The General Data Protection Regulation (GDPR) is due to be implemented across the European Union today, 25 May 2018. It heralds a new era in data protection that empowers people with more rights and control over their data. WARC’s Best Practice Editor, Lena Roland explores what it means.
GDPR is the first major step in taming the so-called ‘digital wild west’ that forces companies to approach consumer data in a more ethical way. And this will lead to more effective marketing.
The new rights under GDPR include (but are not restricted to):
- The right to request the cessation of further sharing of their data, and potentially have third parties halt processing of their data
- The right to request their data is deleted unless there is good reason to store it
- The right to data portability – people will be entitled to request a copy of their data, free of charge
- Clear opt-in methods will make it easier for people to withdraw their consent
For companies, GDPR sets out many requirements, including (but not restricted to):
- Implement 'data protection by design' which means privacy must be considered at the start of the development of a product, service or app not as an afterthought
- There will be tighter notification procedures for reporting a data breach. In the UK for example, any serious breach affecting personal information must be brought to the attention of the Information Commissioner's Office within 72 hours
- Businesses will be required to gain consumer consent in an explicit way. Consent must be provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
The GDPR sets high standards in how companies can collect, store, use and share the data. It speaks volumes that some ad tech companies have had to shut down their EU operations because their business model is so reliant on using consumer data to track and target, usually without peoples’ explicit and informed consent. In other words, they are unable to comply with the data protection standards that are required of them to conduct their business in Europe.
Companies that bemoan GDPR or data protection are myopic.
From surveillance to data ethics
As data becomes more valuable, and as consumers become more empowered, the ethical handling of peoples’ data will become standard best practice.
Thus, marketers must adopt a business model that is not only good for business, but is good for people, and society too.
Implementing privacy by design, security by design, ethics by design or what I call 'manners by design' will force marketers to rethink how they engage with customers. Here’s some advice:
- Do not take - ask for permission
- Do not track - be open and transparent about what you want, and why
- Do not stalk - know when you’re not wanted
- Do not ‘surveil’ – Big Brother does not make for positive brand associations
- Do not target – create great products or services that compel people to seek you out
- Do not listen to private conversations, Alexa, Siri, Google Home…
As technology becomes even more advanced and pervasive and as Artificial Intelligence (AI) continues to seep into our everyday lives, the importance of data ethics cannot be overlooked. There will be more questions and concerns from regulators - and consumers - around how data is used.
Brands that want to nurture a long-term relationship with their customers will be wise to hire a Chief Privacy Officer who will be responsible for data privacy compliance and education.
And there will be more concerns about the dangers of the ‘filter bubble’ that has the potential to limit people’s news – and in turn, limit their 360 degree world view/ critical thinking. And there will be alarm around the inequality of algorithmic bias which can have negative consequences around insurance and healthcare entitlement, recruitment decisions and much, much more.
Thus, we need to see the rise of the Chief Data Ethics Officer who will be responsible for considering the power of the machine - and the very real impact technology has on peoples’ lives.
Offering delightful, seamless and convenient experiences is great. But it needs to be done in a way that does not diminish brand trust. And more importantly, that does not damage democracy or disregard peoples’ right to privacy.
- Data, Democracy and Dirty Tricks, Channel 4
- European Union GDPR Portal
- Guide to the General Data Protection Regulation (GDPR), Information Commissioner's Office
- WARC Topic: Data protection & privacy
- WARC Topic: GDPR
- WARC Best Practice: What we know about GDPR
- WARC Best Practice: How to manage consumer data responsibly
- WARC Best Practice: What we know about data privacy
- WARC Best Practice: What we know about Ad blocking
- WARC Best Practice: What we know Artificial Intelligence
- WARC Best Practice: What we know about brand trust
- Deloitte NWE Privacy Services, Deloitte Risk Advisory, 2017