GDPR COMPLIANCE, AN OPPORTUNITY FOR TELECOMS OPERATORS TO DELIVER ENHANCED CUSTOMER EXPERIENCE
Atul Arora and Justin van der Lande
Research report, October 2018
analysysmason.com
GDPR compliance, an opportunity for telecoms operators to deliver enhanced customer experience | i
© Analysys Mason Limited 2018 Contents
Contents
1. Executive summary
2. GDPR, together with the e-Privacy Directive, has a significant impact on telecoms operators’ businesses
3. GDPR principles pose multiple challenges to telecoms operators’ systems and processes
4. Telecoms operators’ approach to complying with data privacy – best practices
5. Telecoms operators can leverage GDPR investments to deliver enhanced customer experience
6. Amdocs product description
About the authors
Analysys Mason’s consulting and research are uniquely positioned
Research from Analysys Mason
Consulting from Analysys Mason
List of figures
Figure 1: The GDPR opportunity [Source: Analysys Mason, 2018]
Figure 2: Key GDPR principles [Source: Analysys Mason, 2018]
Figure 3: How is customer data and consent collected, managed and processed? [Source: Analysys Mason, 2018]
Figure 4: Strategic scope of investments associated with GDPR [Source: Analysys Mason, 2018]
Figure 5: Amdocs User Privacy Solution [Source: Amdocs, 2018]
1. Executive summary
Telecoms operators in Europe are working towards implementing new systems and processes across their
businesses to ensure compliance with the General Data Protection Regulation (GDPR) that became applicable
on 25 May 2018. GDPR has implications for all operators that operate or serve users in the European Union
(EU) and hold or process the data of an individual. Moreover, similar regulations are being adopted in other
world regions. For telecoms operators, this means that any data that can identify an individual has to be obtained
with the explicit consent of the individual, and multiple consents are required if the data is needed for multiple
purposes. Telecoms operators and their suppliers are taking initiatives to ensure compliance with GDPR.
However, now that the regulation is in force, the impact of both the regulation and these initiatives is becoming
clear, including both the challenges and the opportunities that such regulations offer to telecoms operators.
Analysys Mason’s research, including primary interviews, highlights that operators across Europe are taking
initiatives to ensure compliance with GDPR. Leading operators across Europe have been vocal about their plans
to ensure full compliance with GDPR and have deployed data protection officers (DPOs) across their operating
properties. To ensure continued compliance, operators are enabling active participation of DPOs in discussions
relating to the launch of new products or services where customer data needs to be collected. Our research also
highlights that only a few operators are planning to extend their initiatives beyond the purpose of compliance –
that is, only a few operators are embracing this as an opportunity to transform the way their business is run, and
to develop a deeper relationship with their customers. To make the most of this opportunity, Analysys Mason
recommends that operators leverage technologies such as machine learning and artificial intelligence to
automate processes that will allow them to meet scalable demand from individuals and regulatory authorities.
GDPR compliance requires operators to invest in capabilities that allow them to process data at an individual
level. We believe that GDPR offers telecoms operators the opportunity to match the customer experience
benchmarks defined by leading digital-native players, extending the engagement to individual users of their
service, beyond the account holder (see Figure 1). Very few operators are doing this today, and this is an area of
significant promise.
Analysys Mason recommends that operators consider GDPR compliance as part of their wider business
transformation strategy. They should plan and implement new systems and processes to ensure compliance, and
envision and plan to leverage these investments as opportunities to deliver a richer customer experience.
Figure 1: The GDPR opportunity [Source: Analysys Mason, 2018]
2. GDPR, together with the e-Privacy Directive, has a
significant impact on telecoms operators’ businesses
The GDPR focuses on giving individuals control over their data in the data-driven digital economy, and makes
telecoms operators liable for compliance, with heavy fines being imposed for breaches. For all operators
operating in the EU, the regulation fundamentally changes the way they handle personal data, forcing them to
ingrain data management capabilities and systems into their way of operation. The consent of the customer is a
pre-condition to storing and processing their personal information. Operators need to implement processes and
systems that will enable them to comply with key principles of GDPR, such as the ‘right to rectification’¹ and
the ‘right to erasure’.²
GDPR follows the e-Privacy Directive developed by the EU, which focuses on individual users’ privacy and
need for consent for any kind of electronic communication. The e-Privacy Directive has been adopted as
regulatory law on a per-country basis across Europe, and every country or region has established local
authorities that are responsible for overseeing compliance with these regulations. For example, the Information
Commissioner’s Office (ICO) in the UK and Commission Nationale de l’Informatique et des Libertés (CNIL) in
France are responsible authorities.
1 ‘Right to rectification’ includes the right of individuals to have any inaccurate personal data rectified or completed (if incomplete).
2 ‘Right to erasure’ includes the right of individuals to have personal data erased; this is also known as ‘the right to be forgotten’.
[Figure 1 content: three steps around the central label ‘GDPR: An opportunity for enhanced customer experience’. 1. PREPARE for compliance with GDPR: assess current system capabilities and processes in place. 2. IMPLEMENT: deploy necessary systems and processes, e.g. consolidating customer data from multiple systems. 3. EXTEND: extend use of new systems and processes beyond compliance to deliver engaging customer experience.]
While GDPR is broad in perspective and covers all businesses with operations in Europe, the e-Privacy
Directive specifically governs and restrains the handling of service provider data. For telecoms operators, this
means that in certain areas, adhering to the e-Privacy Directive overlaps with complying with GDPR. However,
to fully comply with GDPR, operators need to review their data management and data processing practices and
re-examine and review their existing business and operation support systems (BSS/OSS).
It is important to note that in addition to GDPR, other regions across the world are introducing their own data
protection and privacy laws. For example, Brazil recently adopted the General Data Protection Law, which is
modelled on GDPR.³ This means that operators and other businesses across the world will likely be required to
review their existing systems and processes to ensure they comply with their new local regulations.
3. GDPR principles pose multiple challenges to telecoms
operators’ systems and processes
Operators across Europe have taken steps to ensure compliance with the GDPR. However, to ensure continued
compliance, operators need to overcome the challenges related to their existing systems and processes and transform
their business models to adhere to GDPR principles. Figure 2 below highlights the key principles of GDPR.
Figure 2: Key GDPR principles [Source: Analysys Mason, 2018]
[Figure 2 content: personal data management; consent and rights of data subject; data protection by design and by default; records of processing; data breach and impact assessment; DPOs (data protection officers).]
3 https://www.insideprivacy.com/international/brazils-new-general-data-privacy-law-follows-gdpr-provisions/.
From a systems and processes perspective, telecoms operators need to ensure they consider the following three
issues:
• Handling customer data
• Managing operational processes
• Addressing data subjects as individuals.
These three considerations are discussed in more detail below.
Handling customer data
Telecoms operators need to have complete visibility of the data that they hold on their customers. At present,
most of the data resides in individual systems, and operators may find it challenging to gain a holistic view of
the customer. Such a view will enable operators to assess the relevancy of data and adhere to the GDPR
principle of data minimisation. This principle mandates that operators identify and only hold the minimum
amount of data they require to fulfil the delivery of their service. Gaining an integrated, comprehensive
perspective of their customers is also important because GDPR requires operators to demonstrate their ability to
account for this data. However, the regulation clearly states that businesses with a defined purpose can hold the
data required to achieve this purpose.
Managing operational processes
In addition to deploying new systems and conducting comprehensive landscaping exercises on data, telecoms
operators need to review existing processes and adopt new ones where necessary. This is particularly important
when considering GDPR principles such as the ‘right to rectification’ and the ‘right to erasure’. Moreover,
operators need to define a clear purpose for collecting, processing and storing data, and be able to explain why
they need to hold certain data.
To meet these requirements, telecoms operators need to adopt a new way of operating their businesses, and new
processes. These processes could include, for example, the recording and continuous evaluation of the data
being processed. Telecoms operators need to adopt privacy impact assessment processes for any new products
and services that are expected to involve collection of data. They should also integrate data privacy and
governance officers into the fabric of their business, to ensure their continued compliance with GDPR.
Addressing data subjects as individuals
GDPR’s ‘management of data’ principle focuses on managing data at the level of the individual. GDPR
identifies an individual simply as a name, a number or as another identifier, such as an IP address or cookie
identifier. If operators are collecting such information, they are processing the data of individuals. This is a
major challenge for telecoms operators, as their current systems and processes are designed and configured to
focus only on the customer – the account holder who pays the bill – and not on all data subjects as individual
users of their service. To comply with GDPR principles, telecoms operators need to:
• understand the users of their service
• manage their data in a holistic manner
• meet the principles highlighted in Figure 2 above, including the ability to provide individuals with access to
this data when requested by authorities.
4. Telecoms operators’ approach to complying with data
privacy – best practices
For telecoms operators operating in the European Union (EU), it has been vital to comply with the e-Privacy
Directive and GDPR. Operators hold large customer datasets and need to maintain the trust of their customers.
Since the announcement and adoption of GDPR in 2016, operators have therefore been assessing the
requirements and changes needed to their business processes and underlying IT systems.
Analysys Mason research suggests that most operators have undertaken initiatives that ensure that they are
compliant with these regulations. In cases where there is customer demand to access the individual customer
data that operators hold, operators have also established standard procedures that they share with customers.
Operators such as Deutsche Telekom are enabling this through self-service portals.⁴ These portals ensure that
the customer has access to all the information that the operator holds on them, and that customers will be able to
manage their consent proactively.
Operators are approaching GDPR and privacy requirements with varying degrees of focus
Analysys Mason research highlights that operators’ initiatives related to system and process changes vary in
terms of their objectives. For example, the majority of the operators surveyed (60%) suggested that their
primary objective for internal changes was to ensure compliance with the regulations. However, leading
operators such as Telefónica and Deutsche Telekom see these changes as an opportunity to go beyond
compliance – by leveraging new capabilities and processes to enhance the trust of their customers or
differentiate themselves by being open and transparent about how they process customer data. These operators
are looking to leverage the opportunity to enhance their customer engagement capabilities and deliver a rich
customer experience. They are also aiming to develop this in a self-service format, where possible.
Operators’ data protection and privacy departments will contribute to all product introductions and IT
system changes
Telecoms operators have now deployed data protection officers (DPOs) in their companies. Our research
highlights that it is very important that data protection and privacy departments should grow and develop. For
many operators, these departments have the authority to enforce changes where there are instances of non-
compliance.
Nearly 60% of the operators surveyed highlighted that their DPOs and privacy departments have defined a
standardised process for the company to follow in case of the introduction of any new system or product. This
process consists of rigorous steps to identify and assess the management of customer data in line with the GDPR
regulation. Business departments that require approval to implement a new system or introduce a new product
need to adhere to the process, and meet recommended requirements. This is to ensure that operators comply
with the GDPR principle of ‘data protection by design and by default’.
For example, in its survey response Deutsche Telekom mentioned that DPOs have been assigned to all its
operating units since 2004. In 2016, it launched a European-wide project that methodically assessed each
business unit for its readiness to comply with GDPR. This was followed by adjustments to underlying systems
where needed. In addition, Deutsche Telekom’s data privacy experts form part of all discussions relating to the
launch of products or systems within the business. This process is known within the company as the Privacy and
Security Assessment (PSA) process.
4 See https://www.telekom.com/en/company/details/data-transparency-514522.
Managing customer consent and data is a work in progress
Most operators surveyed said that their customer data is placed across multiple systems within the company, and
that they do not have a consolidated view of the customer data or consent in place in a single system (see Figure
3). However, our research also shows that all operators were making progress towards consolidating customer
data or information on customer consent in a single system. Operators currently have standardised manual
processes in place that allow them to gather this information. But to reduce workload, they are consolidating the
information in a single location. While the primary objective of this activity is to ensure GDPR compliance,
operators expect to leverage this opportunity to further enhance their engagements with the customer.
Figure 3: How is customer data and consent collected, managed and processed? [Source: Analysys Mason, 2018]
Telefónica, for example, has gained a holistic understanding of customer data and the consent in place under the
AURA platform, and intends to apply advanced analytics and automation technology to ensure continued future
compliance to regulations. In addition, Telefónica will leverage the platform to assess possible scenarios where
the data with consent can be used, to enhance customer engagement and experience, as well as to generate new
business use cases.
Operators today place limited consideration on moving beyond account holder data to managing data
subjects as individuals
Operators were surveyed on their ability to analyse and assess individual data. Most operators (80%) lacked the
ability to move beyond the customer, i.e. the individual who pays the bill. One of the operators mentioned that it
was in discussions with its local regulatory authority to gain clarity on its responsibilities in this regard, since it
only engages with the account holder. Another operator stated that it did not believe it needed to take action,
since it does not do profiling of these individuals.
Operators with businesses that include advertising and marketing usually tailor their services to the individual,
and on many occasions leverage the cookie identifier or device IP address to market their offers. Under GDPR
principles, such actions would be classified as engaging with an individual.
Operators therefore need to improve how they process this information to ensure that they are fully compliant
with the GDPR principles, and to be able to demonstrate to authorities that proper management and processes
are in place to handle such data.
[Figure 3 chart residue: categories ‘Exists across multiple systems’, ‘Data consolidation to central system in progress’ and ‘Centralised system in place already’; values shown: 20%, 80%, 0%.]
5. Telecoms operators can leverage GDPR investments to
deliver enhanced customer experience
Telecoms operators across Europe have invested and are investing in new systems and processes to comply with
GDPR. However, they need to consider these investments as part of their broader transformation strategy, where
such investments also help to advance their business goals (see Figure 4). Analysys Mason sees an opportunity
for operators in the following areas of business:
• Extend investments to leverage artificial intelligence and machine-learning capabilities
• Re-design business processes to streamline operations and revamp business models
• Extend customer engagement beyond the customer (account holder) to the user.
These three opportunities are discussed in more detail below.
Figure 4: Strategic scope of investments associated with GDPR [Source: Analysys Mason, 2018]
Extend investments to leverage artificial intelligence and machine-learning capabilities
To improve customer experience, telecoms operators need to gain a holistic view of the customer. They need to
better understand customer journeys to meet customers’ demand for personalisation. To this end, operators that have
invested in consolidating their data to a single location can leverage the opportunity to apply advanced analytics
and machine-learning capabilities to process and manage data in a faster and regulated manner. Artificial
intelligence and machine learning can also help them process data to ensure adherence to GDPR principles of
relevance to business purpose as well as support the pseudonymisation of data.
In the same way that data authorities in the UK and France have reported a rise in the number of complaints,
telecoms operators can expect a large number of requests from their customers to access the data that operators
hold on them. Operators currently do not have the resources to handle such requests. Adopting advanced data
processing and machine-learning capabilities will enable them to process this information and make it readily
available to customers.
Re-design business processes to streamline operations and revamp business models
Most telecoms operators today have a fragmented operational structure, where each department has adopted its
own way of operations. Transforming this culture under the umbrella of customer-centricity has been the biggest
hurdle for most operators worldwide. Continuous adherence to GDPR means that telecoms operators need to
bring together different departments (such as marketing, sales and customer service functions) to follow a
common set of procedures. Operators’ management teams can leverage these as an opportunity to re-design
their businesses in a way that aligns with their future vision.
Extend customer engagement beyond the customer (account holder) to the user
GDPR focuses on individual users – this is in contrast to telecoms operators’ focus on the account holder/the
customer. In Section 3 of this paper, we highlighted this as an important challenge for operators to ensure full
compliance with GDPR. To demonstrate adherence to the GDPR principle, telecoms operators need to
implement new systems and processes. These processes should enable operators to consolidate data and
information on individual users of their service, for example if a request is placed by an individual for data
access. We see this as an opportunity for operators to extend this investment, to further their engagements with
the users of the service. It will allow operators to better understand and process requirements of each individual
user of the service, enabling them to meet customer demands by focusing on the ‘segment of one’.
6. Amdocs product description
The Amdocs User Privacy Solution helps operators manage their user identities and gets them ‘systems ready’
for the challenges posed by GDPR and other global regulations.
Amdocs User Privacy
Powered by the Amdocs User Lifecycle Management® (ULM®) platform, the solution acts as a Privacy
Control Point within an operator’s Data Privacy Management solution. It provides consent management and
personal data protection across all operator connectivity and cloud services, to support their efforts to meet the
stringent requirements of GDPR and other global regulations.
ULM extends consent management and privacy control to every individual user, including minors, through a
privacy dashboard, and empowers them with the right to give, manage and revoke granular consents, control
what personal data is being collected, how it is being used and who they wish to share it with.
Amdocs User Privacy is an operator-centric solution that resides on top of existing back-end OSS/BSS systems,
through a rich API and process layer, enabling fast deployment and maximum agility (see Figure 5).
Figure 5: Amdocs User Privacy Solution [Source: Amdocs, 2018]
About the authors
Atul Arora (Senior Analyst) is the lead analyst for the Digital Experience and Customer
Engagement programmes at Analysys Mason. He is focused on helping his clients to achieve
their customer experience objectives by narrowing down their business problems associated
with customer engagement across the customer lifecycle. His areas of interest include the
digital transformation of operators’ customer engagement functions (marketing, sales and
customer service), customer journey enablement and digital-first enablement. Atul also works
on custom projects for telecoms operators and vendors, which include delivering workshops, providing strategic
advisory and undertaking market assessment work. He holds an MSc in Neuroscience from University College
London and a bachelor’s degree from Jaypee University (India).
Justin van der Lande (Principal Analyst) leads the AI and Analytics research programme,
which is part of Analysys Mason’s Telecoms Software and Networks research stream. He
specialises in business intelligence and analytics tools, which are used in all telecoms business
processes and systems. In addition, Justin provides technical expertise for Analysys Mason in
consultancy and bespoke large-scale custom research projects. He has more than 20 years’
experience in the communications industry in software development, marketing and research.
He has held senior positions at NCR/AT&T, Micromuse (IBM), Granite Systems (Telcordia) and at the TM
Forum. Justin holds a BSc in Management Science and Computer Studies from the University of Wales.
This research and white paper was commissioned by Amdocs. Analysys Mason does not endorse any of the
vendor’s products or services.
Published by Analysys Mason Limited • Bush House • North West Wing • Aldwych • London • WC2B 4PJ • UK
Tel: +44 (0)20 7395 9000 • www.analysysmason.com/research
Registered in England No. 5177472
© Analysys Mason Limited 2018
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic,
mechanical, photocopying, recording or otherwise – without the prior written permission of the publisher.
Figures and projections contained in this report are based on publicly available information only and are produced by the Research Division of Analysys Mason
Limited independently of any client-specific work within Analysys Mason Limited. The opinions expressed are those of the stated authors only.
Analysys Mason Limited recognises that many terms appearing in this report are proprietary; all such trademarks are acknowledged and every effort has been
made to indicate them by the normal UK publishing practice of capitalisation. However, the presence of a term, in whatever form, does not affect its legal status
as a trademark.
Analysys Mason Limited maintains that all reasonable care and skill have been used in the compilation of this publication. However, Analysys Mason Limited
shall not be under any liability for loss or damage (including consequential loss) whatsoever or howsoever arising as a result of the use of this publication by the
customer, his servants, agents or any third party.
Analysys Mason’s consulting and research are uniquely
positioned
Analysys Mason is a trusted adviser on telecoms, technology and media. We work with our clients, including
communications service providers (CSPs), regulators and end users to:
• design winning strategies that deliver measurable results
• make informed decisions based on market intelligence and analytical rigour
• develop innovative propositions to gain competitive advantage.
We have around 250 staff in 16 offices and are respected worldwide for the exceptional quality of our work, as
well as our independence and flexibility in responding to client needs. For over 30 years, we have been helping
clients in more than 110 countries to maximise their opportunities.
Consulting
• We deliver tangible benefits to clients across the telecoms industry:
‒ communications and digital service providers, vendors, financial and strategic investors, private equity
and infrastructure funds, governments, regulators, broadcasters, and service and content providers.
• Our sector specialists understand the distinct local
challenges facing clients, in addition to the wider
effects of global forces.
• We are future-focused and help clients understand
the challenges and opportunities that new
technology brings.
Research
• Our dedicated team of analysts track and forecast
the different services accessed by consumers and
enterprises.
• We offer detailed insight into the software,
infrastructure and technology delivering those
services.
• Clients benefit from regular and timely intelligence, and direct access to analysts.
Research from Analysys Mason
We provide dedicated coverage of developments in the telecoms, media and technology (TMT) sectors,
through a range of research programmes that focus on different services and regions of the world
The division consists of a specialised team of analysts, who provide dedicated coverage of TMT issues and
trends. Our experts understand not only the complexities of the TMT sectors, but the unique challenges of
companies, regulators and other stakeholders operating in such a dynamic industry.
Our subscription research programmes cover the following key areas.
Each subscription programme provides a combination of quantitative deliverables, including access to more
than 3 million consumer and industry data points, as well as research articles and reports on emerging trends
drawn from our library of research and consulting work.
Our custom research service offers in-depth, tailored analysis that addresses specific issues to meet your
exact requirements
Alongside our standardised suite of research programmes, Analysys Mason’s Custom Research team undertakes
specialised, bespoke research projects for clients. The dedicated team offers tailored investigations and answers
complex questions on markets, competitors and services with customised industry intelligence and insights.
For more information about our research services, please visit www.analysysmason.com/research.
Consulting from Analysys Mason
For more than 30 years, our consultants have been bringing the benefits of applied intelligence to enable
clients around the world to make the most of their opportunities
Our clients in the telecoms, media and technology (TMT) sectors operate in dynamic markets where change is
constant. We help shape their understanding of the future so they can thrive in these demanding conditions. To
do that, we have developed rigorous methodologies that deliver real results for clients around the world.
Our focus is exclusively on TMT. We advise clients on regulatory matters, help shape spectrum policy and
develop spectrum strategy, support multi-billion dollar investments, advise on operational performance and
develop new business strategies. Such projects result in a depth of knowledge and a range of expertise that sets
us apart.
We look beyond the obvious to understand a situation from a client’s perspective. Most importantly, we never
forget that the point of consultancy is to provide appropriate and practical solutions. We help clients solve their
most pressing problems, enabling them to go farther, faster and achieve their commercial objectives.
For more information about our consulting services, please visit www.analysysmason.com/consulting.