
GDPR and SARs: Much Ado About Something

October 01, 2018
By Special Guest
David Jones, Director of Product Marketing at Nuxeo

The General Data Protection Regulation (GDPR) finally went into effect on May 25, and its compliance requirements have already triggered numerous incidents with companies including Facebook and Google. The headlines from these enforcement actions suggest that corporate legal liability lawsuits running into the billions will start to become common practice now that GDPR is live.

The immediacy of this impact made me realize -- this isn’t another Y2K fizzle, where the long-awaited computer bug caused barely a hiccup. The GDPR crackdown is real, and the grace period for non-compliance has passed. As a marketer, if you are not already paying attention to GDPR compliance, it’s time to buckle down and get serious.

The challenge is, many marketers have only now realized an important truth about GDPR: even though it’s an EU regulation, the law applies to any organization collecting, processing, or holding the personal data of EU residents, regardless of the company’s location. This reality is problematic for any marketers that simply read up on the new rules, casually pondered what they might mean for direct marketing practices, and reviewed general customer data security. If you’re in this group, I’m guessing you don’t understand or know much about Subject Access Requests (SARs). If that’s the case, then you need to re-prioritize and start thinking about your strategy for processing SARs.

What is a SAR?
SARs are an under-examined aspect of the GDPR – and a huge potential blind spot. Under the new rules, EU citizens can request that your company produce any and all personal information that it holds on them – along with details on how, and from where, you obtained that personal information. 

SARs are now (with only a few exceptions) free of charge, which lowers the barrier for customer requests. What’s more, when your organization receives a SAR, you must respond quickly: within 30 days, to be exact.

When it comes to complying with SARs, one of the biggest challenges marketers will likely face is that customer information is often spread across numerous different cloud services, business systems, and internal content repositories. Recent research indicates that the modern enterprise is now using an average of 91 marketing cloud services and applications.

SARs will require you to reliably find and aggregate an individual’s data from across every platform, application, system, and repository. You’ll need to search email, social media, databases, and any software used that includes customer data to ensure nothing falls through the net. This could create a bit of a frenzy, given that few (if any) of these systems are truly linked and interoperable. In fact, a recent survey found 79 percent of employees are having issues connecting information from different systems. If a tidal wave of SARs should hit, it might be more than most marketers bargained for.

The Work-Around 
In order to deal with GDPR and SARs, marketers may be well served to add another layer on top of their marketing stack. The question is, which technologies make sense to invest in and why?

Many companies claim to sell GDPR solutions. The reality is, however, that no silver bullet exists to ensure compliance. But when it comes to complying with SARs, investing in a Content Services Platform (CSP) could serve as a major advantage. CSPs not only help control access to customer data, they also ensure all personally identifiable information (PII) is visible and systematically manageable. You hear all about the various data security services that companies can use to screen for hackers and breaches. But it takes more than just notification tools to comply with SARs. So, if that’s all you’re focused on, then you’re missing the boat.

They haven’t been talked about much yet, but SARs will no doubt usher in a new era of information management in which CSPs will play an increasingly important role. Modern CSPs allow organizations to integrate with multiple legacy applications (and other core business solutions) – serving as a central information hub that provides fast access to all customer information in an app or network of systems, regardless of type or where it is stored.

Some say the panic over GDPR is overblown. But immediately after the law’s introduction, dozens of companies faced scrutiny, with potential lawsuits and large fines on the horizon. Others saw a dramatic spike in requests for how their data is collected and processed. And we’ve all been flooded with emails about privacy updates and opt-in requests. GDPR is no joke, but it’s also no reason to panic – especially knowing there are solutions available that can ease the pain. So as you map out your plans for GDPR, avoid the perils of SARs and make content management a priority in your strategy.

About the author: Jones is an established thought leader and speaker within the information management space and can regularly be seen and heard at related events, webinars and forums globally. He is Director of Product Marketing at Nuxeo, a leader in modern enterprise content services platform solutions. He is responsible for driving forward all aspects of marketing the Nuxeo content services platform globally.

Edited by Ken Briodagh