Tuesday, July 03, 2018

If you thought GDPR was bad – Just wait for ePrivacy Regulation

While GDPR (in force since May 25, 2018) has pushed many non-EU companies into a proactive position on data protection, there is an even more challenging regulation waiting in the wings -- the ePrivacy Regulation, or ePR for short.

According to Information Management, "It is intended to provide a single digital data privacy framework under which all companies doing [any] business with EU residents [including a single customer online] must conform, and the penalties are similar to those enforced under the GDPR."

This covers communications data, metadata, telecommunications, online advertising, and the Internet of Things. As Lisa Loftis notes in the Information Management article, "Another question concerns how to manage the specific consent requirements in today’s high-volume, real-time analytic environments needed for customer experience initiatives. And the big elephant in the room - a significant change to the many on-line businesses that rely on advertisers to provide free services (social media, paid search, etc.)....It is unclear where ePR will land in terms of what types of IoT data will eventually be covered, what consent will be needed and what processing can occur. This is an area of significant concern, and many industries are weighing in and watching closely."

For the entire article see http://bit.ly/2KvQswX

Tuesday, February 27, 2018

Systems Selection and Implementation Timeframe

If you have outgrown your current order management and fulfillment system and/or you are planning to implement a new eCommerce platform, you typically need at least 17 months to undertake this process.

Month 1 — Most companies, no matter how small, don’t wake up one day and suddenly decide to start looking for a major new enterprise system. There are as many scenarios as there are multi-channel merchants. But essentially, one or more managers will share their frustration with the current systems they are using, and jointly come to the conclusion that the company should at least explore what’s available, what the costs of a new system are likely to be, and what the likely ROI is, based on some assumptions about improved efficiencies, better marketing tools, more flexible fulfillment, more dynamic customer database management, and so on. Included in this pre-project month is some initial consideration of who should be involved on a “Project Team” to shepherd the systems project through to completion. (Don’t forget, the team members already have “full-time” jobs!)

Needs Analysis
Month 2 — You should allow one month for a thorough Needs Analysis. The actual work will take less than a full person-month, but the Project Team will need to schedule half-day meetings with representatives from each major department: the call center, customer service, inventory management, fulfillment, purchasing, accounting, marketing, merchandising, and other relevant entities (like the Board of Directors). The notes from these meetings will need to be shared, revised, shared again, and finalized. While this can be done much more quickly than a month, if you are undertaking this project entirely on your own in-house, a month is a realistic period of time.

This is partly because you don’t know starting out what ground you will have to cover. You may want to consider a battery of optimized solutions for:

  • order entry/customer service
  • eCommerce/mCommerce/fCommerce
  • affiliate management
  • shopping site feeds/integration
  • payment processing
  • demand forecasting
  • purchasing/procurement
  • inventory management
  • item personalization
  • fulfillment
  • back-order management
  • drop-shipping
  • customer database analysis
  • Producing a Request for Proposal (RFP)

Request for Proposal
Month 3 — Once you have sign-offs on all the requirements you have determined from all of the managers or departments involved, you will need to produce a formal, written Request for Proposal (RFP) that defines in detail what you would like the new system(s) to be able to do (see the Services page in this Website). Again, this is something that can be done in a couple of weeks, but most companies don’t do RFPs very often, so allowing a month for this is realistic. This includes getting input from everyone who participated in the Needs Analysis, making revisions, and finalizing the document.

Vendor Identification
Month 4 — Once you know what type of system or systems you are looking for, you can undertake a thorough search for vendors who are likely to have solutions that will address or meet your needs and requirements. Please contact us at ernie@schell.com if you need help finding the types of software vendors you are looking for. (This assumes you are not going to program the system yourself in-house, which is a two- to three-year project — minimum!) Five to ten candidates for each type of system is a good number (more than that and you are just “fishing”).

RFP to Vendors
Month 5 — You should give the vendors/solution providers a month to submit a formal proposal based on your RFP.

Evaluate Proposals
Months 6-7 — You will need a month to evaluate vendor proposals, check on references, eliminate the clearly unqualified candidates, and get Web demos from the vendors on your “short list.” That will take a full month, at least. After the Web demos, you should develop a final list of just two or three of the best qualified candidate vendors, and have them come on site for day-long demos and discussions. Allow a month for this, as well.

Contract Negotiations
Month 8 — Once you have selected the vendor(s) you will be working with, allow at least a month (and December is a “short” month, with the last week basically written off…) for contract negotiations. This is something that your CFO and your legal team will be working on along with your CEO and maybe your COO. Give the lawyers at least two weeks to finalize everything (and the vendors’ lawyers may need at least that much time, if not more).

System Implementation
Months 9 – 14 — You need to allow AT LEAST six months for this phase. I’ve seen it take 9 – 12 months or even 18 months, so this is definitely the minimum time required to do data conversion, make any necessary modifications in the systems you will be implementing, and set up the configuration you need to support your business.

Month 15 — Once everything is set to “go,” you need to spend at least a month in very rigorous testing to find any bugs or problems with the new system(s) you will be moving to in the near future. The testing should be done using detailed business case scenario scripts, which you can produce during the implementation phase.

Month 16 — Allow a month to have the vendor(s) debug and correct problems that you discover during the testing phase. There can be dozens, if not hundreds, of such issues, and your Project Manager needs to monitor the correction of each one of them.

This is also the time when you will do your training of everyone who will be using the new system. Some of this training will take place at your site, and typically some of it will take place at the vendor’s site, depending on the type of user and the type of training (even if you use a “train the trainers” approach).

Go Live!
Month 17 — One word of advice: Schedule it for mid-week, so users have a chance for last-minute training to become better adept at using the new system(s).

And there you have it! Marketing Systems Analysis would be happy to work with you on any or all of these phases (probably saving you a lot of time and trial-and-error in the process). Specifically, turn to us for:

  • a systems audit and evaluation of resources currently in place
  • strategic planning for improving your presence in each sales channel
  • assisting in the Needs Analysis and producing the RFP (we’ve done over 240 of them!)
  • streamlining order management
  • warehouse facilities and fulfillment assessment
  • optimizing of inventory management practices
  • user training evaluation and refresher training
  • on-site and consultative optimization of all operations and systems for order management, inventory management, eCommerce, and mCommerce

Short-Term… or Long-Term
We are available for a short-term or long-term commitment to help you specify, select, and implement new multi-channel solutions. We also believe “if it ain’t broke, don’t fix it!” We will help you identify what you are doing right as well as what needs fine-tuning and what could benefit from a more comprehensive overhaul. But don’t delay – the biggest mistake you can make is complacency, followed by procrastination (or denial).

Tuesday, January 23, 2018

Are you compliant with the General Data Protection Regulation (GDPR) Requirements?

European businesses have been aware for some time that beginning in May 2018 they must be compliant with the General Data Protection Regulation, which protects customer data when it is handled by those who collect it ("Controllers") and by the "Processors" who manipulate that data on behalf of Controllers.

Surveys reveal, however, that only 25 percent of U.S. companies believe the regulation applies to them. That misconception could cost them up to four percent of global revenues or €20 million (approximately $24.5 million), whichever is greater.

To drive home the point: if you have ANY customers who reside in or have their businesses located in the European Union, you are obligated to be compliant with the GDPR. There is no threshold for this, such as more than one percent or five percent or ten percent of your customers residing in the EU. Technically, if even one customer resides there, or you process credit card data there, the GDPR applies to you.

If businesses collect or process any personal data of EU residents, they have to follow strict rules such as reporting any data breaches within 72 hours of occurrence, getting consent from customers before collecting personal data, and offering customers the ability to request all of their records be deleted.

And here's an important wrinkle -- the GDPR applies to EU citizens even if they are not residing in the EU. That means eCommerce platforms will have to ask each new customer if they are EU citizens, and will have to include those who have become EU citizens after they were already part of your customer base.

One of the key components of GDPR is the way it governs data breaches, giving companies just 72 hours to notify users if their personal data has been compromised.

An article in Information Week summarizes what action to take to establish compliance. In brief, these are:

1. Determine if you’re a controller or a processor.
2. Audit your data to make sure you get a "single view" of each customer (because you may have customer data stored in more than one place).
3. You will need to appoint a representative for your company who is established in your EU supervisory country. This person is the point of contact for all communications with the GDPR supervisory body. 
4. "If required, appoint a Data Protection Officer. Not all organizations need one, but given the vastness of the compliance requirements, it may be wise to have one. Make sure this person has the expertise you need."
5. "Data subjects will need to check a box (or its equivalent) for every single use-case you have for their data. This includes profiling and big data purposes. They need to be able to select those they agree with and decline those they don’t, and you need to be able to comply and track their preferences in your systems."
6. Audit third-party providers to make sure they are compliant in their service-level agreements. 
7. "Consider where your data centers should be. Some companies are moving data centers to the EU to comply; some cloud-based database providers are able to easily discern and segregate EU data for you."

And if you won’t be 100-percent ready by May? Be sure to document all actions taken to build and implement your GDPR compliance framework. This will help provide evidence of your strategy and good faith for the regulators. GDPR is not demanding perfect privacy and security. According to Daniele Catteddu in another Information Week article, it’s asking for a risk-based approach to privacy.

Here's another Information Week article that provides a slightly different perspective.

Finally, says Ed Addario in yet another Information Week article, "Because of the complex system upgrades and internal process changes required for GDPR compliance, it’s safe to say that the shift will feel like a burden for IT, legal and HR teams at first. However, I see GDPR as a dose of tough love for organizations both inside and outside the EU. It serves as a forcing function for companies to modernize their data management systems, while improving how they communicate with, and relate to, their customers."

P.S. As Julie Hunt of  observes, "Third parties are extensive: payroll, marketing/digital agencies, anything SaaS, website/eCommerce management services, and so on. One phrase sticks with me: even though organizations may be controllers or processors, it's best that every org approach compliance as a data controller."

And - "US orgs are better served if they simply adopt GDPR as the 'gold standard' instead of fooling themselves into trying to manage data piecemeal, based on different regional regs. Way less mess & wasted time."
