GDPR and the Trend Toward Privacy

by Sara Steever
September 26, 2019 • 16 minute read

Paulsen was invited to present a webinar on the GDPR and the trend to privacy as part of the National Agri-Marketing Association 2019 webinar series. If you registered for the original recording, the archived version is here: https://nama.org/past-webinar-links.

If you were not able to participate in the webinar, here is a recap on a topic that is pressing for everyone in agri-marketing.

Before proceeding, please note that we are not attorneys, and this article should not be considered legal counsel.

What is the GDPR?

GDPR stands for General Data Protection Regulation. It is the European Union’s law on data protection and privacy, adopted in 2016 and applied from May 25, 2018. Importantly for marketers, it is part of a broader trend of giving individuals control of their data. It is complemented by a separate proposal, the ePrivacy Regulation, which covers electronic communications and tracking. Other laws have followed in the U.S., such as the California Consumer Privacy Act and the Vermont data broker law. Taken together, these define the trend toward privacy from the perspective of the individual.

The rights of “data subjects” (individuals) include:

  • The right to be forgotten
  • The right to data portability
  • Rights regarding automated processing
  • The right to know of a breach or hack of one’s data

Why was the GDPR enacted?

Opinion writers on the E.U. side see themselves culturally as putting privacy first, and see the U.S. as a country governed by Silicon Valley—at least when it comes to data protection.

The Economist reports that the “E.U. is pioneering a distinct tech doctrine that aims to give individuals control over their information and the profits from it, and to pry open tech firms to the competition.”

Keep in mind that of the top 20 most valuable tech firms in the world, 15 are in the U.S., and only one is in the E.U., which at the time of this writing is Spotify. Consider that, and the fact that more and more, data represents power. To return power to the people and to prevent anti-competitive behavior, the E.U. is regulating data through the GDPR.

As the Financial Times explains, this is the so-called Brussels Effect in action. “The E.U. tends to write rules for itself and then lets the gravity of its huge market pull other economies into its regulatory orbit.” Faced with multiple regulators, businesses tend to build to the strictest standard rather than maintain one process per jurisdiction, and the E.U.’s standard is usually the strictest. That is the Brussels Effect.

As it turns out, the Brussels Effect is affecting all of us.

GDPR Is a Law with Consequences

I know of companies in the U.S. who are currently blocking all website traffic from E.U. IP addresses until they are sure they comply.

There are also hefty fines in place for violations: for the most serious infringements, up to €20 million ($22,493,000 at the time of writing) or four percent of worldwide annual turnover, whichever is higher. Because there is little case law yet, many questions about how the fines will be applied remain open.

Even though the penalties are pretty stiff, keep in mind this is the worst-case scenario for fines, and only a handful of fines had been issued at the time of writing. The spirit of the GDPR is less draconian than initially thought, but still not something to take lightly. It is just the point of the spear in terms of personal data control and protection.

What does this mean for my company?

Thinking about the implications of these privacy rights is a window into how far-reaching this trend is. Here are just a few of the steps for organizations to take:

Hire a Data Protection Officer and Build an Inclusive Internal Team

Within the E.U., all public authorities must appoint a Data Protection Officer (DPO). There is no blanket exemption for small and medium-sized businesses: the obligation depends on what you do with personal data, not on headcount. (The 250-employee threshold that often comes up in this context concerns the record-keeping obligation in Article 30, not the DPO.)

You must appoint a DPO if your core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (such as health or biometric data) or data about criminal convictions. If you are in the business of data, you probably need a DPO.

The role of the DPO might also be a job for a cross-discipline team of people. Include legal counsel, members of the I.T. team, human resources, marketing, finance and so on. Assembling a group of different disciplines from your organization will demonstrate an effort at compliance, and documented, good-faith efforts count: supervisory authorities are required to weigh the measures you took and your cooperation when deciding on a penalty.

Plan for a Data Audit and Ongoing Governance

Get your arms around what you are collecting, where you are storing it and its security. Identify collection points, including the forms on your website and where that form data is stored. Consider where customer records and transactional data are stored and how you will govern and secure them.

If your company keeps personal data in permanent storage, plan for a data protection impact assessment (DPIA). The GDPR requires one before starting any processing that is likely to result in a high risk to individuals (large-scale profiling or processing of sensitive data, for example), and it is good practice for any new project that touches personal data. A DPIA is a thorough audit of your organization’s collection, processes and governance to identify compliance risks and how to mitigate them.

To make things more straightforward in the future, work to achieve the goal of having a single entry for a data subject for efficient compliance. Prepare communications and processes to provide transparency in data processing, and ensure that consent by data subjects is “freely given, specific, informed and unambiguous.”

Where are we headed?

This trend toward privacy corresponds with a softening in the growth of third-party data platforms and a stronger growth pattern in the use of first-party data platforms. On a recent Google Marketing Live broadcast, the company discussed changes, including replacing personalized ads with contextual ads, supported by artificial intelligence, machine learning and user controls.

The Facebook family of properties (Facebook, WhatsApp, Messenger, Instagram) will also trend toward increased privacy through growing reliance on private groups, encryption of user data and reducing the permanence of information.

To sum it all up, this trend is just beginning, so data stewardship and user rights will impact marketing permanently.

Rights Under the GDPR

Transparency in Data Processing

This transparency puts the responsibility squarely on the company to use plain language (even though, ironically, the GDPR is not written plainly) and make it easily accessible. No technical jargon or legalese; the goal is for people to be able to understand their rights and take control of their data.

Clear on Consent

Consent must be “freely given, specific, informed and unambiguous.” In cases of sensitive personal data, it must also be “explicit.”

That statement means you cannot bury the request for consent inside another legal document. It needs to stand out clearly and plainly.

Data Subjects’ Rights

Right to Be Forgotten

The right to be forgotten is a key tenet of the GDPR. The “right of erasure” means the complete removal of your data from a company’s system.

If a company no longer needs your data, or if they used or collected your data unlawfully, then you have the right to demand deletion.

There are notable exceptions to this rule. For example:

  • The data is needed to exercise the right of freedom of expression and information
  • Or there is a legal obligation to keep that data
  • Or for reasons of public interest (e.g., public health or research purposes)

Right to Data Portability

Next is the right to data portability: the ability to receive the data you provided to a controller (or company) in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible. If you want to change doctors, your records should arrive at the new clinic in a format it can actually use, not as a stack of scanned PDFs.

The right applies to data the individual provided, processed by automated means on the basis of consent or a contract. The GDPR does not say much about what happens when legacy systems cannot produce a usable export, so expect to do some work on the systems that hold the data rather than on the request itself.

Rights in Automated Processing

You have rights regarding automated processing—an interesting aspect of the GDPR.

Regarding automated processing, you have a right not to be subject to a decision based solely on automated processing, including profiling, when that decision produces legal effects or similarly significantly affects you. For example, if you applied for credit and an algorithm rejected your application with no human involved, you have the right to obtain human intervention, express your point of view and contest the decision.

Separately, you can object at any time to the processing of your data for direct marketing, including any profiling that supports it, and the marketer must stop. As marketers, we will have to watch this closely!

Of course, there are exceptions. Decisions can be made solely on automated processing if the decision is:

  • Necessary for entering into or performing a contract
  • Authorized by E.U. or member state law
  • Based on the individual’s explicit consent

Even under the contract and consent exceptions, the individual keeps the right to human intervention.

Personal Data Breach

In the E.U., if customer or employee personal information is stolen, lost or accessed without authorization, the breach must be reported to the supervisory authority within 72 hours of the company becoming aware of it, unless it is unlikely to result in a risk to the individuals concerned. Each E.U. member state has its own supervisory authority (the data protection authority), and a company reports to the one in the member state where its main establishment is.

Data Breach in the U.S.

The U.S. has resources to help you understand what you need to do if you have a data breach, which varies state by state. One look at the breach notification page of the National Conference of State Legislatures (NCSL) will help you understand why it might be a good idea to have a U.S. federal law similar to the GDPR.

Privacy in the U.S.

There is no national legislation in the U.S. that is comparable to the E.U.’s GDPR. However, legislation in California may set a precedent for further regulation.

California Consumer Privacy Act (CCPA)

I mentioned the Brussels Effect earlier, and certainly the GDPR has influenced what is happening in California, where the new law overlaps with it substantially. Here’s an overview of California’s privacy law for its residents:

  • Effective January 1, 2020
  • Requires businesses to disclose the categories of personal data collected, the purposes for collecting and selling it, and the categories of third parties with which it is shared
  • Gives consumers the right to opt out of the sale of their personal data
  • Allows businesses to offer financial incentives for the collection of personal information, as long as the incentive is not discriminatory
  • Prohibits selling the personal data of consumers under the age of 16 without affirmative opt-in consent
  • Gives consumers a private right of action for certain data breaches, on top of California’s existing breach notification law

Complying with the GDPR covers most of the actions of complying with CCPA. However, the argument goes that a U.S. federal law would avoid inconsistent and overlapping legislation, as we see with breach notification laws that vary across all 50 states.

Vermont Data Brokers Regulation

The first state to pass an act regulating the collection and brokerage of data was Vermont, in 2018. Not much has been said outside of certain circles because it very explicitly targets data brokers. The primary tenets are:

  • Data brokers must register annually with the state of Vermont
  • They must maintain a written information security program with standard security measures
  • They must report security breaches
  • Acquiring brokered personal information by fraudulent means, or using it for stalking, harassment, fraud or unlawful discrimination, is prohibited

What is unclear to me after reading the law is to whom it pertains. Is it brokers with a business address in Vermont or brokers that collect information on residents of Vermont or brokers that sell data within Vermont? The odds are that most data brokers fall into one of those categories. So to be in business today probably means being governed by this law.

Other Considerations of the GDPR

Does Not Apply to Anonymized Data, Including Data Used for AI

When the data used for AI or analytics is truly anonymized, meaning no individual can be identified from it by anyone with reasonable means, the GDPR does not apply to it. This caveat is good news for marketers because we rely on this data. Two cautions: pseudonymized data (a hashed e-mail address, a customer number) is still personal data and stays in scope, and the act of collecting the data in the first place still needs a lawful basis and notice, including a cookie policy for tracking. Only the anonymized output is out of scope, which is why the right to erasure does not apply to it.

I know of marketers that no longer use any of Facebook’s demographic data in target marketing for their real estate client because of potential unintended discrimination.

Freedom of the Press

There is a specific effort within the new data protection rules to take into account the freedom of the press. Journalists can still protect their sources. The E.U. member states are required, when necessary, to provide for exemptions to the press in their national laws, too.

Clear Consent

If a company collects consent for a particular purpose, and then wants to use the data for a different purpose, or forward it to a third party, they must ask for consent again.

We all had a flood of emails re-confirming consent in the buildup to May 25, 2018—and this is exactly what all of these companies were attempting to establish and document.

As marketers, the way we write our policies associated with consent needs always to be looking to the future.

Breaking the GDPR

Penalties for violation of the GDPR are frightening! However, it is a range of penalties. As well as fines, there are warnings, reprimands and orders to comply with the data subject’s requests.

The fines themselves come in two tiers: up to €10 million or two percent of worldwide annual turnover for failures such as poor security or missing records, and up to €20 million or four percent of worldwide annual turnover for breaches of the core principles, data subject rights or transfer rules, in each case whichever is higher. Those are absolute maximums. Actual fines depend on the specific situation: the nature and gravity of the infringement, whether it was intentional or negligent, and what the company did to mitigate it. Good faith efforts in compliance are taken into account.

Video Surveillance Is Covered, Too

Video surveillance is probably only relevant if you have a location in the E.U.; however, it is good to be aware that it is covered. In general terms, minimize the amount of video you collect. In the E.U., institutional buildings are required to post notices of surveillance that state the purpose of the recording, who operates it and how long footage is retained. One of the early fines handed out under the GDPR was for misuse of video recording.

Compliance

“GDPR compliance is not possible without quality data, data management practices and the advanced capabilities to curate it.” – Forbes

Data Protection Step by Step

Here is a handy compliance checklist—hat tip to Proskauer.com. You should visit their website because unlike me, they are attorneys!

Step 1: Data Audit

  • Data Protection Impact Assessment (DPIA)
  • Done before any project whose processing of personal data is likely to be high risk
  • Goal is compliance
  • Determines risks and effects
  • Assesses policies and processes

An excellent place to start is a data audit. We discussed a DPIA earlier, which covers processes and procedures that measure risk regarding compromising the privacy of the individuals whose data are being stored, collected or processed.

The DPIA achieves three things:

  • Ensures compliance with legal, regulatory and policy requirements
  • Identifies the risks and effects
  • Evaluates protections and alternative processes to mitigate risks

Step 2: Structures for Processing Employee, Client and Customer Data

  • Create a single record for every person
  • Include ERP, CRM, structured data, unstructured and transient data
  • Watch for misspellings, duplicate names
  • Practice data minimization

Most of the conversations we have had with clients around GDPR center on website data—that seems to be what most people think of first with GDPR. It is my opinion that website data is probably the easiest part of your data ecosystem to tackle. What is more difficult is dealing with the data stored on internal systems.

Your overall goal is creating a single record for every data entity or person. This individual entry makes it far more feasible to comply with the right of erasure or portability. However, this is deceptively difficult to do because of data silos, infrastructure and legacy systems.

The single-record goal is where a modern ERP or CRM platform can help, but that mainly covers structured data. There might also be unstructured data, like location data or data stored in apps and any number of places. And you have to account for misspellings or duplicate names, family name repetition and other challenges. Anyone that has worked with ag data can attest to this!

Companies that have always had good data structure, hygiene and governance will have less of a challenge with compliance. However, companies plagued by disparate systems and data structures have a lot more to do than adding a cookie policy to their website.

Finally, remember that the GDPR wants you to collect as little data as possible. Collect only the data you need and only for a limited time—with exceptions.

Step 3: Data Protection Policies and Notices

Privacy policies have been around for decades, but as stated earlier, they need to be written in plain language and consented to in an obvious manner.

You also now need a cookie policy with the same criteria if you are tracking people on your site. Here’s an example from the U.K.’s Telegraph: https://www.telegraph.co.uk/about-us/privacy-and-cookie-policy/. They used 15 different categories to organize their policy, ranging from what they collect to adblockers to what to do if you believe they are not compliant.

One important thing to put in your policy is where the data is stored. And, the Cloud is not literally a cloud, so know the region of every data center that holds a copy of your data, including replicas and backups. A copy that lands outside the E.U. is an international transfer, with the rules that come with it.

From a web development perspective, the technology you need to add these notices is pretty straightforward and often comes in a simple plugin or an additional bit of code.

The more significant challenge is writing for future use of data, especially with the way that explicit consent works. Remember that if you decide down the road to use data for a different purpose than originally intended, then you will need to ask for permission again.

If you have gone through asking for consent a second time you know what that can do to the size of your subscriber list.

Finally, documentation is essential. You must have a trail of proof points of consent for everything you are doing with your data.

Step 4: Agreements about the Transfer of Data, Including International Transfers of Data

Of everything we have covered, the transfer of data is the most complex. In general, the GDPR permits “data transfers to a third country or international organization subject to compliance with set conditions, including conditions for onward transfer.” In practice, the conditions are met either by an adequacy decision for the destination country or by appropriate safeguards such as standard contractual clauses with the recipient.

If you need to transfer data, get legal counsel.

Step 5: Default Data Retention Periods

The next step is to set policies based on retaining data for the least amount of time possible while still complying with the law. There may also be data you have stored from which you cannot delete specific records, such as backup tapes. In those cases, encrypting each person’s data under its own key (so that deleting the key is equivalent to deleting the record) or anonymizing the data before it is archived are ways to remain compliant.

Step 6: Processes for Handling Data Breaches

1. If the breach is likely to be of high risk to a person’s rights and freedoms, the company needs to inform the persons affected without undue delay, in addition to notifying the authority. High risk would be something like credit information, social security numbers or health information. It is a little gray on whether it includes someone’s physical address.

2. When you report, use clear and plain language in the following four areas (from gdpr.eu):

  • Describe the nature of the personal data breach including the categories and approximate number of people involved.
  • Communicate the name and contact details of the data protection officer.
  • Describe the likely consequences of the personal data breach.
  • Describe the measures taken or proposed to be made by the company to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

3. Communication to the individuals is not required if any of the following applies:

  • Appropriate protection measures apply to the data affected by the breach, such as encryption that renders it unintelligible to anyone without the key.
  • The company has taken subsequent steps to ensure that the high risk to the persons is no longer likely to materialize.
  • Contacting the persons individually would involve disproportionate effort. When that’s the case, a public communication or similar measure that informs them equally effectively is required instead.

Note that if the company has not communicated the breach to the affected persons, the supervisory authority can order it to do so, or can decide that one of the conditions above applies.

Step 7: Data Protection by Design and by Default

I think this represents the E.U.’s long-term goal for the GDPR.

  • This concept within the GDPR is not new. Previously known as “privacy by design,” it was a recommended principle under earlier data protection law. Article 25 of the GDPR now makes it a binding legal requirement.
  • Plan for data protection and privacy issues from the beginning. Not only for compliance with GDPR’s fundamental principles and requirements but a focus on accountability when data is involved.
  • Safeguard data through appropriate technical and organizational measures.
  • Integrate data protection into your business processes, from the design stage through the lifecycle of the data.

Step 8: Data Security

Finally, a few key points about data security:

  • Ensure that the software, systems and processors you are using support GDPR compliance. Most CRM systems such as SharpSpring, Hubspot, Marketo and Salesforce offer data processing agreements and the controls you need, but no vendor makes you compliant on its own: you remain responsible as the controller, and you need a written data processing agreement with each processor. Also remember that the CRM might not be the only place where your data is stored.
  • Securing data also means you need to regulate who has physical access to data. Keep records of who has access and their level of clearance as part of the required GDPR documentation.
  • If your company processes data, document the use of physical and electronic access controls.
  • Anonymize, encrypt or pseudonymize data whenever possible for an extra level of security. Pseudonymized and encrypted data are still personal data, but a breach of them is far less likely to require notifying the individuals.
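
The two techniques mentioned in Step 5 (encrypting data in backups you cannot selectively delete from) and in this list (pseudonymizing and encrypting personal data) fit together, as the following added example shows. It is not code from the original article or from any vendor the article names. It uses only the Python standard library: the cipher is an encrypt-then-MAC construction over an HMAC-SHA256 counter-mode keystream, standing in for AES-GCM, which is what you would use in production. All names (SubjectVault, PSEUDONYM_KEY, the sample record) are constructed for this illustration.

```python
"""Crypto-shredding and pseudonymization: per-subject keys let you honour an
erasure request even when the ciphertext lives in immutable storage.

Added example; not the article's or any vendor's code. Standard library only:
HMAC-SHA256 in counter mode plus a separate HMAC tag stands in for AES-GCM.
"""
import hashlib
import hmac
import json
import secrets

# Site-wide secret for the keyed hash (constructed here; keep it in a KMS/HSM).
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of a direct identifier such as an e-mail address.

    Stable, so records can still be joined, but not reversible without the
    key, so the archive never carries the identifier in clear. Pseudonymized
    data is still personal data under the GDPR; this is a safeguard, not an
    exemption."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one data key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream-cipher keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before touching the ciphertext; rejects any tampering."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def is_authentic(key: bytes, blob: bytes) -> bool:
    """Integrity check, e.g. for verifying a restored backup before use."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class SubjectVault:
    """One data-encryption key per data subject.

    `archive` stands in for storage you cannot selectively delete from
    (backup tapes, WORM buckets). Only `keys` needs to be mutable: destroying
    a subject's key renders every archived copy of their record unreadable,
    which is how erasure is honoured without rewriting the backups."""

    def __init__(self) -> None:
        self.keys = {}      # pseudonym -> data key (mutable key store)
        self.archive = {}   # pseudonym -> ciphertext (append-only)

    def store(self, identifier: str, record: dict) -> str:
        token = pseudonymise(identifier)
        key = self.keys.setdefault(token, secrets.token_bytes(32))
        self.archive[token] = encrypt(key, json.dumps(record).encode())
        return token

    def read(self, identifier: str):
        token = pseudonymise(identifier)
        if token not in self.keys or token not in self.archive:
            return None   # key gone: the blob is indistinguishable from noise
        return json.loads(decrypt(self.keys[token], self.archive[token]))

    def erase(self, identifier: str) -> bool:
        """Right to erasure: crypto-shred by deleting the key, not the blob."""
        return self.keys.pop(pseudonymise(identifier), None) is not None


if __name__ == "__main__":
    vault = SubjectVault()
    vault.store("alice@example.com", {"name": "Alice", "crop": "soy"})  # constructed sample
    print(vault.read("alice@example.com"))   # the record comes back
    vault.erase("alice@example.com")
    print(vault.read("alice@example.com"))   # None: blob still archived, key is gone
```

The design point is that the key store is the only system that has to support deletion, so it can be small, well-governed and backed up on a short retention cycle, while the bulk archive stays immutable. Rotating PSEUDONYM_KEY would break the join between old and new tokens, so treat it as a long-lived secret with its own access controls.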

ePrivacy

And just when you thought the GDPR was enough, there is a companion piece called the ePrivacy Regulation. It is intended to replace the 2002 ePrivacy Directive (the source of the cookie banner) and, at the time of writing, is still a proposal working its way through the E.U. legislative process.

Its purpose is to cover electronic communications, online marketing and advertising. Within this is a significant impact on marketing technologies. It’s meant to update the laws controlling the use of metadata, which is gathered through tracking technologies including, but not limited to, cookies.

From the E.U.’s perspective, this regulation aims to curb the profiling and behavioral advertising that underpins the adtech business model. They hope to achieve this by requiring transparency of purpose and explicit consent.

The language around this is pretty remarkable to a marketer. “The ePrivacy Regulation will hopefully help support alternative models that don’t use aggressive tracking by putting the emphasis back where it should be: respect for privacy. There will be a first-mover advantage for companies that embrace strategies which build in privacy by design and default. Going beyond mere compliance and offering an actual exchange of value with insights, incentives and offers in return for customers providing their data voluntarily without the use of opaque and intrusive tracking technologies.”

Our livelihood as marketers has become an insult to regulators, which is a window to where privacy issues will take us in the future.

Thriving Despite the GDPR

Dan Vanrenen, from a company called Taskeater in the U.K., has found ways to thrive within the GDPR, especially in the realm of B2B marketing. The way his company looks at it, the GDPR is about protecting personal data, not about stopping legitimate businesses from functioning.

Using personal data for lead generation and prospecting is essential to successful sales campaigns. While the GDPR protects personal data, it doesn’t stop prospecting or collecting leads. It does, however, expect a higher degree of transparency and record-keeping during the sales cycle.

From Taskeater: “Under the GDPR, the personal data you collect should be adequate and relevant to the purpose of its processing.” If you are doing this correctly, your target audience should not be surprised to hear from you.

Collect Only the Data You Need

Remember, minimizing the data is a tenet of the GDPR. The keys to this are:

  • Accuracy in selecting geography
  • Appropriate industry
  • Correct company size
  • The proper person within an organization

It remains the responsibility of marketers to make sure that any lists they buy or rent are fully compliant under the new regulations.

Communicate Your Legitimate Interest in an Email

There are lawful bases other than consent, including legitimate interest, that allow you to collect and store data under the GDPR. Legitimate interest applies where your interests are not overridden by the individual’s interests, rights and freedoms, which you establish and document with a balancing test before you start. Keep in mind that marketing e-mail is also subject to the ePrivacy rules in each member state, which may require consent regardless of the GDPR basis.

Detailed record-keeping is the key to proving that your rights and an individual’s rights are in balance.

If appropriately targeted, your prospects should find it easy to understand your legitimate interest.

You can include an explanation in your email about how you found their contact information and why you reached out to them. Also, provide control by making it easy to opt-out.

Opt-out and Mean It

Most CRMs provide the tooling you need to honor opt-outs, so use those platforms correctly and include a simple way to unsubscribe. Suppress that address in your list, follow the process to remove that person from your system and stick to that process consistently over time.

Regularly Cleanse and Maintain Your Database

The GDPR requires you to regularly remove data you are not using or data that is no longer accurate. Tag or label your data to track your activities.

Prepare Messages for GDPR Complaints and Questions

This communication is where good record-keeping comes in. You should be able to explain where the data came from, why you are using it and why it is relevant to the data subject. Request records from your data suppliers to comply with this en masse.
