Are You GDPR Ready? - Greenlight Digital

DECEMBER 2017 Predictions Magazine

Are You GDPR Ready?

Wojciech Bednarz, Data & Insights Senior Strategy Manager

DATA SCIENCE & AUDIENCE INSIGHTS

2018: The year of the GDPR

The General Data Protection Regulation (GDPR) is probably one of the most important legal changes that’ll hit the digital landscape in 2018; and even though most customers might not be fully aware of it, digital marketers are taking full notice.

The directive will become effective in May 2018; however, it’s raising concerns across the industry, as there are still some gaps in information on how to approach the required changes from a practical and technical point of view. What we do know is that it’ll affect all marketers and consumers, giving the latter more power and control than ever before. So, how can marketers take steps in the right direction to comply with the regulations and ensure that consumers’ data and privacy are being protected effectively? Well, the first step is understanding that while data is valuable to marketers, it’s still private information, and we need to be far more careful with how it’s processed following the array of hacks that’ve taken place in recent years.

Know your place in the ecosystem - and mind the gap

On a basic level, the GDPR concerns the usage and collection of personal data. In the digital ecosystem, different entities work with data in different ways. Depending on where you sit in this ecosystem, the first thing to understand is that the GDPR focuses on two major entities: data processors and data controllers – and your first job is to determine where you fall according to their definitions. Understanding whether you’re a processor or a controller is extremely important, as each has entirely different obligations.

Data processor: A processor is responsible for processing personal data on behalf of a controller. If you’re a processor, the GDPR places specific legal obligations on you; for example, you’re required to maintain records of personal data and processing activities. You’ll have legal liability if you’re responsible for a breach [1].

Data controller: A controller determines the purposes and means of processing personal data. However, if you’re a controller, you’re not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR [2].

Once you’ve identified where your business sits within the dyad, you need to perform a full gap analysis to understand exactly what type of data you’ve been collecting, in what formats (anonymised, pseudonymised) and what categories of data you’ve been collecting (such as sensitive data related to religion, race, or politics). All these data points need to be mapped in order to understand where it’s being sent and where it’s being received. Moreover, this process needs to be documented and stored properly in your records.

A broader definition of privacy

One of the key changes brought in by the GDPR relates to the current definition of privacy. The new directive will extend privacy policies to IP address, cookie IDs, device IDs, genetic data, and biometric data; a major game changer which will make the process of stitching data together much harder.

However, marketers still have an ace up their sleeve – consent. As long as marketers have consumers’ consent, they’ll be able to operate as usual – at least to some extent. However, the directive puts in place robust requirements for gaining consent; small print won’t be permitted, nor will hidden terms and conditions (T&Cs) at the point of requesting consent. Everything will need to be presented upfront to consumers, giving them full transparency of how their data will be used – and partners whom data may be shared with must also be highlighted at this stage too. This takes us to the next point – consumer power.


Power to the people: Robust individual rights

The GDPR directive gives individuals unprecedented powers, such as the right to access their data, the right to correct it, erase it, have it removed from systems, and the right to restrict processing. To illustrate the seriousness of the GDPR’s impact, it’s best to consider data as a utility; you, as an end user, are fully entitled to manage suppliers, switch between them, control all costs, etc. – and, legally, marketers have to comply with users’ requirements.

With these heightened consent requirements, and robust individual rights, organisations have to put in place adequate processes to enable consumers or privacy advocates to access all their data in an easy and simple manner. Furthermore, these processes will also need to be applied to external documentation, such as T&Cs and privacy policies. Eventually, there’ll be the need for technical solutions to be put in place and for a cross-departmental team to manage processes and be dedicated to its implementation and maintenance.

The role of the Data Protection Officer

According to the ICO [3], the main role of a Data Protection Officer (DPO) is to “inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws (and) to monitor compliance with the GDPR and other data protection laws”.

As such, a DPO isn’t just a nice-to-have; the role will be required by law for any public authorities (except for courts) or businesses which monitor individuals (i.e. through online tracking). For those businesses where a DPO role isn’t legally obliged, a team which possesses the required skills to advise and execute the necessary processes will need to be put in place. One way or another, resource and systems need to be introduced to manage processes, daily requests and build up a technical infrastructure.

Big fines, big problems

After the GDPR has come into play in May 2018, businesses that aren’t fully compliant with its policies or that don’t have a DPO on board could be fined up to €20 million, or 4% of their global turnover – whichever is higher. This hints that the directive is mainly addressed at large, multinational businesses; however, small businesses will also be affected and required to comply. If your organisation happens to be one of the Googles and Facebooks of the world, the fine might not seem that significant, but for SMEs it could be devastating [4]. So, start preparing as early as possible to make sure you’re fully compliant by May 2018.


Embracing change

Although many businesses and marketers are worried about the upcoming GDPR changes, what they should really be considering is the opportunities that’ll come along with them. For one, the data landscape is long overdue some changes, and shifting the power balance in favour of customers is certainly a positive step overall. The relationship between businesses and customers with regards to consent doesn’t have to be all doom and gloom either. Imagine a world where first-party data is traded with full consumer consent, where businesses are using information responsibly and individuals are protected and aware of how their data is being used and where. Where there’s transparency and clarity, the trust between brand and consumer is greater. At that point, businesses could look to incentivise users for sharing added data points (e.g. health-related information, retail logins, and financial status), which they could use to build rich audiences and fine-tune targeting, leading to highly personalised communications that truly add value to audiences.

Some companies are already embracing the change; one example is digi.me [5], whose tagline is “what can your data do for you?”, and focuses on how data can empower consumers (not brands). In the end, something positive can definitely come of the GDPR, especially when you consider the value of data being shared on users’ terms in a fair and transparent way. So, no matter where you are in the journey, we all need to get to that end point of full compliance – and the more you embrace the change, the more your business could stand to benefit.

1. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
2. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
3. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/
4. https://www.theregister.co.uk/2017/04/28/ico_fines_post_gdpr_analysis/
5. https://digi.me/
