With the recent data privacy scandal involving Facebook and a research company called Cambridge Analytica, the issue of personal data is seeing a whole new level of attention. In this light, adhering to privacy laws is all the more important.
And the compliance clock is ticking for new legislation in the EU. The General Data Protection Regulation (GDPR) legislation is going into effect in the European Union beginning on May 25, 2018. The objective of this new set of rules is to give citizens and residents control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market and will allow European citizens and businesses to fully benefit from the digital economy.
We live in an age where the protection of our personal data is vital. Under GDPR, personal data is any information relating to an individual who can be identified, either directly from that data or indirectly by combining it with other information that is in, or is likely to come into, the possession of the business using the data. For example:
The new rules apply to any organization, inside or outside the EU, that processes the personal data of people in the EU. And though the U.S. does not currently have a comprehensive federal data privacy law, there are federal laws that provide similar protections in certain industries (HIPAA, FCRA, FTCA, COPPA, etc.).
What does GDPR Mean for Marketers?
While it might sound daunting, the GDPR legislation is actually a good thing for marketers. And while it will initially require more of us, we will ultimately benefit in several ways from uniform data protection laws (as will consumers):
- Though difficult, marketers are going to have to focus on providing even more value to customers. They will have to work harder to attract consumers to gain their attention, which today is one of the most valuable commodities.
- GDPR requires greater transparency for EU citizens regarding how their data is being used by organizations. Companies that collect data will need to communicate and in turn provide value to the citizens. This better communication and transparency around data collection will lead to a stronger understanding about why people should share data.
- Marketers are going to be forced to aim higher. Consent mechanisms that fall short of the GDPR standard (pre-checked boxes, consent bundled into terms and conditions, silence treated as agreement) will be things of the past. This means marketers will need better, more creative thinking and will have to innovate.
It basically all comes down to using individuals' data responsibly and delivering real value through the use of that data. As we've said for a long time, marketing is all about providing value—and now we have a legal reason to up our value game!
What are the essential areas upon which marketers need to focus?
With all of the above in mind, there are several points that marketers will have to address to ensure they are GDPR compliant.
- Requests for consent must be clearly distinguishable from language concerning other matters, and presented in plain language. Achieve this by auditing all sign-up forms, preference centers, and unsubscribe processes. Confirm there are no pre-checked boxes, that withdrawing consent is as easy as giving it, and that individuals can easily correct inaccuracies in their personal data.
- Regarding specific advertising and marketing communications, update notices to describe, and offer choices regarding, any automated decisions your systems make about individuals using their personal data. Do this especially in relation to profiling that predicts individuals' interests, character traits, reliability, movements and more. For individuals who object to such automated decisions and profiling, be sure to exclude their personal data from that processing.
- While individuals have always had a right to obtain copies of their data, they now also have a right to portability. As such, think about creating a mechanism that efficiently prepares a structured, commonly used, machine-readable copy of an individual's personal data and securely delivers the file to the individual or, where technically feasible, directly to another controller.
- Evaluate, document, and record all processing activities and personal data being processed and the legal basis relied upon to lawfully process personal data (e.g. contract, consent, legitimate interest, etc.). Be sure to consider all of the personal data involved as marketers often rely upon different legal bases to process different personal data elements.
- When processing personal data on the basis of consent, review records available to demonstrate consent is valid. Where records are deficient, carefully consider whether another legal basis, such as legitimate interest, can be relied upon.
- Enact a large-scale data clean-out prior to May 2018, deleting or anonymizing old and unused data so that retention is limited to what is necessary for the purposes for which the data was collected.
- Review and update terms, conditions, and privacy notices to make sure they are clear, concise, written in plain language and easily accessible.
- Review and update protocols for data breach management, notification, and escalation. Take into account that a breach must now be reported to the supervisory authority within 72 hours of your becoming aware of it (unless it is unlikely to result in a risk to individuals), and that affected individuals must be informed without undue delay when the breach is likely to result in a high risk to them.
- Appoint or hire a Data Protection Officer (DPO) with direct access to senior management to oversee process change, compliance, and education. A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; for everyone else it is strongly advisable.
- Data Protection Impact Assessments (DPIAs) are mandatory where processing is likely to result in a high risk to individuals, including systematic and extensive profiling based on automated processing, large-scale processing of special categories of data, and large-scale systematic monitoring of public areas. If this applies to you, establish a system to conduct them before the processing begins.
GDPR puts citizens' privacy as the foremost priority for marketers. By innovating and making good use of new technologies, resourceful marketers will enjoy better data quality—and better data quality will present the opportunity to explore and gain richer understanding of prospects and customer needs.