Tough data protection laws and their regulatory frameworks are fast coming online and businesses must gear up for new rules and regulations.
The trend started across the Atlantic with the European Union’s vigorous privacy lawOpens a new window which went into effect in 2018 and covers every business operating on the continent.
Next, California adopted a data privacy lawOpens a new window that’s not as strict as the European version but requires firms based in the Golden State to protect some personal information of consumers.
And now every news story that publicizes a data breach adds to the push to safeguard the data from outlaws in basement computer rooms and overseas spy mills.
The cost of compliance is treated differently from business to business, but the costs of noncompliance can be stiff. Many firms are investing in expansions of their customer relationship management systems in an effort to stay abreast of the law.
A specific cost for firms operating in Europe was created by the request-to-be-forgotten provision in the European law, formally known as the General Data Protection Regulation, or GDPR.
While many American firms are not subject to the European law, a few are and are adapting to itOpens a new window . Any future legislation is likely to take some of its inspiration from the European law.
Telling systems: ‘forget’ data
CRM platforms of multinationals doing business in Europe will be asked to process requests by individuals or businesses anxious to be struck from their databases, placing stress on systems that weren’t designed to meet those requirements.
Established CRM systems have been built around specific requirements such as processing orders or tracking shipments. These are the traditional, functional building blocks that have supported CRM development.
Data removal requests go against the grain for many software platforms that were designed to travel in the other direction, to add data.
At present, US companies are sailing toward a CRM iceberg in the form of data privacy: California may be leading the way, but other states are likely to follow suitOpens a new window .
At some point, federal data protection legislation is expected to enter the pipeline but its forms and powers are not yet clear.
Firms asked to remove customer data will first have to ascertain where that data is stored. Many lodge the data not just in their core CRM system but also across numerous ancillary platforms.
Each removal request could become a costly affair, but companies will have to perform to these requests or face fines or legal fees in court fights to avoid them.
One option so far has been to require customers to opt in or opt out of various automated communications. The requests are becoming more complex and cumbersome for customers to complete.
They also run the risk of hamstringing marketing campaigns, because end customers will heavily restrict the communications from marketers.
Start preparing
American companies need to start thinking about this problem now. It will require input from all departments that process customer data and a review of existing CRM technology and its capabilities.
Collection of consent data and responses to data removal requests should be designed and implemented as if they were their own marketing campaign.
While your firm may not feel the need to implement such a strategy now or in the short-term future, it will pay to begin consideration now — and that preparation will save considerable time and money when needed.
Key takeaways:
- More data protection legislation is almost a certainty in the United States, at both a state and federal level.
- Your company needs to review how core CRM and other connected systems within your business process private individuals’ data and how swiftly you can respond should they ask for it to be deleted.
- The cost of compliance with new data protection legislation – when it arrives – could be considerable if you’re using a CRM system not designed to ease processing data removal tasks.
- It is worth treating such requests as a standalone marketing campaign, one that works in reverse — and drawing up an action plan before your company faces data protection requirements.