and email service provider (ESP) to drive campaigns.

Acme also owns Brand B, a US-based consumer packaged goods brand whose products are marketed and sold by Brand A. Brand B uses a cloud-based data management platform (DMP) that uses brokered third-party customer data to drive programmatic advertising, a practice outside of GDPR compliance.

When a British customer of Brand A cross-converts and voluntarily registers with Brand B — ostensibly a good thing for Acme — the targeted messaging he then receives constitutes a compliance breach and, if prosecuted, Acme is on the hook for any resulting fines.

[Diagram: Acme owns Brand A and Brand B; a customer registered with Brand A voluntarily registers with Brand B.]

The bottom line is that if customer information lives in disconnected silos, is handled by disparate teams, and has different owned or third-party technologies processing it for various reasons, then managing compliance can quickly become a nightmare. Notably, one 2016 report found that 63% of all data breaches were linked directly or indirectly to third-party access [3].

So, it’s critical that you understand how you’re using customer data across your company today. This includes staying current with other parties’ terms-of-service as they relate to your customer data. And it means asking yourself some fairly basic questions:

• Are you in control of all endpoints for your customers’ personal data?

• Are you collecting, storing, and using data for its intended purpose?

• Are customer profiles in your databases kept in sync with customers’ third-party social accounts?

If you can answer yes to these questions, you will reduce your GDPR compliance risk. One way to get there is by leveraging tools like social login, which reduces friction, gives your customers total control over the information they share and gives your business access to accurate, consent-based first-party data. Similarly, single sign-on (SSO) functionality helps with compliance and improves customer experience by reducing inherently risky authentication processes, logging customers in (and out) of all connected sites with a single, secure transaction.

[3] Soha, “Third-Party Access is a Major Source of Data Breaches, Yet Not an IT Priority”

3. Centralize Customer Identity on a Single Platform

As the popularity and utility of cloud-based services has increased in enterprise organizations, so, too, has the inherent risk to customer data. After all, those services are typically hosted across various time zones and country codes, meaning one company’s data may cross borders into regions with varying requirements for how that data must be handled.

If you’re trusting this network of distributed solutions to safeguard that data, you’re likely exposing your business to significant risk.

With the GDPR designed to place stricter controls on the exchange and storage of this data, the safer strategy is to create a centralized customer data repository. This enables customers — and your business — to easily access, adjust, and manage data preferences and consent in one place, instead of across multiple solutions.

As you think through this issue, here are some questions you’ll want to consider:

• Are you presenting a clear value proposition to customers when asking them for personal information — transparently communicating what data you’re asking for, what you will do (and not do) with it, and what they can expect to receive in return?

• Can customers easily change preferences, such as allowing or rescinding consent for social apps or changing opt-in and frequency settings for emails?

• Can customers edit, download, delete, and freeze processing and storage of their data at any time and for any reason?

• Can you prove to enforcement agencies, in a timely fashion, that you have obtained proper consent from consumers to collect and manage their data?

If you can’t answer those questions, or your current policies around them aren’t clear, you’ll want to make changes before the GDPR takes effect.


What’s the Cost of Being Underprepared for the GDPR?

The risks of mismanaging customer data are tangible and significant. Outside of the financial ramifications of regulation like the GDPR, just one infraction can cause irreparable damage to brand reputation and trust — both of which can impact consumer spending. One example of this is Target, whose sales fell by 46% year-over-year after its 2013 data breach [4]. Another is Yahoo, which also experienced breaches in 2013 and 2014 that caused Verizon to drastically reduce its acquisition offer [5].

Simply put, the costs associated with data mismanagement are far greater than the costs associated with putting the right strategy in place to protect against them.

Remember: With 97% of businesses recently saying they lack any sort of plan to be ready for the GDPR [6], chances are your organization is at risk. While the steps laid out in this paper aren’t a comprehensive roadmap to GDPR compliance, they are a good starting point. And with the GDPR coming in 2018, there’s no time to waste.

We Can Help!

Gigya’s Customer Identity Management platform helps 700 global brands identify and engage with 1.2 billion customers across the globe, with a secure and privacy-compliant solution purpose-built for managing customer data. Our industry-leading technology and implementation expertise make Gigya a great place to start for businesses wanting to develop more valuable and trusted relationships with their customers.

Check out our website to learn more about how a centralized customer identity management strategy can help you meet the requirements of the GDPR and other data protection and privacy laws. If you are planning a customer identity initiative and want to find out what Gigya can do for you, contact us today.

[4] Forbes, “Target Profit Falls 46% On Credit Card Breach”

[5] CBSN, “Verizon slashes offer price for Yahoo over data breaches”

[6] Quest & Dell, “Global Survey: GDPR has ramification for any company that does business with citizens of the EU”

© 2017 Gigya, Inc. | 2513 Charleston Road #200, Mountain View, CA 94043 | T : (650) 353.7230 | www.gigya.com

Gigya, the Gigya logo, and Customer Identity Management Platform are either registered trademarks or trademarks of Gigya Incorporated in the United States and/or other countries. All other trademarks are the property of their respective owners. Gigya does not own any end user data or maintain any other rights to this data, other than utilizing it to make Gigya’s services available to our clients and their end users. Gigya acts as an agent or back-end vendor of its client’s website or mobile application, to which the end user of our client granted permissions (if applicable). Gigya facilitates the collection, transfer and storage of end user data solely on behalf of its clients and at its clients’ direction. For more information, please see Gigya’s Privacy Policy, available at http://www.gigya.com/privacy-policy/.


The Leader in Customer Identity Management

About Gigya

Gigya’s Customer Identity Management Platform helps companies build better customer relationships by turning unknown site visitors into known, loyal and engaged customers. With Gigya’s technology, businesses increase registrations and identify customers across devices, consolidate data into rich customer profiles, and provide better service, products and experiences by integrating data into marketing and service applications.

Gigya’s platform was designed from the ground up for social identities, mobile devices, consumer privacy and modern marketing. Gigya provides developers with the APIs they need to easily build and maintain secure and scalable registration, authentication, profile management, data analytics and third-party integrations.

More than 700 of the world’s leading businesses such as Fox, Forbes, and ASOS rely on Gigya to build identity-driven relationships and to provide scalable, secure Customer Identity Management.

To learn how Gigya can help your business manage customer identities, visit gigya.com, or call us at 650.353.7230.