Data privacy and security are two completely different agendas, but what they have in common, is that they rarely come by default. The digital marketing industry needs to find the right ways of addressing these two separately, for both minimising privacy threats and providing strong security posture at the same time. Below we have some thoughts on how this can be achieved.
Why security and privacy are essential but not interchangeable?
Companies that take appropriate technical and organisational measures to ensure data they store resides safely on their in-house or outsourced infrastructure are following, what is referred in GDPR as the security principle (note: not the privacy principle).
Following it usually involves conducting anything from controlling organisational policies to relying on cybersecurity services for comprehensive risk assessments. Similar obligations will also have to be addressed by data processors, so companies that deal with data, as instructed by data controllers.
Data processors too will have to provide enough evidence, if requested, to prove the process and transfer customers data in a manner that ensures appropriate security of the sensitive information. Depending on the type of data they are dealing with, it might be even obligatory for companies to use extra security measures such as encryption and pseudonymisation.
Since the set of obligations that will have to be met under the GDPR safety principle require implementing right practices, and cybersecurity measures e.g software to mitigate damaging consequences of malicious cyber attacks, security emerges as a term that describes the efforts that come with building resilience against very “external threats”.
Privacy, on the contrary, is broadly understood the right of any individual, to be let alone and carry on unbothered. Usually, when we say that someone's data privacy was violated, we mean that regardless their will they have lost or been deprived the ability to control, manage, delete and even influence the flow information about them. The threat then comes from bad data management and as a result can be classified as an example of internal threat, as it comes directly from the company that orders the collection and manages processing process of that data.
One can imagine possible privacy threat scenarios how marketing companies might fail under this rule. Beginning from the excessive collection or disclosure of personal information to missus of that information without obtaining unambiguous consent. Empirical examples of these activities include aggressive marketing behaviours that include - abusing the “legitimate interest” for continuous tracking customers around the Web or the pre-ticked boxes generating forced consent for accessing sensitive information.
Achieving the right balance
Achieving the right balance between security and privacy measures can be a daunting task for marketers, yet it has never been more important to go with the legislative flow than it is now. To quote the sixth director of F.B.I Robert Mueller - “There are only two types of companies: those that haven’t been hacked and those that will be”. With the growing rise of cybersecurity attacks, the chances that malicious actors (or the cybercrime entrepreneurs as they are sometimes called), will start targeting data collectors and processors, is only a matter of time.
Marketing firms are of course in the group with a greater risk, because of the large volume of data they are collecting and aggregating in their often disorganised data swamps. But building resilience against cyber-security incidents is not only compulsory because of the GDPR compliance, it is also key to the business continuity. Many businesses in the past saw their services hampered for days, if not weeks because of these attacks.
As for data privacy, realistically there are two aspects of the new European regulations, that need marketers’ special attention - data permission, data access. In essence, it means companies that collect and process data can carry on doing so, but without restricting customers knowledge about what is happening to information they provide, with whom it is shared with, and how it is monetised.
Those who scramble to start building their walled privacy gardens are encouraged to conduct Protection Privacy Assessments codes of practice - PIAs, that although not required by the law, are often the only way to achieve the “privacy by design” status, that many organisations claim to have just by installing security software. PIA allows marketers to navigate through murky waters of privacy permissions that will result in creating fair codes of conduct for their clients and customers.
Starting from step-by-step introduction on how to obtain “freely given, specific, informed, and unambiguous” consent, to preparing procedures for letting their customers erase their data whenever they feel like doing so, PIA is a useful tool that not only provides rigorous check of compliance with GDPR but also shows companies readiness for accountability.
It might not sound like much now, but it is the very door to the privacy by design that has to be addressed if marketers want to show that they take people’s concerns about data privacy seriously.