Are subscription businesses ready for GDPR?

Are subscription businesses ready for GDPR?
The General Data Protection Regulation (GDPR), which aims to strengthen data protection and harmonise data regulations in the European Union, will have a significant impact on subscription-based businesses. But are these businesses primed for this milestone regulatory change? Shashank Venkat explores

The European Union’s General Data Protection Regulation (GDPR)  which comes into effect May 2018 onwards will fundamentally alter the way business is done in Europe and beyond. GDPR aims to strengthen the data protection laws in the region, replacing the age-old Data Protection Directive. However, this regulation presents significant challenges for subscription-based businesses which deal with large amounts of user data, some of which may even fall under the red zone of Personally Identifiable Information. Needless to say, subscription businesses that operate in Europe or have customers in the region need to start taking concrete steps towards GDPR compliance right now.

While many subscription-based businesses have put in place some privacy procedures over the years, GDPR mandates compliance with much stricter data protection legislation and threatens to pose hefty fines on violators. In fact, breach of these regulations may attract penalties of up to €20 million or 4% of total worldwide turnover! This will put a tremendous amount of pressure on subscription businesses to stay compliant.

The key tenets of GDPR include privacy by design and default, data portability, data anonymisation, opt-in consent, right to be forgotten and notifications for data breaches, among other provisions. For subscription businesses, this will require a significant overhaul of operational processes to ensure compliance.

Unfortunately, many businesses worldwide have still not drawn up a concrete plan to comply with GDPR. Small and medium-sized enterprises are especially facing the heat in the wake of GDPR, and businesses are still unsure about the amount of work required to become GDPR compliant. However, companies will have to shed their hitherto casual approach towards privacy compliance if they are to escape the fines and liabilities when GDPR kicks in next year.

So, what should subscription businesses do for GDPR compliance? Well, the first thing to understand is that GDPR applies to any business that has subscribers in the EU and collects data from them. So, even subscription giants such as Netflix and Amazon will have to take steps to comply with this regulation. Secondly, subscription businesses need to map out the personal data being used by them. Many of these businesses have likely not paid too much detail and have stored subscriber data simply because there was no reason to delete it. It will be a good time to revisit these data sets and delete personal data for which there is no legal basis for storage.

Subscription businesses which are essentially data controllers will need to be more transparent about the data usage, and gain explicit opt-in consent from subscribers for use of personal data. In addition, businesses with subscription business models will also need to figure out whether they need to appoint a data protection officer. Any business that deals with regular and systematic monitoring of data subjects on a large scale will need to appoint a Data Protection Officer (DPO). The DPO may be someone from the staff or outside. The requirement of a DPO remains a highly debated subject among businesses. Since most subscription businesses use behavioural profiling of their data subjects, chances are that these businesses will need to designate a DPO.

Since privacy by design is a key provision of the GDPR, organisations will also have to invest in flexible architectures and subscription billing technologies that allow these provisions to fit in easily. Most subscription businesses rely on SaaS solutions, so not only do they need to ensure their systems are compliant, but that all their suppliers are too, particularly those based outside the EU who may not be switched on to the challenges of GDPR. Furthermore, companies will need to build robust incident response capabilities to ensure that they are able to notify data breaches within the stipulated time.

GDPR is a great leap towards digital transformation for subscription businesses. While the legislation may seem pro-customer and anti-business on the face of it, it will actually enhance the reputation of subscription businesses and increase the customer lifetime value as it calls for greater transparency. Clearly, subscription players who take action towards GDPR compliance now will be in a better position to leverage the opportunities offered by the growth and evolution of the subscription market.