DECEMBER 2017 Predictions Magazine
Are You GDPR Ready?
WOJCIECH BEDNARZ, DATA & INSIGHTS SENIOR STRATEGY MANAGER
DATA SCIENCE & AUDIENCE INSIGHTS
2018: The year of the GDPR
The General Data Protection Regulation (GDPR) is probably one of the most important legal changes that'll hit the digital landscape in 2018; and even though most customers might not be fully aware of it, digital marketers are taking full notice.

The directive will become effective in May 2018; however, it's raising concerns across the industry, as there are still some gaps in information on how to approach the required changes from a practical and technical point of view. What we do know is that it'll affect all marketers and consumers, giving the latter more power and control than ever before. So, how can marketers take steps in the right direction to comply with the regulations and ensure that consumers' data and privacy are being protected effectively? Well, the first step is understanding that while data is valuable to marketers, it's still private information, and we need to be far more careful with how it's processed following the array of hacks that've taken place in recent years.

Know your place in the ecosystem - and mind the gap

On a basic level, the GDPR concerns the usage and collection of personal data. In the digital ecosystem, different entities work with data in different ways. Depending on where you sit in this ecosystem, the first thing to understand is that the GDPR focuses on two major entities: data processors and data controllers – and your first job is to determine where you fall according to their definitions. Understanding whether you're a processor or a controller is extremely important, as each has entirely different obligations.

Data processor: A processor is responsible for processing personal data on behalf of a controller. If you're a processor, the GDPR places specific legal obligations on you; for example, you're required to maintain records of personal data and processing activities. You'll have legal liability if you're responsible for a breach [1].

Data controller: A controller determines the purposes and means of processing personal data. However, if you're a controller, you're not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR [2].

Once you've identified where your business sits within the dyad, you need to perform a full gap analysis to understand exactly what type of data you've been collecting, in what formats (anonymised, pseudonymised) and what categories of data you've been collecting (such as sensitive data related to religion, race, or politics). All these data points need to be mapped in order to understand where it's being sent and where it's being received. Moreover, this process needs to be documented and stored properly in your records.

A broader definition of privacy

One of the key changes brought in by the GDPR relates to the current definition of privacy. The new directive will extend privacy policies to IP addresses, cookie IDs, device IDs, genetic data, and biometric data; a major game changer which will make the process of stitching data together much harder.

However, marketers still have an ace up their sleeve – consent. As long as marketers have consumers' consent, they'll be able to operate as usual – at least to some extent. However, the directive puts in place robust requirements for gaining consent; small print won't be permitted, nor will hidden terms and conditions (T&Cs) at the point of requesting consent. Everything will need to be presented upfront to consumers, giving them full transparency of how their data will be used – and partners with whom data may be shared must also be highlighted at this stage. This takes us to the next point – consumer power.
Power to the people: Robust individual rights

The GDPR directive gives individuals unprecedented powers, such as the right to access their data, the right to correct it, erase it, have it removed from systems, and the right to restrict processing. To illustrate the seriousness of the GDPR's impact, it's best to consider data as a utility; you, as an end user, are fully entitled to manage suppliers, switch between them, control all costs, etc. – and, legally, marketers have to comply with users' requirements.

With these heightened consent requirements, and robust individual rights, organisations have to put in place adequate processes to enable consumers or privacy advocates to access all their data in an easy and simple manner. Furthermore, these processes will also need to be applied to external documentation, such as T&Cs and privacy policies. Eventually, there'll be the need for technical solutions to be put in place and for a cross-departmental team to manage processes and be dedicated to its implementation and maintenance.

The role of the Data Protection Officer

According to the ICO [3], the main role of a Data Protection Officer (DPO) is to “inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws (and) to monitor compliance with the GDPR and other data protection laws”.

As such, a DPO isn't just a nice-to-have; the role will be required by law for any public authorities (except for courts) or businesses which monitor individuals (i.e. through online tracking). For those businesses where a DPO role isn't legally obliged, a team which possesses the required skills to advise and execute the necessary processes will need to be put in place. One way or another, resource and systems need to be introduced to manage processes, daily requests and build up a technical infrastructure.

Big fines, big problems

After the GDPR has come into play in May 2018, businesses that aren't fully compliant with its policies or that don't have a DPO on board could be fined up to €20 million, or 4% of their global turnover – whichever is higher. This hints that the directive is mainly addressed at large, multinational businesses; however, small businesses will also be affected and required to comply. If your organisation happens to be one of the Googles and Facebooks of the world, the fine might not seem that significant, but for SMEs it could be devastating [4]. So, start preparing as early as possible to make sure you're fully compliant by May 2018.
Embracing change

Although many businesses and marketers are worried about the upcoming GDPR changes, what they should really be considering is the opportunities that'll come along with them. For one, the data landscape is long overdue some changes, and shifting the power balance in favour of customers is certainly a positive step overall. The relationship between businesses and customers with regards to consent doesn't have to be all doom and gloom either.

Imagine a world where first-party data is traded with full consumer consent, where businesses are using information responsibly and individuals are protected and aware of how their data is being used and where. Where there's transparency and clarity, the trust between brand and consumer is greater. At that point, businesses could look to incentivise users for sharing added data points (e.g. health-related information, retail logins, and financial status), which they could use to build rich audiences and fine-tune targeting, leading to highly personalised communications that truly add value to audiences.

Some companies are already embracing the change; one example is digi.me [5], whose tagline is “what can your data do for you?”, and which focuses on how data can empower consumers (not brands). In the end, something positive can definitely come of the GDPR, especially when you consider the value of data being shared on users' terms in a fair and transparent way. So, no matter where you are in the journey, we all need to get to that end point of full compliance – and the more you embrace the change, the more your business could stand to benefit.
1. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
2. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
3. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/
4. https://www.theregister.co.uk/2017/04/28/ico_fines_post_gdpr_analysis/
5. https://digi.me/
www.greenlightdigital.com The Varnish Works, 3 Bravingtons Walk, King’s Cross, London, N1 9AJ +44 (0)20 7253 7000