The General Data Protection Regulation (GDPR) is the biggest overhaul of data privacy law in two decades. In force since 25 May 2018, it replaces the 28 divergent national implementations of the 1995 Data Protection Directive with a single regulation that applies directly in every EU member state, and it binds any company that processes the personal data of people in the EU, wherever that company is based. Together with national data protection bills and sector rules such as New York's 23 NYCRR 500, GDPR is expected to reshape consumer-facing industries, telecommunications in particular: operators will have to re-engineer business processes and governance before they can think about new revenue streams. The sector has to be especially careful because sensitive customer data (subscriber identity, location, call and traffic records) is part of its core operations, not a by-product. Given the steady rise in network breaches, telecom companies serving the EU need to restructure how they collect, store and analyse their large customer data sets to fit the GDPR regime.
GDPR: The key provisions
The European Union, the unofficial global leader in data privacy protection, adopted the General Data Protection Regulation in April 2016; it became enforceable in May 2018 and imposes strict controls on the processing of personal data of people in the EU, whatever their citizenship. In a nutshell, the GDPR covers the following areas:
- Fines of up to €20 million or 4% of global annual turnover, whichever is higher
- The principle of accountability: policies and procedures
- Information technology (IT) and cybersecurity
- Privacy impact assessments
- Privacy by design and default
- Mandatory data breach notification
- Specifics on big data and profiling
- Restrictions and requirements on exporting data outside Europe
- Right to be forgotten and erasure of data
GDPR has a wider reach than the EU data privacy law it replaces, both in territorial scope and in the kinds of data and processing it covers, and is expected to leave few, if any, data privacy "free zones" around the world.
Telecom companies need to act fast
To achieve full compliance, telecom companies should thoroughly re-examine their business support systems (BSS), operations support systems (OSS) and their data management practices. The impact of the regulation, however, will reach far beyond the OSS/BSS stack.
Appointment of DPOs
Under Article 37 of the GDPR, a Data Protection Officer (DPO) must be appointed where the core activities of a controller or processor involve regular and systematic monitoring of data subjects on a large scale, which describes virtually every telecom operator regardless of headcount. The DPO role already exists in several countries and is regarded as a best practice; post-GDPR it becomes a legal requirement, and the DPO must be able to monitor compliance independently and report to the highest level of management.
ISPs will have to ensure that they store and use customer information only on a documented lawful basis, most visibly the subscriber's explicit consent, and that the data is pseudonymised or anonymised wherever the purpose does not require it to be linkable to a single individual.
Consent, and more generally the lawful basis recorded for each data set, will determine how data is stored and processed along the entire processor supply chain. Carriers must be able to erase a subscriber's personally identifiable information (PII) on request, subject to the regulation's retention exemptions, and must provide it to the subscriber in a structured, commonly used and machine-readable format when portability is requested.
Data held for a specific legitimate purpose will need to be segregated from other data so that it is not processed for an unrelated purpose by accident. Each data set should have a clearly documented legal ground, and purposes should not be mixed; in practice this means tagging records with their purpose and legal basis and enforcing that tag at the point of access.
Rigorous testing of customer-facing applications
Telecom companies will have to be on top of their game with respect to data warehouses, business processes, reporting structures and global third-party service providers. This will drive an overall transformation of the data management processes and system architectures of major carriers. As encryption and pseudonymisation of user data become critical across enterprise systems, mobile operators should also test their customer-facing online applications extensively to reduce the risk of a data breach; a breach that has to be notified within 72 hours is no longer only a reputational problem. Strong in-house data processing controls will therefore become a key differentiator.
Implementing this range of data management processes will not be an easy feat for telcos. Extensive planning, regular data protection impact assessments and the adoption of new procedures are the only way to address it. Beyond these hurdles, telecom companies should revisit their existing strategies for cross-selling, up-selling and customer outreach, since data-driven, personalised profiling of individual customers now requires its own lawful basis and, where it produces decisions with significant effects, the data subject's explicit consent.
Case study: GDPR impact on communication service providers
Let’s assume XYZ Comm is a telecom service provider. Here’s how GDPR will impact its business ecosystem in terms of customer data, supplier impact, and investment.
- Customer Data
XYZ Comm. would have to hold its European customers' data in a form that lets it give any customer a copy of their data, in an electronic format, whenever they request it.
- Supplier Impact
XYZ Comm. needs to ensure that its BSS/OSS providers, who act as processors of its customer data, are contractually bound to and demonstrably working towards compliance with the new regulation.
- Heavy Investment
Significant investment will be needed to become GDPR compliant and so continue doing business in the EU.
- A surge in MSS business
As organizations work towards compliance, XYZ Comm. could expect a surge in sales of its Managed Security Services (MSS) business in Europe and the US.
To comply with the GDPR, telecom companies providing services in the EU need to combine top-down and bottom-up approaches in a carefully designed yet flexible compliance strategy, starting from a gap analysis of their OSS, BSS and audit trails.
Netscribes market intelligence helps companies understand the impact of regulatory changes on their business and identify the opportunities they bring. To know more about the impact of GDPR on your industry, write to us at [email protected].