GDPR in value chains: take off your shackles!

  • Authors: Eefje van der Harst, Christian van Ramshorst
  • Tags: GDPR, Data Sharing, Openness, Customer in Control

The time is near, are you ready?

On the 25th of May 2018, the GDPR (General Data Protection Regulation) will come into effect. It is a new privacy regulation that aims to improve and harmonise the different data protection legislation of the EU member states. Under GDPR, consumers get more rights concerning their personal data, and organisations are driven to act responsibly when processing it. Although many organisations consider GDPR a heavy compliance burden, it actually provides opportunities for organisations that operate in value chains, if they collaborate smartly. This blog provides insights into how GDPR compliance can become an opportunity through smart collaboration, leading to improved customer experience and mitigation of unnecessary risks.

Over the years organisations have been “hoarding” personal data; “better safe than sorry, right?”. Databases with personal data have grown large and are filled with (potentially) sensitive data. But things are about to change. With GDPR the EU has developed new legislation that imposes strict rules on organisations that process personal data. Non-compliance with these rules can lead to substantial fines of up to 4% of an organisation’s yearly global turnover. One would think that this is reason enough for organisations to carefully reconsider whether they need this personal data at all… Yet the opposite seems to be true: organisations are more concerned with being compliant than with rethinking their need or desire for personal data.

Implications of GDPR as an individual endeavour

Over the years, consumers have (unknowingly) been trading their ‘identity’ for services. With everything becoming a transaction, it is essential to empower consumers to make informed choices when sharing data, just as GDPR intends. Putting the consumer in control of his data and becoming GDPR compliant can be a challenging task, though, for organisations operating in value chains.

GDPR imposes several obligations that are clearly individual endeavours for organisations; to name a few:

  • Identifying what personal data is needed for your processing purposes;
  • Maintaining a record of processing activities;
  • Appointing a Data Protection Officer (if applicable);
  • Performing Privacy Impact Assessments (if applicable).

The rules as set out in the GDPR are in themselves a challenge for individual organisations, let alone the additional implications that arise for organisations operating in value chains. The client-facing party, which is generally the so-called 'Data Controller', is and remains responsible for correct handling of personal data throughout the entire value chain. That is easier said than done, right? How can the Data Controller keep control of the personal data once it is spread across the value chain and processed by its chain partners? By approaching GDPR compliance individually, an organisation can only see what data is processed by its direct partners in the value chain, based on their direct communication channels. In order to see whether data is processed correctly throughout the entire value chain, it is essential to look beyond direct business partners and consider the entire context of the product/service that is being offered, thereby reaching a global optimum instead of a local optimum.

Figure 1 shows a simplified version of the customer data journey for a fictitious financial product. Immediate questions arise regarding GDPR compliance in this value chain situation.

Figure 1: Fields of attention regarding the customer data flow

This example of personal data processed while offering a financial product illustrates how difficult GDPR compliance can be in value chain situations. Just think about it: most of the rules defined in GDPR are imposed on individual organisations, as are the fines for non-compliance. But with personal data moving back and forth through value chains, why keep approaching compliance individually? In an individual approach each organisation is re-inventing the wheel, so why not join forces to become GDPR compliant?

An individual approach leads to inefficiencies (in terms of organisational resources such as time and costs) in the value chain, negative impact on customer experience (and especially potential reputational damage to client-facing parties) and unnecessary risks for all parties within the value chain. Examples of risks are:

  • Risk of over-processing personal data: The definition of personal data depends on the specific context and can therefore vary across parties within the value chain. A lack of awareness of each other’s context introduces a risk of over-processing personal data and therefore an increased risk of non-compliance;
  • Lack of clarity on liability throughout the value chain: With parties all creating different data processing agreements, liabilities may overlap or may not be addressed at all. In case of non-compliance this can lead to issues in establishing who can actually be held liable;
  • Data handling variations: Establishing the exchange of data in bilateral agreements results in endless variations in data exchange. With a lack of general agreements throughout the value chain, these variations introduce a greater risk for processing errors and therefore increased risk of non-compliance;
  • Negative impact on customer experience: Not thoroughly thinking of what personal data is required throughout the value chain beforehand may introduce unnecessary touchpoints in the customer data journey and negatively impact customer experience through the added “hassle”.

Based on these risks a collaborative approach of data processing in chains would seem obvious. But there is a difference between a collaborative approach and truly working together. An approach where organisations with the strongest position in their chain of activity impose very demanding data processing agreements on the minnows, like a general commanding the troops, does not drive collaboration. 

GDPR: Take off the shackles and join forces!

Based on its experience in various multi-party data sharing situations, INNOPAY sees that organisations that collaborate on compliance or service development are more successful and create value for all parties involved. More specifically regarding GDPR compliance in value chain situations, INNOPAY identifies four key areas in the customer data flow (figure 2) that can benefit from a collaborative approach.

Figure 2: Key collaborative domains impacting the customer data flow

  1. Personal data: Defining whether data is personal data depends on the context. By assessing the value chain collaboratively, the context can be considered as a whole, making sure that all personal data is correctly identified. This minimises the risk of over-processing personal data;
  2. Processing agreement: By defining all expectations and processing purposes in a collaborative setting, all parties can get a clear understanding of what is expected of them. Accountability is clarified beforehand, which reduces uncertainties in case of non-compliance;
  3. Consumer interface: GDPR only allows processing of personal data for which the organisation has a clear processing purpose. In value chains, specific processing activities requiring specific personal data are often outsourced. This implies that storage of personal data is scattered across the value chain, while the consumer has the right to access all his personal data in the value chain. By collaborating, organisations can provide access to the personal data without the need for centralised storage of data, improving data minimisation;
  4. Uniform data sharing: Defining data sharing standards together will ensure that all parties involved are able to handle such standards (for example API specifications, SLAs and data sharing agreements), ensuring that personal data (and the rights exercised by the customer) are handled correctly throughout the chain.

These four key areas are examples of the opportunities that arise when approaching GDPR compliance collaboratively. By collaborating, risks can be minimised, and additional value can be created for customers and parties within the value chain of operation. Through collaboration, organisations operating in value chains are able to provide the customer with the level of control that GDPR was intended for, as well as ensure responsible processing of personal data.

At INNOPAY we have the knowledge, the people and the experience to deliver innovative and trusted strategies, solutions and services that help organisations or groups of organisations to fully embrace the opportunities of the digital transactions ecosystem. Get in touch to see where INNOPAY can help you (and your value chain partners) remove your GDPR shackles.
