Could you give me an overview of Pega’s compliance journey?
It’s an interesting question. One of the things that we learned early on was that there was a bit of a misconception regarding the GDPR. Ultimately, we discovered that it impacts most of our customer base. The GDPR legislation comes out of the EU and its governing body, but it impacts any company, anywhere in the world, that touches an EU resident’s data. If you’re any large enterprise or multinational you will most likely have data belonging to an EU resident – so you are impacted.
Once Pega realised this, was there a concern from the board regarding the GDPR – was it treated as a high priority issue?
Pega took it very seriously, and we are compliant as a company in the way we do business, and the way we treat customer data. But what we focused on in the greater market sphere, in addition to that, was: is there a role we can play in other businesses’ compliance journey, with the types of technology that we bring to bear? We discovered early on that all the things we’ve been building over the last few years happen to be perfectly suited to help businesses achieve compliance.
The GDPR is interesting. One of the things we discovered is that most businesses tend to have very different interpretations of what compliance actually means for the GDPR and its articles. On top of that, organisations’ IT systems, ecosystems and types of database are all different. What became evident is, it’s not whether you have an out-of-the-box solution, because all the interpretations of what it means to comply are different, and it’s not whether you have a single system, because many of the companies around the world have pieces of it already in place, but nothing in the centre to orchestrate it. So, we discovered it’s not whether you have a system, but a system to manage the systems. And that’s exactly what we have at Pega with our technology for a concept that’s called ‘dynamic case management’.
Obviously you have lots of clients who process EU citizen data. Is there an issue if these companies struggle with achieving compliance?
The short answer is not exactly. The reason is that software itself can’t be compliant, it’s the business that has to comply. There are slight exceptions with businesses that are processors of customer data, such as in a cloud environment. But, the software applications themselves – it’s more that the business has to figure out how to comply with their use of data across the software applications they own.
What it means to comply is not for a software vendor to determine. It’s up to that business to devise their own interpretation of what they view compliance to mean per the various articles in the GDPR, and what it would take to implement that type of compliance across their infrastructure.
So if one of your clients failed to achieve an acceptable level of compliance, would it affect your relationship with them?
We always want our accounts to be compliant, and we always want them to do what is right for themselves and their customers. So, we would encourage any of our customers to make sure to put in place strategies necessary for compliance, and we’re happy that our technology can help accelerate that journey.
Over the last 24 months, did the GDPR impact any of Pega’s strategies?
We discovered that the capabilities we have today can help organisations accelerate their compliance already. But, it gave us inspiration to do more. And, one of the things we’ve done with Pega Infinity, which is our latest offering, is we’re including new capabilities that can make it even easier to configure and set up a compliant environment that encompasses a business’ interpretation of it in software.
Do you see the new regulation as an opportunity for businesses?
We do. We think the companies that will succeed are the companies that take compliance seriously. If you think about it just as a compliance issue or headache that you have to deal with, then it’s going to be a headache and it will impact your bottom line.
If you treat it as an opportunity to get a better understanding of your customer data, but also make better use of customer data, and build better trust and transparency with customers, then you turn the corner into competitive advantage.
Can you conclude with this idea of the GDPR as a journey?
The GDPR is a journey. And, unfortunately, most businesses aren’t going to solve the issue of compliance overnight. My recommendation is to have a plan – to create a process even if you’re wrong is important. Define what you think compliance means, document that strategy, make sure you work according to that strategy and then make sure that you have a way to prove you did it in all cases. This is easier said than done, but that’s what you have to do to prove that you’ve complied.
We expect over the next few months and years for this legislation to be tested. Businesses will change their strategies over time as they learn more, which is why it is a journey.
Finally, do you think some businesses will really struggle in this post-GDPR landscape?
Absolutely. I think, ultimately, with the GDPR even if you just consider the right to access part of it, businesses have to show the data they have from an individual, but also data they have acquired from third parties. Many businesses will be scared to tell their clients everything they have. It will be like showing their poker cards, and what it requires is a new way of thinking: How do you put the customer first, how do you treat their data with the right process and the right use that you think they would appreciate versus what you might be nervous about.