We now have a digital infrastructure that was unimaginable 20 years ago and data protection laws are converging across the globe. In the past, businesses would tend to see themselves as the owners of data, but the new General Data Protection Regulation (GDPR) places the power back into the hands of consumers. They have been given back control of their data, with new and stronger rights.
Consumer trust is ever more central to both business and the public sector, and a rapidly expanding digital economy is asking more questions of us all. GDPR mirrors the DMA’s long-held view about the need to place consumers at the heart of everything we do – and echoes our commitment to a code that enshrines five key principles:
- Put your customer first
- Respect privacy and meet your customers’ expectations
- Be honest, be fair, be transparent
- Exercise diligence with data
- Take responsibility, be accountable
By looking at how these key principles interlink with the main themes of GDPR, marketers will better understand their role within GDPR and how they should act accordingly.
Why does compliance with GDPR require organisations to put the customer first?
At the heart of the GDPR is the power of accountability, a key driver in ensuring companies can truly demonstrate compliance with the new legislation. The principle of accountability forces all companies to view what they do through the eyes of the customer and put the customer's needs first. It makes them take a step back, look at everything they do with data and be able to produce evidence of why a decision was made. The Information Commissioner’s Office (ICO) has elevated the importance of accountability and made it a priority.
“Arguably the biggest change [as a result of the GDPR] is around accountability. The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks,” Elizabeth Denham, UK Information Commissioner, said in January 2017. “It’s about moving away from seeing the law as a box-ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”
Accountability must be driven from the top down, from the boardroom throughout the entire organisation, so that a cultural drive towards compliance can be demonstrated. Ensuring an organisation builds a culture of accountability, transparency and trust is the responsibility of the CEO working closely with the Data Protection Officer (DPO).
Does meeting customers’ expectations mean respecting their privacy?
Privacy is a key ingredient of accountability and is an important aspect of meeting consumer expectations. It should be embedded into every process from the beginning. Each organisation must make its own assessment, and take privacy into account when developing products and services.
It is up to senior management to lead by example and implement data protection principles throughout the company, and ensure that training around data privacy and GDPR compliance goes beyond employees in the legal and compliance teams. It is everyone’s responsibility.
How can marketers be honest, fair and transparent with consumer data?
Fundamentally, accountability requires marketers to interrogate their processes by making sure data is collected lawfully, fairly and transparently in the first place; it must be securely stored, and legally and securely processed or moved. Ultimately, it is about being able to produce evidence that you have complied with GDPR.
All marketers should have answers to questions like:
- Why are we collecting this?
- What legal grounds do we have to do this?
- What impact will it have?
- What are the risks to consumer privacy?
- How will the personal data be kept safe and secure?
Many organisations will need to make fundamental changes to update internal business processes.
What measures should you implement to exercise diligence with consumer data?
A variety of strategies and measures, listed below, can be implemented to help mitigate potential risks to individual privacy. Marketers should be aware of them, implement them where appropriate and ensure any steps towards demonstrating compliance are recorded and fully visible.
- Carrying out a data audit is a useful first step towards accountability.
- Data Protection Impact Assessments (DPIAs) are tools designed to help organisations assess the privacy impact on individuals where the processing is likely to result in a high risk to their rights and freedoms. The assessment results can then be used to identify ways to mitigate the risks or take another approach to avoid them.
- Data minimisation is the idea that marketing teams should only collect personal data that is required to meet their objectives. This has always been a key requirement of data protection law, but the GDPR emphasises it. For example, a direct mail campaign aimed at an affluent postcode area may only need names and addresses to succeed. Therefore, only names and addresses should be collected for marketing campaigns, rather than also requesting emails and other types of personal data.
- Data retention periods: This is where an organisation promises to only hold a piece of personal data for a limited period. It is also a key requirement of current data protection law. For example, once the marketing campaign is complete, the personal data is deleted.
- Transparency: Examine your privacy and information notices to ensure that they’re written in clear and plain language suitable for your target audience.
- Encryption and hashing: Use these techniques to protect the personal data and to prevent data subjects being identified in the event of a breach.
- Preference centre: This is about giving people as much control as possible over the personal data you hold about them. For example, an organisation could allow people to access personal data held about them and update it on their website. DMA research shows that consumers want more control over their personal data.
Take responsibility, be accountable
These measures will help marketers and organisations to lower privacy risks and are a crucial part of taking responsibility and being accountable for your consumers’ sensitive information. Once you understand and accept the accountability elements of the GDPR, you will be in a stronger position to adapt, evolve and respond to issues from May 25 2018.
Companies that build a culture with accountability at their core show a clear intent to be GDPR compliant and can expect a more collaborative approach from the ICO, should challenges arise.
Assuming that you and your organisation take this on board, we will move towards a landscape where brands truly place their customers first, genuine and transparent value exchanges occur, and both business and consumer are equally protected.