Enough with the doom and gloom about GDPR compliance. Let’s explore how this change represents a chance to enrich customer relationships and brand loyalty.
You probably know someone who has lost sleep over the compliance gauntlet that is the EU’s upcoming General Data Protection Regulation (GDPR). Maybe you have lost some sleep yourself.
Yes, the fines are steep. Yes, there’s not much time left before their enforcement begins on May 25th.
And, oh yes, there’s an opportunity for competitive advantage in there.
How? In the process of complying with the GDPR, subject organizations (i.e. most likely your employer) have the chance to meet and surpass their customers’ rising expectations.
Meet your new leverage points: your customers’ rising expectations
Passwords are on the way out. You know the reasons why. The sooner you move away from using them in your customers’ authentication process, the better.
Customers want an authentication experience as easy and flexible as the rest of their brand interactions. If they can order coffee on their Starbucks app or deposit a check remotely on their bank's app, the thinking goes, why can’t their device be used to authenticate them?
Finally, your customers expect you to protect their data from breaches and fraud. Not only is it the right thing to do, it’s an expectation that is being formally recognized and imposed by governments around the world.
Cue the GDPR. Among the regulation’s many requirements, subject organizations will have to minimize the amount of personal data they collect, and should "pseudonymize" that data so that if (or when) it’s breached, the data is still protected.
I used the phrase "opportunity for competitive advantage" earlier. Let’s explore how innovative brands can leverage the above circumstances for their benefit.
How innovative brands are seizing the advantage
If passwords are out, what’s in? Biometrics? Bluetooth proximity? PIN or circle codes? Only one group can answer this question definitively: your customers. It’s their data. So, allow them to choose the authentication method they’re most comfortable using.
This delivers several big benefits for companies serving many demographics. First, they can add authentication methods as those methods gain acceptance in the market. Second, leaving the choice to consumers helps adoption. Finally, this approach can be layered on top of existing infrastructure. Brands can achieve a much higher level of assurance—and support their compliance efforts—without having to rip and replace their existing systems.
Now, you might be wondering, “How do you deliver on consumers’ desire for ease and flexibility across all channels?”
First step: keep authentication in your application with a lightweight white-label SDK. Don’t send users out of band to a third-party authenticator. You and your customers will appreciate the continuity.
This approach allows you to maintain consistency in the user’s experience, preserve brand equity, and consolidate the number of authentication systems your InfoSec team has to maintain.
Finally, let’s tackle customers’ expectations that brands protect their personal data, a core tenet of the GDPR (and the PSD2, and the 23 NYCRR 500). Authentication credentials are one of the most attractive targets for attackers. Compromise those, and you can take over users’ accounts and wreak all sorts of havoc.
To date, the headlines have been full of examples of organizations that have stored sensitive data in one centralized—usually unencrypted—location. Attackers have only needed to breach this single point to gain access to the entire credential store.
On May 25th, the consequences of such a breach will expand beyond damage to consumer trust and brand reputation to include those sleep-sapping fines mentioned earlier.
Cue local credential storage. By storing credentials locally on the user’s device, you significantly reduce your attack surface. To gain access to every user’s credentials, those same attackers must now locate and breach every individual user separately. Bonus: this helps protect the rights of individuals, and it shields your business from the possible repercussions of a data breach.
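To make the point concrete, here is an added example of what "credentials stay on the device" looks like in practice. It is not code from the original post or from any vendor SDK; it uses only the Go standard library’s Ed25519. The names (Device, Server, Enroll, Challenge, Respond, Verify) and the in-memory map are assumptions made for illustration. The device generates a key pair at enrollment and keeps the private key; the server stores only the public key and checks a signature over a fresh random challenge. A dump of the server’s store therefore contains nothing an attacker can present as a login.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device stands in for the user's phone. It generates and keeps the private
// key; nothing here ever sends that key to the server. (Constructed for this
// example, not a real SDK.)
type Device struct {
	priv ed25519.PrivateKey
}

// Server holds only public keys, keyed by user ID. This is the "credential
// store": a dump of it gives an attacker nothing they can present as a login.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
}

// NewServer creates an empty public-key registry.
func NewServer() *Server {
	return &Server{pubKeys: make(map[string]ed25519.PublicKey)}
}

// Enroll runs once per user: the key pair is born on the device and only the
// public half is registered server-side.
func Enroll(s *Server, user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &Device{priv: priv}, nil
}

// Challenge issues a fresh 32-byte random nonce for one login attempt, so a
// signature captured in transit cannot be replayed against a later challenge.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Respond is where the device would first verify the user locally (PIN,
// biometric, ...) and then prove possession of the private key by signing
// the server's nonce. Only the signature leaves the device.
func (d *Device) Respond(nonce []byte) []byte {
	return ed25519.Sign(d.priv, nonce)
}

// Verify checks the signature against the stored public key for that user.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// StoredCredential returns what the server actually persists for a user,
// to make the breach impact visible: a hex-encoded public key, nothing secret.
func (s *Server) StoredCredential(user string) string {
	return hex.EncodeToString(s.pubKeys[user])
}

func main() {
	srv := NewServer()
	dev, err := Enroll(srv, "alice")
	if err != nil {
		panic(err)
	}
	nonce, err := srv.Challenge()
	if err != nil {
		panic(err)
	}
	fmt.Println("login ok:", srv.Verify("alice", nonce, dev.Respond(nonce)) == nil)
	fmt.Println("server-side record for alice:", srv.StoredCredential("alice"))
}
```

The design choice worth noticing is that the server never holds anything it could leak as a reusable secret: a stolen public key cannot sign, and a stolen signature is bound to a nonce that is never issued twice. This is the same shape as the FIDO-style device authenticators the post alludes to, reduced to the cryptographic core.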
Curious about the details? Download our free eBook “Multi-factor Authentication for Dummies”.
From compliance nightmare to customer experience strategy
GDPR has brought about an inflection point in the way organizations engage with their customers. It’s causing the traditional boundaries between security and customer experience to blur. For many of those who work in organizations subject to the GDPR, this change represents a paradigm shift.
It’s no less of an inconvenience for those who work at innovative brands. But already they’re working on meeting their customers’ rising expectations while meeting their compliance obligations.
They’re probably sleeping better, too.