Here’s why GDPR can drive the attitude shift that modern marketing needs
After Equifax and countless other user data scandals, brands outside as well as inside the EU may be crossing their Rubicon.
If you listen to the buzz about the coming onset of the General Data Protection Regulation (GDPR), you might think you have to throw out all your brand’s tech and data and start over.
But recent chats with two privacy-conscious managers — Episerver General Counsel and Vice President Peter Yeung and TrustArc Senior Global Privacy Manager Darren Abernethy — suggest that, while GDPR compliance will require some changes at your company, perhaps even some big ones, the biggest change will be in attitude.
In fact, the change could be comparable to what happened with brands’ environmental consciousness over the last decade or two. That change is reflected in the likelihood that, when most brands build a new factory, develop a new product or create new packaging these days, they have green energy, energy conservation, efficient resource management, waste product management and similar environmental concerns at top of mind.
And they let their customers know about what good corporate citizens they are.
In a way, that sounds like the emerging attitude of many brands that have a major European Union presence, but it’s for GDPR and consumer data.
“For every European company,” Yeung told me, “it’s top of mind.”
Although based in Stockholm, his company — which offers a content management system and e-commerce platform — has a substantial presence in the US, so his perspective is both inside and outside the EU.
“At any contract negotiation [for an EU company],” he added, consumer privacy and GDPR compliance “is the first thing they talk about.” Any new products from these firms include a data privacy impact report, just as they might include an environmental impact report.
Several basic principles
While GDPR is EU-centric, it applies to EU citizens wherever they are. It remains to be seen whether GDPR will be enforced outside the EU, but most major brands have major presences in Europe, and it will likely be too complex for them to maintain two different standards of privacy.
Plus, given the outrageous Equifax hack, the Facebook flood of targeted Russian propaganda, and the endless reports of zillions of hacked personal data records from virtually every kind of repository, we may be crossing some kind of Rubicon in terms of US consumer expectations for the handling of their information.
So, for any brands that see a Rubicon in their near future, Yeung points to a few basic principles to keep in mind as they adopt a GDPR mindset.
To begin with, systems should be designed and maintained for personal data portability, personal data retention and personal data destruction, and companies need to validate the length of time that they hold data (e.g., because their sales cycle is a year). Encryption should be enabled by default, and personal data anonymized wherever possible.
This doesn’t necessarily require rebuilding your systems from the ground up, Yeung pointed out, but it could require complementary code or systems.
TrustArc’s Abernethy goes further in describing the attitude shift. His company (formerly TRUSTe) helps brands comply with privacy and other regulations.
First, he said, there is the EU concept that privacy is a fundamental right, that it’s not an outdated concept that tech mavens can wave away like so much bothersome smoke.
He noted that the continent has been operating for the last two decades under a Data Protection Directive, which had been implemented in different ways by 28 member countries. Now, GDPR replaces the Directive with a continent-wide set of rules.
The user does
Second, he said, GDPR ends the debate over who owns the user-generated data, and leaves no doubt.
The user does.
And, third, brands that handle user data need to implement a new, company-wide layer of management: governance of personal data.
That governance comes in many forms, but it could mesh well with the “customer-centric” approach that many brands are today professing.
Privacy needs to be built in, so that individuals have the ability to control their own data.
EU citizens will be able to require that data about them be deleted or given to the user, meaning that there will need to be systems for actively monitoring where that data resides, how it’s being used or shared, how it’s being protected and so on.
If they become GDPR-conscious, brands will also need to reorient how much personal data they collect and why.
Right now, by contrast, the attitude among many brands is to collect as much data as possible so as to predict, personalize and pitch as granularly as possible.
A ‘GDPR-compliant’ tag
But GDPR requires companies to adopt a “data minimalization” approach, where they don’t collect information unless needed. And they understand that personally identifiable information (PII) is more than just your name, street address, email and phone number. It also includes IP addresses, device ID and geolocation, because if you collect enough of those “non-PII” data points, you can pinpoint the person.
Abernethy notes that GDPR doesn’t spell out everything brands must do, but a company with a new attitude toward consumer privacy understands instinctively that hashing or otherwise protecting device ID, geolocation and similar data means that the company is “mitigating risk.”
And the biggest attitude change, Abernethy said, is that companies must become proactive about users’ personal data, not reactive.
To oversee this new and comprehensive set of attitudes, more and more companies will be hiring senior Data Protection Officers. But the expense and effort of new data officers, attitudes, governance, systems, tech and policies may be worth a lot more than just avoiding any possible GDPR fines.
When given a choice in the market between a product made by a company that is out in front on the environment and a similar product made by a company that isn’t, I’m not the only one who would eagerly choose the former.
Certainly, after the tipping point of the Equifax fiasco, I can say the same applies to companies making a big effort to defend my privacy. And I’m much more likely to offer my personal info to those companies, so they can show me products I actually want to buy.
If I were a forward-thinking marketer, I’d make sure I could honestly slap “GDPR-compliant” tags on everything I sell.
“Marketers shouldn’t fear GDPR,” Abernethy pointed out, because of one bottom-line fact: the principles of privacy can also “make marketing more relevant to individuals.”