The General Data Protection Regulation (GDPR) will go into enforcement on May 25, 2018. At Epsilon, May 25th is not the end date of compliance efforts, it is simply one marker in our overall compliance work. Data protection in general remains at the forefront of Epsilon’s operations.
The five major pieces Epsilon is implementing to ensure privacy and security remain key areas of focus are:
1) Privacy Steward Role. Each of Epsilon’s customized solutions and major platforms, such as Agility Harmony and Agility Loyalty, will have a Privacy Steward. Each individual is tasked with highlighting changes to the platform or individual client accounts that could be impacted by GDPR. For instance, if a new contractor is hired to analyze or support a brand client’s personal data, the Privacy Steward would be involved not only in selection of the vendor but also ensuring privacy-related protocol is followed throughout the contractual obligation. They are also charged with ensuring that vendors go through our existing due diligence process.
Through specialized trainings for Privacy Stewards, these individuals can spot any potential compliance issues and flag it with the GDPR team for further review of privacy, legal or security issues.
2) Annual data inventory/data mapping review. Epsilon will conduct a review of data inventory and maps on a yearly basis with the technology, business, security and privacy teams to ensure GDPR compliance.
3) Privacy and Security by Design. The privacy and security teams will continue to be brought into initial discussions and reviews of new products and services (before their launch) to ensure GDPR compliance. The Chief Privacy Officer will continue to sit in on major discussions on service changes or updates.
4) Continuing to innovate and integrate. Epsilon will continue to review and enhance its compliance program, with a goal of having privacy and security considerations weaved into every part of the business. This may mean creating innovative ways to be more transparent with its data collection and use. Deep knowledge of GDPR requirements and processes in all parts the organization will provide a more seamless, simplified approach to client operations.
5) Global informational roadshow. The GDPR cross-functional team will also be rolling out an internal roadshow across the United States and Europe starting in late May 2018. This series will ensure associates in all functions – from client services to solution architects to project delivery – understand Epsilon’s responsibilities under GDPR and have the proper tools, contacts and information regarding privacy and security considerations going forward. While GDPR has understandably resulted in some disruption for current clients due to new requirements, Epsilon wants to be prepared and knowledgeable for future clients, ensuring as little inconsistency as possible. The roadshow will allow internal associates to ask questions, understand how to speak to consumers and clients about GDPR and ingrain the correct processes through every part of operations.
Data protection principles are one of the most important pieces of Epsilon’s business. Epsilon’s business teams, engineers and associates will all play a part in compliance, recognizing that data protection and security is a collective responsibility. By ensuring that GDPR requirements are operationalized, there will be a consistent approach and response for clients and consumers going forward.