In May 2018, the European Union will bring a new set of regulations into force on data privacy. The regulations have been discussed for years and will replace the current rules that are in the Data Protection Directive in the EU (the UK will need to adhere to this for any transfer of data from the EU).
These regulations will be supported by the Information Commissioner’s Office and will have a big impact on all companies that have customers in Europe. However, many marketers are either not aware of their new responsibilities, or they think compliance is solely an IT problem that won’t affect them.
What are these regulations and what do those in charge of customer data need to know?
The General Data Protection Regulation (GDPR for short) covers how personal data should be handled. This includes how individuals should be informed on how their personal data will be used, how individuals provide consent for its use (“freely given, specific, informed and unambiguous” consent; so no more implied consent or opt-out), and that individuals should always have control over data about them. While much of this is not new, as the EU Data Protection Directive covered this area, the GDPR adds more requirements, clarifies others and, as a set of regulations, provides a greater force of law.
The GDPR clarifies how to determine if information that you collect or process is personally identifiable. This provides organisations with greater clarity on what should be protected. It also clarifies that it’s not just about the information you hold, but the information that might be held downstream or in the public domain (i.e. can the combination of what you know and some other source be used to identify an individual).
There is also a category of “sensitive personal data” that has additional requirements on the collection and processing of the data. This category requires “explicit” consent for its collection and use - a checkbox in the browser is not sufficient. As with the EU Data Protection Directive, this includes racial or ethnic origin, criminal record, membership in a trade union, political opinions, religious beliefs, and sexual preference, but in addition the GDPR adds genetic and biometric information.
Additional significant changes include the potential need for a Data Protection Officer with sufficient resources, executive access, and independence, and potentially large penalties (up to 4% of turnover or 20M Euros) for failure to comply with the GDPR.
All of these changes - and the increase in penalties - aim to minimise the use of personal information by businesses. Where this data is necessary, businesses should use techniques to minimise the risk of breach or misuse of the data. These include the use of encryption, anonymisation, and/or pseudonymisation. Tokenisation is a form of pseudonymisation. Anonymisation is best left to data scientists. All of these techniques are mentioned and encouraged in the GDPR.
Given how important data analytics is to marketers today, it’s critical to understand how GDPR will affect how you run analytics programmes over time.
For analytics, the availability of data is paramount. The more insight that you can get into customer behaviour, the more likely it is that you can get accurate forecasts and insights into other customers and prospects. Using this information can help with customer-experience services and recommendation services.
However, determining what is personally identifiable information and whether the individuals have properly consented to its use can make this more difficult to run in practice. I always recommend that data collectors validate that they actually need to collect and process personal information, or pass it on to a third party for additional analytics. In the case of passing it on to a third party, any onward transfer requirements have to be validated to meet all necessary security and privacy requirements.
Running analytics programmes
For marketers, getting initial consent on use of data is one hurdle. However, other issues such as the use of third-party data, and data deletion over time, also have to be considered. Putting the right processes in place for how you acquire and manage data should therefore be a priority.
To get this started, collaborate with your internal data privacy team. This will mean looking at your vendors to ensure that the appropriate legal language for data security and privacy is in place within your contracts. This is a requirement if you are transferring data to those vendors to process, even if they are not viewing it or sharing it.
Next, look at your approach to delivering analytics. Are you making use of marketing analytics services that take your customer data and provide results back to you? If so, you’ll have to check that they meet all these data protection requirements. Many suppliers are based outside of the EU, so be aware of the appropriate legal frameworks such as the EU-US Privacy Shield, EU model clauses, and binding corporate rules (BCR). These may change over time based upon legal decisions, such as the invalidation of the US-EU Safe Harbor framework by the European Court of Justice.
Awareness of where your data might be transferred should be a priority. It’s possible to run your own analytics services in-house, on a private cloud, or via public cloud services, so check how these options might fit with your own requirements on data privacy specifically related to requirements for onward data transfer.
Finally, be aware of how the right to remove consent for use (opt out) might affect your use of the data. Putting an appropriate plan in place, from the start, on how to remove customer records can help you in the longer term.
As more companies utilise data for helping make marketing decisions, the role of analytics will become more important. Making sure that your approach to analytics meets the necessary guidance on data security and privacy will therefore be essential.
About Rick Spickelmier
Rick Spickelmier, CTO at Birst, is responsible for architecture, security, privacy and big ideas for Birst. Rick brings over 20 years of wide-ranging software development experience, including experience in enterprise architecture, databases and on-demand applications. Rick has been senior director of technology at Geac, CTO at Extensity, worked in a number of management, architecture and development roles at Objectivity, and was on staff at the University of California, Berkeley. Rick has participated as a panelist and presenter at numerous conferences and industry events and has authored several books and publications.