Christian van Ramshorst
Christian van Ramshorst | INNOPAY
Christian van Ramshorst

GDPR in value chains: take off your shackles!

The time is near, are you ready?

On the 25th of May 2018, the GDPR (General Data Protection Regulation) will come into effect. A new privacy regulation that aims to improve and streamline all different data protection legislation from the EU member states. Within GDPR, consumers get more rights concerning their personal data, as well as drive organizations to act responsibly when processing their personal data. Although many organizations consider GDPR as a heavy compliance burden, it actually provides opportunities for organizations that operate in value chains if they collaborate smartly. This blog provides insights in how GDPR compliance can become an opportunity through smart collaboration and will lead to improved customer experience and mitigation of unnecessary risks.

Over the years organizations have been “hoarding” personal data; “better safe than sorry right?”. Databases with personal data have grown large and are filled up with (potentially) sensitive data. But things are about to change. With GDPR the EU has developed new legislation, which imposes strict rules on organizations that process personal data. Non-compliance with these rules can lead to substantial fines up to 4% of an organization’s yearly global turnover. One would think that this is clearly enough reason for organizations to carefully reconsider whether they need this personal data at all… Yet the opposite seems to be true, organizations are more concerned with being compliant rather than rethink their need or desire for personal data.

Implications of GDPR as an individual endeavour

Over the years, consumers have (unknowingly) been trading their ‘identity’ for services. With everything becoming a transaction, it is essential to empower consumers to make informed choices when sharing data, just like GDPR was intended for. Putting the consumer in control of his data and become GDPR compliant can be a challenging task though for organizations operating in value chains.

GDPR imposes several activities, which are clearly individual endeavours for organizations, just to name a few:

  • Identify what personal data is needed for your processing purposes;
  • Maintaining a record of processing activities;
  • Appointing a Data Protection Officer (if applicable);
  • Privacy Impact Assessments (if applicable).

The rules as set out in the GDPR are in itself a challenge for individual organizations, let alone the additional implications that arise for organizations operating in value chains. The client-facing party, which is generally the so-called 'Data Controller', is and remains responsible for correct handling of personal data throughout the entire value chain. That is easier said than done, right? How can the Data Controller keep control of the personal data once it is spread across the value chain and processed by its chain partners? By individually approaching GDPR compliance, an organization can only see what data is processed by direct partners in the value chain based on their direct communication channels. In order to see whether data is processed correctly throughout the entire value chain, it is essential to look beyond direct business partners and consider the entire context of the product/service that is being offered, thereby creating a global optimum instead of a local optimum.

Figure 1 shows a simplified version of the customer data journey for a fictive financial product. Immediate questions arise regarding GDPR compliance in this value chain situation.

General customer data flow
Figure 1: General customer data flow

This example of personal data that is processed in the process of offering a financial product illustrates how difficult GDPR compliance can be in value chain situations. Just think about it: most of the rules as defined in GDPR are imposed on individual organizations, as well as the fines for non-compliance. But with personal data moving back and forth through value chains, why keep approaching compliance individually? In an individual approach each organization is re-inventing the wheel, so why not join forces to become GDPR compliant?

An individual approach leads to inefficiencies (in terms of organizational resources such as time and costs) in the value chain, negative impact on customer experience (and especially potential reputational damage to client-facing parties) and unnecessary risks for all parties within the value chain. Examples of risks are:

  • Risk of over-processing personal data: Personal data definition is depending on specific context and can therefore vary across parties within the value chain. A lack of awareness of each other’s context introduces a risk for over-processing personal data and therefore increased risk of non-compliance;
  • Unclarity on liability throughout value chain: With parties all creating different data processing agreements, liabilities may overlap or may not be addressed at all. In case of non-compliance this can lead to issues in establishing who can actually be held liable;
  • Data handling variations: Establishing the exchange of data in bilateral agreements results in endless variations in data exchange. With a lack of general agreements throughout the value chain, these variations introduce a greater risk for processing errors and therefore increased risk of non-compliance;
  • Negative impact on customer experience: Not thoroughly thinking of what personal data is required throughout the value chain beforehand may introduce unnecessary touchpoints in the customer data journey and negatively impact customer experience through the added “hassle”.

Based on these risks a collaborative approach of data processing in chains would seem obvious. But there is a difference between a collaborative approach and truly working together. An approach where organizations with the strongest position in their chain of activity impose very demanding data processing agreements on the minnows, like a general commanding the troops, does not drive collaboration.

GDPR: Take off the shackles and join forces!

INNOPAY’s sees that, based on its experience in various multi-party data sharing situations, organizations that collaborate on compliance or service development are more successful and create value for all parties involved. More specifically regarding GDPR compliance in value chain situations, INNOPAY identifies 4 key areas in the customer data flow (figure 2) that can benefit from a collaborative approach.

Data Sharing
Let's get in touch

Ready to do business with the experts at INNOPAY?