“Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Adrian Newby, chief technology officer at Crownpeak.
After months of planning, budgeting and restructuring ahead of the General Data Protection Regulation (GDPR), it seems many organizations are still struggling to implement a successful compliance program.
While companies may think they are on the right track, many are inadvertently making mistakes due to widespread misconceptions.
In the modern era, it is easy for marketers to think about “information processed wholly or partly by electronic means.” We use this data every day in our digital marketing programs. However, it is important to understand that GDPR’s predecessor, the Data Protection Directive, and now GDPR also protect “information processed in a non-automated manner, which forms … a ‘filing system.’” Yes, that’s right, good old hard copy is also protected.
Under GDPR, “personal data” has also been overhauled. Personal data is now any information that describes an individual or can help identify them when used either on its own or in combination with other data elements. This more expansive definition now includes cookies, IP addresses and device IDs, as well as more traditional elements such as age, sex and address.
But there’s more. Under GDPR, not all personal data falls under the same umbrella. There is a subcategory that comes with even stricter rules: sensitive personal data.
This includes information relating to race, ethnic origin, health, sex life, sexual orientation, political affiliations, trade union memberships and religion – none of which marketers may use for campaign targeting unless they have the subject’s explicit consent, which is an even higher standard of consent, or the communications can be carried out by a nonprofit with political, philosophical, religious or trade union goals under significantly restricted and safeguarded conditions.
This distinction of sensitive data is not new. It was present in the Data Protection Directive and has roots that go even further back to 1981 with Convention 108, the world’s first legally binding data protection instrument. However, none of those earlier legislative and regulatory actions caught the public imagination in the same way as GDPR has and many companies are consequently unaware of the different standards that can apply to certain categories of personal data.
Another pitfall: Believing that GDPR only relates to data that has been provided by users
For most businesses, the core element of GDPR has been consent. Many have concentrated their compliance efforts on opt-in emails sent in the run-up to deadline day and the compliance notices that now greet users on almost every site. But consent isn’t everything, and it has distracted companies from two other vital data protection issues.
First, GDPR doesn’t just apply to data processing, storage and use – it also covers the information companies already have. Firms must take a closer look at their existing data pool and establish whether they have a lawful basis to keep it. If not, they must either purge the data or establish a GDPR-compliant lawful basis.
Second, companies must give due attention to third-party data partners. In the case of data sources, they must verify that the sources’ data subjects have consented to collection and processing by third parties. This poses issues for companies that have used data scraping or mining techniques.
It also places a unique burden on website owners. A typical site has 75 technologies running on it from tracking to analytics, yet around two-thirds of marketers are not aware of at least some of these, making it impossible to know if data is being shared with them in a compliant manner.
Putting vendor data processing under greater scrutiny will help firms avoid fines, but understanding digital supply chains will also assist organizations in rationalizing their tech stack, tightening budgets and reducing user experience issues such as excessive latency. Understanding how data is shared throughout this complex network is also vital for notifying data subjects in the event of a breach.
A final pitfall: Focusing too little on data breaches
Finally, the heavy emphasis on data collection and processing has overshadowed stringent GDPR guidelines on data breaches. Consequently, many companies are neglecting one of the regulation’s most important parts: the responsibility of a firm to avoid a data breach and inform the relevant parties within legally established timeframes if one occurs. Cybercrime is growing, and with major companies such as Adidas, Sears and Kmart experiencing breaches this year, this could be the aspect of GDPR that requires the most work.
Article 33 states that the responsibility is on the data controller to inform the authorities for the relevant country within 72 hours of a data breach discovery. It must also inform the data subjects if significant harm is reasonably foreseeable or if the breach is sufficiently large, reinforcing the need for companies to have visibility and proper control over their digital supply chains.
Companies must also know their own role. If they are acting as a GDPR controller, then all of the above applies. If, however, a company is a processor under GDPR, then its obligations shift to informing and working with the controller, assuming, of course, that it knows who the controller is.
To manage these significant consequences, team training is crucial because GDPR considers emails containing personal data sent to the wrong addresses, personal information mistakenly left in a public place and data shared inadvertently to be breaches.
The work still to be done
More than one month after GDPR’s introduction, nascent compliance programs show many companies have veered from the legislation’s path when approaching GDPR.
As the pressure cools, companies must not slow down. They must move beyond the hype to understand the letter of the law and refine their programs to ensure they cover the full scope of the regulation. It is vital that they recognize that data governance is an ongoing journey that adapts to case law as the regulatory authorities strike and embodies consumers’ expectations for data collection and use.