Privacy by Design: New EU Data Regulations and Your Digital Strategy

Is your business ready for GDPR? Here's a rundown of the new EU privacy laws and how to adapt your digital strategy to ensure compliance and competitiveness.

First and foremost, we are not a law firm. All of what follows is based on best practices, trainings and strategies implemented for our clients to help them deliver on digital strategy in the new realm of the General Data Protection Regulation (GDPR). We recommend that any solution be confirmed with your organization's legal team or Data Protection Officer. With that caveat, let's get to the fun stuff.

Just what is GDPR?

The General Data Protection Regulation (GDPR) is a European privacy law that will come into effect on May 25th, 2018. Its goal is to increase the transparency and accountability of personal data collection, storage and processing, in order to improve data security. The GDPR will affect every organisation that gathers data about any EU citizen, regardless of where the business is located.

To many digital marketers, this sounds terrifying. What will happen to my data? How can I effectively market under these restrictions? Can I still even collect data? Will this cripple my market reach?

It should sound terrifying. The fines are steep for non-compliance. They could amount to €20 million or 4% of annual global revenue. There is no grace period. Shudder.

There is a bright side to GDPR.

Shift your perception

The bad news is out of the way, so on to the good news that will come with GDPR. The whole point of the new regulation is to increase transparency and empower end users over their data and how that data is collected and used. Increased transparency will lead to increased trust.

Which leads us to the two pillars of Privacy by Design: Transparency and Accountability. These two concepts must be woven tightly into the fabric of your digital strategy going forward.

Transparency covers consent to data collection, the kind of data we are collecting and how we use and store it.

Accountability means timely notifications of data breaches and the rights of individuals to be forgotten and to rectify data.

There are many more detailed points in the regulations, but for digital marketers these are the most relevant.

3 Biggest Challenges Affecting Digital Marketing Strategy

Let’s answer some of those questions our terrified digital marketer has about GDPR.

Consent

Consent will still work the same way, but under the new regulations we can't be sneaky about it (yes, we have been sneaky about it). Tricks like pre-checked boxes, hidden legal text and lack of opt-outs are now off limits. The language of the opt-in must be clear and concise, and so must the consent method. In addition, functionality can no longer be held hostage to data consent unless that functionality is tied directly to the usage of the collected data. For example, if I ask for a birth date and none of the functionality on my web site is tied to it except targeted marketing, I can't deny access to the site if the user declines to provide that information.

What about old data? Marketers and companies should take an inventory of all current forms and ensure that the way that consent is collected is compliant. The level of compliance will determine if that data collected previously can be legally used or if you must gain consent again. This is not a bad thing. It is another great opportunity to have a touch point with your customers and show them just how much you care about their data rights.

Collected Data

The definition of personal data has been broadened under GDPR. It includes anything that could identify a "natural person", even in combination with other data or after processing. For instance, a person's IP address, browser history, demographic data and anything else that, added up, could lead to the identification of a person. More of the data we normally collect as digital marketers now falls squarely under the regulations.

Users have more rights to their data as well. These include the right to be forgotten, the right to portability of data and the right to correct wrong data that could be detrimental. Users are also protected from automated decision making based on processed data. Examples include applying online for a credit card, mortgage or other service, where collected data processed without human intervention could bias the automated decision. This means that marketers must be precise in the data that is collected, confident in how it is stored and conscientious in its usage.

Data Protection

The biggest change in data protection under the new regulations is the notification requirement. All the other standards around encryption, handling and processing remain largely the same, with some enhancements. Under GDPR, companies must inform authorities of any data breach within 72 hours. There is no more wait-and-see mentality, as with previous breaches such as Yahoo, which didn't report a data breach that happened in 2014 until 2016, when the user data appeared for sale on a dark net website.

The best thing to do is to put in place the strongest monitoring policies and processes possible. Hackers are sophisticated and savvy, but with the right controls in place, your users' data and trust can be preserved.

The Netcentric Approach

We focus on the two pillars of Privacy by Design in all steps of our process to guide your organization, process-wise through change management and technologically by providing solutions that meet the new regulations. We help raise awareness and activate solutions with the guidance of legal and data protection offices to ensure that all our delivered solutions are compliant.

The new GDPR regulations go into effect soon. Firms that leverage them to build trust and transparency with their customers are going to come out ahead.