We are beginning to get a clearer picture of what the Regulators will expect from a compliance point of view, but modelling how that will impact current commercial arrangements is also vital for long-term forecasting.
Conducting a GDPR Impact Assessment helps to discover the organisation’s readiness – identifying and prioritising specific data issues and the risks involved for the organisation, so that they may be tackled in a logical and effective manner. This involves working with people within the organisation, with partner organisations and with the departments affected to identify compliance risks and revenue impacts. Once the risks the Regulation poses for the organisation are defined, an action plan with priorities can be developed to future-proof processing and protect revenue.
Current commercial models may be challenged by GDPR requirements, opening the business to increased costs and potential liability in the future. These could include:
• Consent is difficult to obtain and a significant proportion of previously collected data may be unusable
• The “balance of interests” may be an alternative to justify processing but is subject to interpretation by the ICO and other European Regulators
• Prospect data may increase in price and significantly reduce in availability
• There could be additional costs to the business in ensuring data governance, fulfilling customer rights, record keeping and system development to evidence compliance
• The use of profiling will be restricted
The GDPR will change the game for all Controllers when it comes to customer acquisition and marketing efficiency. Mitigating actions to protect metrics like Cost per Acquisition and Return on Investment need to be planned now.
Opt-4 has been conducting GDPR Impact Assessments since 2012. If you would like to hear more about how we can help prepare your organisation for the GDPR, contact us at E: firstname.lastname@example.org T: 0208 434 3596
Copyright Opt-4 / Data Protection Network
The information provided and the opinions expressed in this article represent the views of Opt-4 Ltd and/or the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures.