GDPR and the Trend Toward Privacy
Paulsen was invited to present a webinar on the GDPR and the trend toward privacy as part of the National Agri-Marketing Association 2019 webinar series. If you registered for the original recording, the archived version is here: https://nama.org/past-webinar-links.
If you were not able to participate in the webinar, here is a recap on a topic that is pressing for everyone in agri-marketing.
Before proceeding, please note that we are not attorneys, and this article should not be considered legal counsel.
What is the GDPR?
GDPR stands for General Data Protection Regulation. It is the European Union’s law on data protection and privacy, implemented in 2018. Importantly for marketers, it is part of a more significant trend of giving individuals control of their data. The GDPR includes essential details, such as the ePrivacy amendments. Separately, other laws have been enacted, such as the California Consumer Privacy Act and the Vermont Data Brokers Regulation. Taken together, these are the main points of the trend toward privacy from the perspective of the individual.
The rights of “data subjects” (individuals) include:
- The right to be forgotten
- The right to data portability
- Rights regarding automated processing
- The right to know of a breach or hack of one’s data
Why was the GDPR enacted?
When you are thinking about the impact of the GDPR, it is essential, at a high level, to understand how the E.U. compares itself to the U.S. in terms of data protection. Opinion writers on the E.U. side see themselves culturally as putting privacy first, and see the U.S. as a country governed by Silicon Valley—at least when it comes to data protection.
The Economist reports that the “E.U. is pioneering a distinct tech doctrine that aims to give individuals control over their information and the profits from it, and to pry open tech firms to the competition.”
Keep in mind that of the top 20 most valuable tech firms in the world, 15 are in the U.S., and only one is in the E.U., which at the time of this writing is Spotify. Consider that, and the fact that more and more, data represents power. To return power to the people and to prevent anti-competitive behavior, the E.U. is regulating data through the GDPR.
As the Financial Times explains, this is the so-called Brussels Effect in action. “The E.U. tends to write rules for itself and then lets the gravity of its huge market pull other economies into its regulatory orbit.” Faced with multiple regulatory regimes, businesses (including those outside the E.U.) tend to work to the highest standard, and that pull toward the E.U.’s standard is what is widely known as the “Brussels Effect.”
As it turns out, the Brussels Effect is affecting all of us.
GDPR Is a Law with Consequences
If you are in the U.S., you may be wondering if you need to worry about GDPR. The answer is yes if you have or will have customers or employees in the E.U., regardless of the physical location of your company. I know of companies in the U.S. that are currently blocking all website traffic from E.U. IP addresses until they are sure they comply.
There are also hefty fines in place for violations: €20 million ($22,493,000.00) or four percent of annual revenue, whichever is greater. And since the court system has not processed this yet, there are still a lot of questions.
Even though the penalties are pretty stiff, keep in mind this is the worst-case scenario for fines, and to date, only three fines have been issued. The spirit of the GDPR is less draconian than initially thought, but still not something to take lightly. It is just the point of the spear in terms of personal data control and protection.
What does this mean for my company?
Thinking about the implications of these privacy rights is a window into how far-reaching this trend is. Here are just a few of the steps for organizations to take:
Hire a Data Protection Officer and Build an Inclusive Internal Team
Within the E.U., all public authorities must appoint a Data Protection Officer (DPO). A DPO is not necessary for small and medium-sized businesses, which in the E.U. is defined as fewer than 250 employees.
However, if your business monitors data subjects on a large scale or processes certain types of personal data, you must appoint a DPO for compliance. If you are in the business of data, you probably need a DPO.
The role of the DPO might also be a job for a cross-discipline team of people. Include legal counsel, members of the I.T. team, human resources, marketing, finance and so on. Assembling a group of different disciplines from your organization will demonstrate an effort at compliance, and since this is not through the court system yet, these efforts toward compliance count.
Plan for a Data Audit and Ongoing Governance
Get your arms around what you are collecting, where you are storing it and its security. Identify collection points, including the forms on your website and where that form data is stored. Consider where customer records and transactional data are stored and how you will govern and secure them.
If your company has personal data in permanent storage, you’ll need to perform a data protection impact assessment (DPIA) before each project. A DPIA is a thorough audit of your organization’s collection, processes and governance to identify risks in compliance.
To make things more straightforward in the future, work to achieve the goal of having a single entry for a data subject for efficient compliance. Prepare communications and processes to provide transparency in data processing, and ensure that consent by data subjects is “freely given, specific, informed and unambiguous.”
Where are we headed?
This trend toward privacy corresponds with a softening in the growth of third-party data platforms and a stronger growth pattern in the use of first-party data platforms. On a recent Google Marketing Live broadcast, the company discussed changes, including replacing personalized ads with contextual ads, supported by artificial intelligence, machine learning and user controls.
The Facebook family of properties (Facebook, WhatsApp, Messenger, Instagram) will also trend toward increased privacy through growing reliance on private groups, encryption of user data and reducing the permanence of information.
To sum it all up, this trend is just beginning, so data stewardship and user rights will impact marketing permanently.
Rights Under the GDPR
Transparency in Data Processing
A significant change in GDPR is that data needs to be processed transparently as well as fairly and lawfully. This transparency puts the responsibility squarely on the company to use plain language (even though, ironically, the GDPR is not written plainly) and make it easily accessible. No technical jargon or legalese; the goal is for people to be able to understand their rights and take control of their data.
Clear on Consent
Consent must be “freely given, specific, informed and unambiguous.” In cases of sensitive personal data, it must also be “explicit.”
That statement means you cannot bury the request for consent inside another legal document. It needs to stand out clearly and plainly.
Data Subjects’ Rights
Right to Be Forgotten
The right to be forgotten is a key tenet of the GDPR. The "right of erasure" means the complete removal of your data from a company’s system.
If a company no longer needs your data, or if they used or collected your data unlawfully, then you have the right to demand deletion.
There are notable exceptions to this rule. For example:
- The personal data is needed by your company to exercise the right to freedom of expression
- There is a legal obligation to keep that data
- The data is kept for reasons of public interest (e.g., public health or research purposes)
Right to Data Portability
Next is the right to data portability, which is the ability to move data from one controller (or company) to another, where possible. If you want to change doctors, for example, your information must be sent to the new doctor in a format the clinic can easily use.
You can also request your information be deleted, but that will be subject to the laws in that jurisdiction. GDPR is murky regarding what happens if that data is not easily accessible or in a usable format.
Rights in Automated Processing
You have rights regarding automated processing—an interesting aspect of the GDPR.
Regarding automated processing, you have a right not to be subject to a decision that is based solely on automated processing. For example, if you applied for credit and automation rejected your application, you have the right to human intervention.
If you feel profiled through direct marketing, you can complain under the law. As marketers, we will have to watch this closely!
Of course, there are exceptions. Decisions cannot be made solely on automated processing unless the decision is:
- Authorized by law
- Based on unambiguous consent
Personal Data Breach
In the E.U., if customer or employee personal information is stolen, lost or illegally accessed, it must be reported within 72 hours. Breaches are reported to the National Data Protection Authority, which has representation in every country of the E.U.
Data Breach in the U.S.
The U.S. has resources to help you understand what you need to do if you have a data breach, which varies state by state. One look at this website for the National Council of State Legislators will help you understand why it might be a good idea to have a U.S. federal law similar to the GDPR.
Privacy in the U.S.
Currently in the U.S., protecting privacy is either self-regulated or varies by state. Many global companies are compliant just by following the GDPR. There is no national legislation in the U.S. that is comparable to the E.U.’s GDPR. However, legislation in California may set a precedent for further regulation.
California Consumer Privacy Act (CCPA)
I mentioned the Brussels Effect earlier, and certainly the GDPR has influenced what is happening in California, where the new law overlaps substantially with the GDPR. Here’s an overview of California’s privacy law for its citizens:
- Effective January 1, 2020
- Requires disclosure of the collection of personal data, the categories of information collected, the purpose for collecting and selling data, and the third parties with which data is shared
- Authorizes consumers to opt out
- Allows businesses to offer financial incentives for the collection of personal information
- Prohibits companies from selling the personal data of consumers under the age of 16 years
- Requires data breach notification
Complying with the GDPR covers most of the actions of complying with CCPA. However, the argument goes that a U.S. federal law would avoid inconsistent and overlapping legislation, as we see with breach notification laws that vary across all 50 states.
Vermont Data Brokers Regulation
The first state to pass an act regarding the collection and brokerage of data was Vermont. Not much has been said outside of certain circles because it explicitly targets data brokers. The primary tenets are:
- Data brokers must register with the state of Vermont
- They must take standard security measures
- They must notify authorities of security breaches
- Violations that constitute fraud are subject to enforcement
What is unclear to me after reading the law is to whom it pertains. Is it brokers with a business address in Vermont or brokers that collect information on residents of Vermont or brokers that sell data within Vermont? The odds are that most data brokers fall into one of those categories. So to be in business today probably means being governed by this law.
Other Considerations of the GDPR
Does Not Apply to Anonymized Artificial Intelligence
Remember, people do have rights if they feel discriminated against by AI, and if that creeps over into marketing, we can expect pushback. I know of marketers who no longer use any of Facebook’s demographic data in target marketing for their real estate client because of potential unintended discrimination.
Freedom of the Press
There is a specific effort within the new data protection rules to take into account the freedom of the press. Journalists can still protect their sources. The E.U. member states are required, when necessary, to provide for exemptions to the press in their national laws, too.
Proper permission is critical. The GDPR is pretty clear that personal data cannot be used without consent. If a company collects consent for a particular purpose, and then wants to use the data for a different purpose, or forward it to a third party, they must ask for consent again.
We all had a flood of emails re-confirming consent in the buildup to May 25, 2018—and this is exactly what all of these companies were attempting to establish and document.
As marketers, the way we write our policies associated with consent needs to always look to the future.
Breaking the GDPR
Penalties for violation of the GDPR are frightening! However, it is a range of penalties. As well as fines, there are warnings, reprimands and orders to comply with the data subject’s requests.
While €20 million or four percent of annual revenue is the absolute maximum amount, fines depend on the specific situation: the gravity of the infringement and whether it was intentional or negligent. Good faith efforts in compliance are taken into account.
Video Surveillance Is Covered, Too
Video surveillance is probably only relevant if you have a location in the E.U.; however, it is good to be aware that it is covered. In general terms, minimize the amount of video you collect. In the E.U., institutional buildings post notices of surveillance as a requirement. They display the purpose of the surveillance, who retains the footage and for how long. Of the three fines that have been dealt out so far, one was for misuse of video recording.
“GDPR compliance is not possible without quality data, data management practices and the advanced capabilities to curate it.” – Forbes
GDPR might be simple in the overarching goal of protecting the privacy of individuals. However, no one thinks it will be easy or inexpensive to comply.
Data Protection Step by Step
Here is a handy compliance checklist—hat tip to Proskaur.com. You should visit their website because unlike me, they are attorneys!
Step 1: Data Audit
- Data Protection Impact Assessment (DPIA)
- Done before each project with personal data
- Goal is compliance
- Determines risks and effects
- Assesses policies and processes
An excellent place to start is a data audit. We discussed a DPIA earlier, which covers the processes and procedures that measure the risk of compromising the privacy of the individuals whose data is being stored, collected or processed.
The DPIA achieves three things:
- Ensures compliance with legal, regulatory and policy requirements
- Identifies the risks and effects
- Evaluates protections and alternative processes to mitigate risks
Step 2: Structures for Processing Employee, Client and Customer Data
- Create a single record for every person
- Include ERP, CRM, structured data, unstructured and transient data
- Watch for misspellings, duplicate names
- Practice data minimization
Most of the conversations we have had with clients around GDPR center on website data—that seems to be what most people think of first with GDPR. It is my opinion that website data is probably the easiest part of your data ecosystem to tackle. What is more difficult is dealing with the data stored on internal systems.
Your overall goal is creating a single record for every data entity or person. This individual entry makes it far more feasible to comply with the right of erasure or portability. However, this is deceptively difficult to do because of data silos, infrastructure and legacy systems.
The single-record goal is where a modern ERP or CRM platform can help, but that mainly covers structured data. There might also be unstructured data, like location data or data stored in apps and any number of places. And you have to account for misspellings or duplicate names, family name repetition and other challenges. Anyone who has worked with ag data can attest to this!
Finally, remember that the GDPR wants you to collect as little data as possible. Collect only the data you need and only for a limited time—with exceptions.
Step 3: Data Protection Policies and Notices
Privacy policies have been around for decades, but as stated earlier, they need to be written in plain language and consented to in an obvious manner.
One important thing to put in your policy is where the data is stored. And, the Cloud is not literally a cloud, so know the location of your cloud server, and if you have redundancy of data, the locations of all your cloud servers.
From a web development perspective, the technology you need to add these notices is pretty straightforward and often comes in a simple plugin or an additional bit of code.
The more significant challenge is writing for future use of data, especially with the way that explicit consent works. Remember that if you decide down the road to use data for a different purpose than originally intended, then you will need to ask for permission again.
If you have gone through asking for consent a second time you know what that can do to the size of your subscriber list.
Finally, documentation is essential. You must have a trail of proof points of consent for everything you are doing with your data.
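The consent trail that Step 3 asks for, and the re-consent rule from earlier in the article (a new purpose needs a new consent), can be made concrete as a small ledger. The following is an added example, not code from the webinar, from Paulsen or from Proskauer; the record fields, the in-memory list and the hashing of the notice text are illustration choices, not anything the GDPR prescribes.

```python
"""Purpose-bound consent ledger (added example; an illustration, not any
vendor's or the webinar's code).

Each consent event is stored with the purpose it was given for, where it
was captured, when, and a hash of the exact notice text the person saw.
Processing is only authorized for a purpose the subject actively consented
to, so reusing data for a new purpose fails the check and forces a fresh
consent request. Field names and the in-memory store are assumptions.
"""
import dataclasses
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    subject: str                 # key for the person, e.g. the e-mail address
    purpose: str                 # the specific purpose consented to
    source: str                  # where consent was captured (form URL, event)
    granted_at: datetime
    evidence_hash: str           # SHA-256 of the notice text shown at the time
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, subject: str, purpose: str, source: str,
                       notice_text: str, when: Optional[datetime] = None) -> ConsentRecord:
        """Store one proof point: who, for what, from where, when, and what they read."""
        when = when or datetime.now(timezone.utc)
        digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
        rec = ConsentRecord(subject, purpose, source, when, digest)
        self._records.append(rec)
        return rec

    def withdraw(self, subject: str, purpose: str,
                 when: Optional[datetime] = None) -> int:
        """Mark active consents for this subject/purpose as withdrawn; the
        record itself is kept so the trail stays complete."""
        when = when or datetime.now(timezone.utc)
        count = 0
        for i, rec in enumerate(self._records):
            if (rec.subject == subject and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                self._records[i] = dataclasses.replace(rec, withdrawn_at=when)
                count += 1
        return count

    def may_process(self, subject: str, purpose: str) -> bool:
        """True only if an unwithdrawn consent exists for exactly this purpose.
        A different purpose (e.g. sharing with a partner) is refused even if
        the person consented to something else."""
        return any(r.subject == subject and r.purpose == purpose
                   and r.withdrawn_at is None for r in self._records)

    def proof(self, subject: str) -> List[dict]:
        """The audit trail for one person: what the documentation step requires."""
        return [dataclasses.asdict(r) for r in self._records if r.subject == subject]


def demo() -> dict:
    """Walk through a constructed scenario and return the outcomes."""
    ledger = ConsentLedger()
    # Constructed sample: a grower signs up for a newsletter on a web form.
    ledger.record_consent("grower@example.com", "newsletter", "https://example.com/signup",
                          "We will e-mail you our monthly agronomy newsletter.",
                          when=datetime(2018, 5, 20, tzinfo=timezone.utc))
    return {
        "newsletter_ok": ledger.may_process("grower@example.com", "newsletter"),
        # New purpose never consented to: must go back and ask again.
        "partner_sharing_ok": ledger.may_process("grower@example.com", "partner-sharing"),
        "withdrawn": ledger.withdraw("grower@example.com", "newsletter"),
        "after_withdrawal_ok": ledger.may_process("grower@example.com", "newsletter"),
        "trail_length": len(ledger.proof("grower@example.com")),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping withdrawn records instead of deleting them is deliberate: the trail must show both that consent was once given and when it was taken back, which is what you will be asked for if a complaint arrives.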
Step 4: Agreements about the Transfer of Data, Including International Transfers of Data
Of everything we have covered, the Transfer of Data is the most complex. In general, the GDPR permits "data transfers to a third country or international organization subject to compliance with set conditions, including conditions for onward transfer."
If you need to transfer data, get legal counsel.
Step 5: Default Data Retention Periods
The next step is to set policies based on retaining data for the least amount of time possible while still complying with the law. There may also be data stores from which you cannot delete specific records, such as backup tapes; in those cases there may be ways to encrypt or anonymize the data that still allow compliance.
Step 6: Processes for Handling Data Breaches
1. If the breach is of high risk to a person's rights and freedoms, the company needs to inform the persons immediately. The high risk would be something like credit information, social security numbers or health information. It is a little gray on whether it includes someone’s physical address.
2. When you report, use clear and plain language in the following four areas (from gdpr.eu):
- Describe the nature of the personal data breach including the categories and approximate number of people involved.
- Communicate the name and contact details of the data protection officer.
- Describe the likely consequences of the personal data breach.
- Describe the measures taken or proposed to be made by the company to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
3. The communication to the affected persons is not required under any of the following conditions:
- Appropriate protection measures apply to the data affected by the breach, such as encryption.
- If the company has taken steps to ensure that the risk to the person is no longer likely to happen.
- If it would involve disproportionate effort to contact the persons compared to the breach. When that's the case, there can be a public communication or similar effort for notification.
- If the company has not already communicated the breach to the affected persons, the authorities may require the company to disclose it to them or publicly.
Step 7: Data Protection by Design and by Default
I think this represents the E.U.’s long-term goal for the GDPR. All sound future data protection measures will become standard best practices for businesses and organizations.
- This concept within the GDPR is not new. Previously it was known as “privacy by design” and was always part of data protection law. Now it is a legal requirement.
- Plan for data protection and privacy issues from the beginning. Not only for compliance with GDPR’s fundamental principles and requirements but a focus on accountability when data is involved.
- Safeguard data through appropriate technical and organizational measures.
- Integrate data protection into your business processes, from the design stage through the lifecycle of the data.
Step 8: Data Security
Finally, a few key points about data security:
- Ensure that the software, systems and processors you are using are GDPR-compliant. Most CRM systems such as SharpSpring, Hubspot, Marketo and Salesforce are GDPR compliant, but that might not be the only place where your data is stored.
- Securing data also means you need to regulate who has physical access to data. Keep records of who has access and their level of clearance as part of the required GDPR documentation.
- If your company processes data, document the use of physical and electronic access controls.
- Anonymize, encrypt or pseudonymise data whenever possible for an extra level of security.
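Step 8's advice to pseudonymise, and Step 5's point that backup tapes cannot have single records deleted, fit together in one pattern: operational records and backups hold only keyed tokens, while the mapping from token back to the person lives in a separately controlled vault. Erasing the person then means deleting the vault entry and key, after which copies you cannot edit are no longer linkable to them. The block below is an added example, not code from the webinar, from Paulsen or from any CRM vendor named above; the vault class, the retention periods and the sample records are constructed assumptions, and a production system would keep the vault in a dedicated key-management service rather than in memory.

```python
"""Pseudonymisation vault plus retention purge (added example; not the
webinar's or any vendor's code). The vault, retention policy and sample
records are constructed assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


class PseudonymVault:
    """Re-identification store kept apart from the data it protects (assumption:
    separately access-controlled, ideally a KMS/HSM rather than a dict)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}     # subject -> per-subject secret
        self._lookup: Dict[str, str] = {}     # token -> subject

    def tokenize(self, subject: str) -> str:
        """Keyed hash of the identifier. The same person always yields the same
        token within one vault, which also helps the single-record goal."""
        key = self._keys.setdefault(subject, secrets.token_bytes(32))
        token = hmac.new(key, subject.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[token] = subject
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Authorized relinking (e.g. to answer a portability request)."""
        return self._lookup.get(token)

    def erase(self, subject: str) -> int:
        """Right of erasure: drop the key and every token that pointed at the
        subject. Tokens left in backups now point at nothing."""
        self._keys.pop(subject, None)
        stale = [t for t, s in self._lookup.items() if s == subject]
        for t in stale:
            del self._lookup[t]
        return len(stale)


def pseudonymise_records(vault: PseudonymVault, records: List[dict]) -> List[dict]:
    """Replace the direct identifier with a token before the record is stored
    or backed up; everything else is carried over unchanged."""
    out = []
    for r in records:
        copy = {k: v for k, v in r.items() if k != "email"}
        copy["subject_token"] = vault.tokenize(r["email"])
        out.append(copy)
    return out


# Assumed retention policy per purpose (Step 5: as short as the law allows).
RETENTION: Dict[str, timedelta] = {
    "newsletter": timedelta(days=730),
    "trade-show-lead": timedelta(days=365),
}


def purge_expired(records: List[dict], now: datetime) -> List[dict]:
    """Keep only records still inside their purpose's retention window.
    A purpose with no retention rule has no basis for keeping the data, so
    such records are purged as well."""
    kept = []
    for r in records:
        limit = RETENTION.get(r["purpose"], timedelta(0))
        if now - r["collected_at"] <= limit:
            kept.append(r)
    return kept


# Constructed sample input: two records for one grower, one for an agronomist.
SAMPLE_RECORDS = [
    {"email": "grower@example.com", "purpose": "newsletter",
     "collected_at": datetime(2018, 6, 1, tzinfo=timezone.utc), "crop": "corn"},
    {"email": "grower@example.com", "purpose": "trade-show-lead",
     "collected_at": datetime(2018, 3, 1, tzinfo=timezone.utc), "crop": "corn"},
    {"email": "agronomist@example.com", "purpose": "newsletter",
     "collected_at": datetime(2019, 1, 15, tzinfo=timezone.utc), "crop": "soy"},
]


if __name__ == "__main__":
    vault = PseudonymVault()
    recs = pseudonymise_records(vault, SAMPLE_RECORDS)
    print(len(purge_expired(recs, datetime(2019, 6, 1, tzinfo=timezone.utc))), "records retained")
    print(vault.erase("grower@example.com"), "token(s) unlinked")
```

The HMAC is keyed per subject rather than with one global key so that erasing one person never weakens anyone else's tokens, and so that a leaked token table alone cannot be brute-forced back to e-mail addresses.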
And just when you thought the GDPR was enough, there has been a recent addition called ePrivacy.
The proposed update to the GDPR through ePrivacy is targeted explicitly at marketing. Its purpose is to cover electronic communications, online marketing and advertising. Within this is a significant impact on marketing technologies. It’s meant to update the laws controlling the use of metadata, which is gathered through tracking technologies including, but not limited to, cookies.
From the E.U.’s perspective, this regulation aims to curb the profiling and behavioral advertising that underpins the adtech business model. They hope to achieve this by requiring transparency of purpose and explicit consent.
The language around this is pretty remarkable to a marketer. “The ePrivacy Regulation will hopefully help support alternative models that don’t use aggressive tracking by putting the emphasis back where it should be: respect for privacy. There will be a first-mover advantage for companies that embrace strategies which build in privacy by design and default. Going beyond mere compliance and offering an actual exchange of value with insights, incentives and offers in return for customers providing their data voluntarily without the use of opaque and intrusive tracking technologies.”
Our livelihood as marketers has become an insult to regulators, which is a window into where privacy issues will take us in the future.
Thriving Despite the GDPR
Dan Vanrenen, from a company called Taskeater in the U.K., has found ways to thrive within the GDPR, especially in the realm of B2B marketing. The way his company looks at it, the GDPR is about protecting personal data, not about stopping legitimate businesses from functioning.
Using personal data for lead generation and prospecting is essential to successful sales campaigns. But despite protecting personal data, the GDPR doesn’t stop prospecting or collecting leads. However, it does expect a higher degree of transparency and record-keeping during the sales cycle.
From Taskeater: "Under the GDPR, the personal data you collect should be adequate and relevant to the purpose of its processing." If you are doing this correctly, your target audience should not be surprised to hear from you.
Collect Only the Data You Need
Remember, minimizing the data is a tenet of GDPR. The keys to this are:
- Accuracy in selecting geography
- Appropriate industry
- Correct company size
- The proper person within an organization
It remains the responsibility of marketers to make sure that any lists they buy or rent are fully compliant under the new regulations.
Communicate Your Legitimate Interest in an Email
There are legal and appropriate bases, including legitimate interest, that allow you to collect and store data under the GDPR. Legitimate interest applies if your interests outweigh an individual's right to privacy.
Detailed record-keeping is the key to proving that your rights and an individual's rights are in balance.
If appropriately targeted, your prospects should find it easy to understand your legitimate interest.
You can include an explanation in your email about how you found their contact information and why you reached out to them. Also, provide control by making it easy to opt-out.
Opt-out and Mean It
Most CRMs are already GDPR compliant, so use those platforms correctly and include a simple way to unsubscribe. Suppress that address in your list, follow the process to remove that person from your system and stick to that process consistently over time.
Regularly Cleanse and Maintain Your Database
The GDPR requires you to regularly remove data you are not using or data that is no longer accurate. Tag or label your data to track your activities.
Prepare Messages for GDPR Complaints and Questions
This communication is where good record-keeping comes in. You should be able to explain where the data came from, why you are using it and why it is relevant to the data subject. Request records from your data suppliers to comply with this en masse.
GDPR compliance is an ethical framework for succeeding as marketers as the current privacy trend becomes our new reality. If we can all act as good stewards of individuals’ data, we will benefit by regaining the public's trust.
Resources, Credits and the Cure for Insomnia