In the wake of scandals like the Cambridge Analytica data breach incident in March, there is definitely a conversation starting to happen around the ethics of consumer data collection and how to carry that process out. Most recently marketers have been preparing for the General Data Privacy Regulation (GDPR) coming into full effect on May 25th, 2018.
The new legislation, enforced by the European Union, aims to heighten protection of EU citizens' data, through tightened rules on how to obtain, process, store and share their information. Despite the GDPR being a tool to protect EU citizens, it does not only target businesses based in that region alone. Instead, it targets any and all data collectors seeking to store EU citizen data–meaning, Canadian businesses who provide their service to EU-based consumers and collect their data are required to comply with this legislation.
Non-compliance with the GDPR puts companies at risk of severe repercussions. Various violations of the GDPR pose fines of up to €20 million, or 4% of a company's global annual revenue, whichever amount is greater. Therefore, companies need to understand the legal requirements of the GDPR and ensure they are on the right track to compliance.
There are a few main features of the GDPR that marketers must pay attention to.
One of the GDPR's main goals is to improve transparency between data collectors and consumers and build a better system which puts consumers' protection first and foremost, and clearly communicates that to them. In marketing terms, EU residents filling out your lead form or completing a purchase requiring information collection must be informed explicitly why their data is being collected and the intention behind it.
For instance, if your business requires consumers to fill out a lead form you must ensure you explain to the consumer how their data will be used. If you plan on sharing their data with affiliates, track their activity on your website through pixels, or retarget them through emails, you must clearly state these intentions when asking for consent. GDPR stresses that 'opt-out consent' will no longer be accepted as a form of request for consent as it is ambiguous and does not fully articulate the intention behind data collection.
It is also important you remain transparent in your request to repurpose a consumer's data at any point during the relationship with them–even after said relationship has ended. Under the GDPR, consumers also have 'the right to be forgotten', meaning they are able to request their information be permanently deleted from your company's database as well as any third parties who were processing or owning that data as well. The one downside of this request is that it will limit a company's efforts to build accurate performance reports and trend forecasts based on consumer data, if they lose a significant amount of it in the long run.
The GDPR is also putting a lot of scrutiny on how organizations store and safekeep people's data. The information can only be used for the specified and intended purpose the consumer agreed to initially during data collection, otherwise the company is at risk for a violation fine. Additionally, sharing a person's data with a third party requires another request for consent and clear communication of the intent behind the move.
Companies must securely store this information and hold records of consent to prove compliance to GDPR standards to avoid fines, as well as records of the policies they are using to govern data collection and use. Canadian businesses operating their services in the EU are advised to audit and assess the current methods of data collection and protection in order to ensure they comply with GDPR standards.
They must also disclose any data breach or leak to data subjects as well as GDPR security provision within 72 of discovery to avoid significant fines.
There's been a debate circulating about how fair the GDPR legislation is on marketers. Steep fines and "unrealistic expectations" are a few of the named concerns out there, with some agreeing that the legislation provides more harm than good to retailers and businesses under the guise of protecting consumer data.
On the other hand, we think the GDPR is a step in the right direction for the industry. It will force businesses to educate themselves about consumer data protection and build better, transparent relationships with their customers which will surely positively impact brand loyalty.
There is no doubt that while the GDPR is currently localized to EU citizens, stricter data controls are certainly going to be enforced worldwide soon, and Canadian retailers need to take a closer look at the ethics behind their current methods of data collection and storage to ensure they are keeping up with the current global concern for data protection.