Esther Labrie is language specialist and DQ content manager at Quadient. Joining the company in 2010, Esther specialised in upcoming themes in online marketing like e-commerce, multi-channel and Big Data. Esther creates content for the DQ market and focusses on building a bridge between online marketing and customer centric selling. She enjoys music and literature and likes to spend time with friends and family.
Quadient receives and answers a lot of questions about the GDPR that other vendors aren’t always able to answer. “What is an end-to-end solution for GDPR, and does my organization really need it?” is the most frequently asked question. This blog will answer that question for you. In order to do so, we’ll start by taking a look at one of the most important consumer rights: to know which personal data has been stored.
Subject Access Request
Probably the most fundamental right that the GDPR established is that a consumer is entitled to know what personal data has been stored. They can find this information by submitting what the GDPR calls a Subject Access Request (SAR). Upon receipt, you are obligated to tell them what data pertaining to them has been stored in your systems. From the customer’s perspective, an SAR seems simple. They submit the request via your website, for instance, and they’re done. On your end, however, many things need to happen. First you check whether they are a valid customer and then you set about gathering all the data from your disparate system. If you don't have a single view of your customer's data those activities take time (and money) and involve many parts of your organization. And if you do it manually, how will the request be managed and tracked? What procedures are in place to avoid phishing? It's all about policies and procedures, which should be streamlined in order not to overburden your organization when the SARs come pouring in.
SARs have to be answered within thirty days. Without Golden Records, it could take you days just to collect all the data from your storage systems, check it and generate a report. If you only have one request that’s not a problem, but ten requests a month will make it a burdensome job, particularly for IT who will need to answer questions like: What data do we have? Where is it stored? What should be kept and for how long? Can change events be automated?
How does it work?
The way this plays out if you’re using Quadient’s GDPR solution is that the customer, we’ll call him Frank, makes a request. He fills in a form on your website with his details; birthday, address, email. As soon as he clicks submit, the request is sent to our solution, which immediately sends a notification that the request has been received. “Dear Frank, thank you for your request. We will respond within thirty days.” Frank knows you’ve received his request and will take care of it. He is having a positive customer experience.
Internally, within the solution, Frank’s request has generated a ticket. A data privacy employee or compliance officer may supervise the request and handle it manually, but our solution makes the process automatic. Frank is found as a unique customer in two source systems, so the data from the two source systems is collected. We then deliver the data to the CCM part of our GDPR solution to fill in the answer that needs to be sent. Within one or two minutes, Frank has a response to his Subject Access Request.
Along with Frank’s specific information, the GDPR requires you to provide a lot of information in response to an SAR: your company details, legal information, how to request rectification and deletion, data controller rights, contact details, etc. Our solution not only allows you to create a template to combine all the information, but it works across all the different channels.
You may want an optional approval process, perhaps there is a compliance analyst who checks the report generated by the solution. If they think something needs to be changed, they can edit the report, store it, and then send it to a reviewer or supervisor. The data privacy officer can then check the response as well and once approved, send it on to the consumer. When you involve all the stakeholders in the process, you eliminate risk and ensure compliance.
With Quadient, you have clarity as to where and what personal data exists because it has been consolidated from disparate systems into a single customer view. We provide a standardized, simplified, and automated process. You can build an entirely automatic approval process or insert manual intervention to answer SARs in a timely and comprehensive fashion, and report on the activity to interested parties. And we make sure that communication to consumers is automated for all channels, based on a single template. With our end-to-end solution you will satisfy the requirements of the GDPR and improve the customer experience as well.
Do you want to learn more about GDPR compliance in relation to data management and customer communication management? Grab your copy of this free white paper here: “GDPR: Where there’s risk, there’s reward”.