Written by Mark Chillingworth
There will be no dormant period for CIOs and CTOs during the winter of 2017 to 2018. Organisations and their information leaders will be sprinting towards the spring of next year, because the new General Data Protection Regulations (GDPR) come into affect on May 25, 2018. With just seven months to go, are organisations ready for the major European regulation? We brought together a business technology leader from one of the UK’s foremost media organisations and information, identity and technology specialists Amido to discuss the final sprint towards compliance for a Horizon Business Innovation CIO podcast.
Sabah Kahn Carter is Director of Technology Business Operations at News UK, the media giant behind brands such as The Sun and the Times. The business has expanded into a number of different media areas in recent years including the purchase of radio business Wireless Group in 2016 to add Virgin Radio and talkSPORT to its portfolio.
“If you think about our organisation we have staff and employee data, if you look externally we have audience data where we are trying to build a relationship from a sales and marketing perspective and our audiences that read our titles and we have our suppliers, so data impacts every part of our organisation,” Carter says of the levels of data to be impacted by GDPR at a major organisation.
“I think the deadline has really given everyone some focus and the drive has been to remove silos. What we are seeing now is that as we need to reach a deadline there is more collaboration,” she adds.
Steve Jones, senior consultant at Amido adds: “GDPR places the onus on the organisation to manage data in a more fine grained way than ever before. So if you really don’t know where all your data is then audit it is an incredibly difficult task. Historic silos are being rationalised. The 4% of global revenues fine is focusing the mind.”
“It is a really big opportunity for most organisations, there has been all this data that we have been accumulating for a length of time, although there is a great volume of data, the quality of it is questionable, so there is an opportunity here to say, ‘the data we are going to hold is relevant to us and is going to mean something to the strategy’,” Carter says.
“It is the opportunity to move to the mythical single view of the customer where all the information about a customer is in a single place,” Jones says. Like Carter, Jones believes GDPR should be about more than being compliant, he says GDPR should be seen as a way to concentrate on the customer and personalise the services offered.
“We are a really diverse company, when you think about how we operate and the data we hold. So being successful in one area is not going to make us successful and compliant in another,” Carter says. At News UK there has been a mandate to ensure all levels of the media giant are accountable, which “is at the heart of GDPR and we can’t just get away with saying we put the process in place”.
GDPR is not a tech challenge
“It is not just on consent going forward, it is also consent on historic data as well,”
“It can be seen as a technology challenge, but it is much broader, it requires a change in culture and behaviour,” Jones says. “Aside from the systems that accumulate the customer data, there is a raft of unstructured data like emails and documents that get uploaded so they can be passed around and messaging systems like Skype and Slack which can store personal identifiable information (PII) data,” he says of why organisations need to ensure a strong culture and not see the use of the latest tools as in any way different.
“The biggest challenge is the cultural one, the devil is in the detail of consent, beyond that there is an obligation to offer an opt-out of consent and information on what the data is bing used for and that is a big step change for organisations from a check box to receive a newsletter,” Jones adds of how the cultural change is also about daily customer facing interactions through digital channels. “These are new processes for organisations that have never had to display that knowledge before.”
“I would add there are industries like Adtech and marketing that have evolved with a certain approach that is not about getting consent,” Carter says. “This is going to transform these industries and the way we operate with our partners and that is a really big shift in our way of thinking.”
Requiring consent to use customer information is without doubt the largest change for organisations and in particular those such as the media that depend on targeting consumers to satisfy the needs of advertising clients. More than one CIO has told this title that they applaud the control being given back to consumers by GDPR, but don’t relish the change in operations within their own organisations.
“It is not just on consent going forward, it is also consent on historic data as well,” Carter says of the challenge. The News UK business technology leader said the London Bridge headquartered media company has been involved in deep levels of data mapping to understand the data it has.
Jones believes consent all aspects of GDPR will require a total change in processes and significant training in many organisations.
“It is reasonable to suggest is that the real target of GDPR is the rise of the data economy, in 1998 (when the previous incarnation of data protection regulations was released) we didn’t envisage a future where you would outsource your data processing to an outside provider, so there is an awful lot more onus on the data processors and their contract to ensure they are handling data in a correct manor,” Jones says of understanding your suppliers and ensuring they are compliant too. Organisations such as Marks & Spencer have had their brand name dragged through the tabloid media when an email marketing services provider was hacked some years back; beyond May 2018 the cost of such attacks will be far higher.
GDPR also requires organisations to appoint a Data Protection Officer, which Jones says is usually a role closer to the legal heads of the business rather than the technologists, though as he points out, it is very important that they have a good relationship with the CIO or CTO. News UK has a Data Protection Officer in place for some time: “being in the industry that we are it is something that we take seriously and he is very busy,” Carter says.
Despite the regulatory threats and a fast approaching deadline both technologists take a positive tone on GDPR: “It really is an opportunity to improve revenue and that has been the focus for us,” Carter says.
Click Here to use the Amido GDPR assessment tool.