Now that much of the initial flurry and panic of GDPR compliance has settled, many organizations are returning to “business as usual”, regarding GDPR as little more than a regulatory change that calls for a few more disclaimers on their website. However, organizations that view GDPR in that way may be missing out on the huge opportunities presented by the new approach to customer information, and new ways of communicating with customers about their data. Put simply, the EU deemed GDPR necessary because more and more online services, apps, and sites have been collecting and capitalizing on customer data in increasingly invasive and opaque ways, without clear and adequate disclosure. Therefore, GDPR puts rules in place that require customers to be opted out of data collection by default, and gives them the power to opt in if they choose. In practice, many websites have paid lip service to GDPR with a new set of disclaimers and pop-up windows, and don’t seem to have actually made significant changes to their data collection or monetization procedures. While we haven’t yet seen what GDPR enforcement will look like, it’s reasonable to expect that there will eventually be penalties for complying with the letter, but not the spirit, of these regulations. Educated guesses suggest that we may start seeing these enforcement actions in February of 2019.
The Challenges of GDPR
Given recent data collection scandals, it is reasonable to expect that, when confronted with a direct, explicit choice, most customers will reflexively opt out of data collection procedures. This is why many sites continue to obscure these opt-ins by burying them in fine print and behind several links, fearing that clear and explicit dialogue will impact or impair their current procedures. And so far these fears appear to be holding true, with one marketing firm telling CNBC that they have lost 80% of their email contacts. Some organizations are instead relying on “soft” opt-ins, or posing Legitimate Interest arguments to continue their legacy procedures. But soft opt-ins (such as automatically subscribing a customer to a newsletter when they purchase an online product from you) and Legitimate Interest exceptions (non-consented data procedures that are necessary for a legitimate and lawful business interest that overrides the rights and freedoms of the data subject) are unlikely to be considered GDPR compliant when challenged.
The Opportunities of GDPR
The best way to move forward in a post-GDPR world is to instead embrace the spirit of openness and disclosure, and use it as a chance to engage more deeply with your customer. If you haven’t already, reconsider the specific data points you are capturing, and consider how those data points augment the customer experience. For example:
Instead of “this app requires your location”, consider what customer-centered services location data enables. Communicate openly, with dialogue like “Access to your location information would enable this app to provide location-specific search results or reminders. Would you like that?”
Instead of “Subscribe to our email list to stay up to date”, consider whether you should create multiple lists for multiple segments. Ask questions like “Would you like to get email notifications of sales and discounts?” You could even offer customers different frequencies of email subscriptions; perhaps they want to hear from you monthly instead of weekly.
Instead of “May we use your demographic data for marketing purposes?”, consider specifically what data you are collecting and for what purpose. Consider language like “Would you like to be notified of events for singles in your area/do you want to see what products other women enjoy/may we suggest services for people in your age group?”.
Rethinking how you communicate with customers about their data not only invites them to actively participate in your marketing efforts and gains clear and explicit compliance with GDPR, but also builds priceless brand trust and credibility. GDPR may be a threat that challenges your existing way of doing business, or it may be a whole new way to build stronger and more meaningful customer relationships. The choice is up to you.
Lincoln’s Approach to GDPR
At Lincoln Recruitment, we’re happy to say our services were fully GDPR compliant by March 2018. This marked the end of a journey more than a year in the making. From the beginning, we made sure that everyone at each and every level of Lincoln was aware of the importance of GDPR and the resources and time we’d have to dedicate to make sure we would be fully compliant. We came away with a cross-functional team of people from multiple functions, including IT, legal, and marketing. In our offices in Dublin and Birmingham, we put into place a full on-the-ground effort to make every provision of GDPR a cornerstone of our business wherever possible, evaluating all of our data flows and databases. Strangely enough, this wasn’t as difficult in practice as originally expected.
Customer trust is at the heart of everything we do at Lincoln and is an essential part of our core values. Every day, our clients and candidates trust us to be guardians of their data and, with a team of more than 30 consultants, we have worked hard to ensure our staff are fully up to speed on each and every one of the facets of this important regulation. This put us in a good position with regard to GDPR. Operationally, there hasn’t been much we’ve had to change. Instead, most of our efforts have centred around accountability and transparency across all touch points and building out data flow processes, reporting, and documentation that shows exactly where everything is, how it’s being used, and who has access to it.
Moving forward, I will serve as Lincoln Recruitment’s Data Protection Officer, making it my responsibility to ensure compliance with GDPR in all of our work. Together, we will work with our Information Security Officer and a cross-functional team to continuously test our systems, processes, and reporting standards.
In our mission to bring clients and candidates together, we’ve always believed trust and transparency are the most important metrics of success and ones that both clients and candidates should consider in their selection of a recruitment consultancy, always. When it comes to building trust, security and privacy are critically important. At Lincoln Recruitment, this informs everything we do. In many ways, GDPR puts into law something which we, at Lincoln, have always believed: your information should be your own and you should always be in charge of how and when it is used. From giving the individual more protection of their data rights to promoting a more harmonised privacy landscape, GDPR is a critical step forward and one that Lincoln Recruitment welcomes wholeheartedly.
If you have any questions about Lincoln Recruitment’s compliance with GDPR, please visit our privacy centre.