The General Data Protection Regulation (GDPR)…it’s certainly been getting our compliance team buzzing! So, what’s all the fuss about?
It’s demanding a lot of attention, particularly in compliance circles (yes, we compliance folk network too!), so we thought we’d bring you a more digestible (and tastier) piece on what the GDPR will be bringing to the table.
Much like an older sibling, the GDPR is set to govern its territory, and bring into focus aspects of the Data Protection Act 1998 (DPA) that perhaps some of us haven’t taken so seriously in the past.
We are now all aware of the principles set forth, but here’s a bite-sized overview of the key elements for those GDPR enthusiasts amongst you (we know there are some):
Accountability – businesses must demonstrate, through organisational and technical measures, not just that they comply with the GDPR, but how they comply
Lawful processing – businesses must identify and document their legal basis for processing data and ensure they collect free, specific and unambiguous consent from consumers (explicit consent)
Children’s data – organisations need to enhance their protective methods surrounding the collection and processing of children’s data
Subject access requests – internal procedures will need to be brought up to scratch to be able to efficiently respond to subject access requests, within a shorter time frame
The rights of individuals – the GDPR provides individuals with several rights: the right to be informed, the right of access, the right to erasure, the list goes on…
Transparency – an element of the GDPR which highlights the importance of clear and concise privacy notices to effectively communicate how, why, and by whom data is collected/processed
Data breaches – more emphasis will be placed upon the requirement to notify the supervisory authority of a serious data breach, and within a stricter time frame too (72 hours – eek!)
Privacy by design – building a compliance culture within your organisation is imperative to effectively manage the impact on privacy a new project/process may have. We’ll also see the more formal adoption of Data Protection Impact Assessments (DPIAs) and Privacy Impact Assessments (PIAs)
International transfers – transfers of personal data outside of the EEA must be adequately protected to ensure that the level of protection afforded by the GDPR is not undermined
To whip businesses into shape, the new regulation has put more weight behind the consequences of getting privacy requirements wrong – we’ve all heard about the eye-watering fines; the higher being €20 million or 4% of global turnover. However, although these fines have certainly achieved their goal of setting the authoritative tone of the GDPR, here at hps, we have decided to look at the GDPR a little differently…
Just like a younger sibling following in the footsteps of an older brother or sister, we believe that we have an opportunity for learning at our feet.
The GDPR is consumer-driven. You could say that the GDPR is a blueprint for how our customers want to be marketed to. In turn, the GDPR sets forth tangible ways of propelling ROI by encouraging us to bin the ‘splatter-gun’ approach and to draw our expertise to ‘hot’ prospects.
Furthermore, if we flip the idea of data ownership on its head (bear with me), and acknowledge that the owners of the data are the data subjects themselves, not the Data Controllers, then we believe the opportunity to provide a relevant, considered and symbiotic service to our consumers presents itself. Our goal, as brands and marketers alike, is to get to know our consumers better in order to deliver effective campaigns, and the GDPR could be the key to unlocking our most targeted strategies yet.
By giving control back to our consumers, and affording them the resources to tailor the services/comms they are receiving (hat tip to explicit consent), we could achieve truly ‘targeted’ marketing, and better yet, engage with individuals who want to hear from us, individuals who are already invested in the brand.
It’s easy to forget that we are all consumers ourselves. We’ve all experienced the irritation associated with receiving nuisance, irrelevant marketing pieces. I may be slightly biased, coming from a compliance background, but as a consumer, I feel all warm and fuzzy inside when I’m receiving marketing messages that are relevant to me – the feeling that the brand is just as interested in getting to know me, as I am in getting to know them.
Although a slightly ominous prospect at first, explicit consent is fast becoming a tool for insight – from the start of a consumer’s journey, to the end, we can understand exactly what our consumers want us to deliver, because they’re telling us.
Already, organisations are working on their own interpretations of explicit consent and what its implementation will mean for their businesses, but one thing is clear – it will be no mean feat, but no doubt more of an opportunity than first envisaged.
The essence of the GDPR breathes life into our ethos here at hps, “bringing brands closer to customers”, and we believe that the principles of the new regulation, and the consumer drive behind it, will further enable us to do just that.