In May 2018, the GDPR (General Data Protection Regulation) comes into force in the countries of the European Union. A text that’s been ready and prepared for some time now, it introduces a lot of changes for companies that process personal data… so virtually all companies in other words! Both easier to understand and offering greater protection, this new regulation imposes new obligations on companies, particularly those for whom big data is central to their business activity. These changes will have as much impact on advertisers as they do on agencies. Explanations.
The three main principles behind the GDPR
Privacy by design, accountability and joint responsibility between those with primary responsibility for processing data and subcontractors. These three principles may seem a little unclear at first sight, but they form part of the new obligations set to transform the way in which data is managed.
Privacy by design
The term ‘design’ here has nothing to do with art or illustration. It signifies instead “from initial conception”. Privacy by design can be interpreted to mean “protection conceived as a default component, and from the point of initial creation, of any project involving the processing of data.” Beyond the lexical field involved, what counts is adapting the framework within which the data is collected and used. The protection of personal data is not simply a matter of company philosophy or values. It is a principle established in law. Every company must prove that it has taken the question of data security and protection into account, right from the very first time the data is processed. What is involved, therefore, is a set of restrictions that enable the better management of the flow of data. Got a new mobile app? A new email campaign strategy? Content to share with your community? The question of data management will need to be taken into account in just the same way as the web design and user experience aspects and your commercial objectives.
This is the principle of ensuring that individuals in charge of processing personal data take responsibility for what they do. Every company will need to assess and evaluate its policy and related risk management measures so that it can develop and introduce properly adapted measures. What should you do if you are the target of a cyber attack, data theft or hacking? How does data transit between your various services/departments, and who can access it? What action are you taking to protect the data whilst at the same time maintaining confidentiality and ensuring requests to have data removed or modified are properly complied with? The work involved in introducing shared, global responsibility requires the participation of all implicated parties within the company, and they need to be coordinated by someone who can steer the process, i.e. a project leader or a person given responsibility for data protection (often termed a “DPO”, which stands for Data Privacy Officer). Placing the blame on internal politics or out-of-date processes is not an option. From the moment you begin processing personal data for the purposes of a defined objective (e.g. the collection of data for an email campaign), you become responsible and must be able to evidence the measures put in place in terms of protecting and securing processed data to the relevant national supervisory body (e.g. CNIL, the national commission on informatics and liberty, in France).
Joint responsibility between those with primary responsibility for processing data and subcontractors
With many companies relying on subcontractors, subsidiaries or partner organisations where processing their information or working with their data is concerned, the resulting dilution of responsibility was preventing both the development of awareness and the use of responsible good practices. The introduction of the GDPR obliges those companies that delegate tasks to subcontractors to ensure that such subcontractors properly adhere to the new rules in place. This means that subcontractors must comply with the new GDPR requirements and prove that they process all their client’s external data in the same, consistent manner. Should a company fail in its task, it will not have the option of blaming it on a partner organisation.
Providing proper GDPR training for your employees
Because it affects all departments and services in the company (marketing, communications, sales, customer support, human resources, etc.), the GDPR needs to be implemented in the organisation in a structured way. Everyone must be included in the awareness raising process, from the sales representative using a CRM system for prospecting purposes and the marketing manager who uses inbound marketing techniques, through to the HR assistant who looks for new talent on LinkedIn.
Special training sessions play a particularly important role in this process of awareness raising. Not everyone needs to know all the ins and outs of the GDPR in detail. However, everyone does need to be aware of its impact on the core aspects of specific professional activities. Developing and delivering training, via either distance learning or face-to-face sessions, is essential when dealing with a topic such as this. This training also needs to be updated regularly and the knowledge imparted verified on a regular basis. Here again, responsibility for ensuring that employees are familiar with the rights, duties and obligations set out by the GDPR lies with the company.
GDPR compliance: a mark of assurance
For organisations, such as Kwanko, that manage millions of data items and act as intermediaries and facilitators with respect to advertisers, GDPR compliance serves as a gauge of quality assurance. The need to carry out work in this area was anticipated well in advance and has enabled a set of legal restrictions to be transformed into an organisational opportunity, providing a chance to rethink and optimise the way in which we manage data that is relevant, useful and high in added value for our clients. Rethinking an internal policy in this way is absolutely essential in terms of successfully adapting to the fast-evolving big data sector, a sector that is helping to bring about ever-increasing improvements in working efficiency by providing new gauges of quality and assurance.
Preparing for the GDPR involves fundamental and thoroughgoing work that can take time to complete. However, according to several studies published last autumn, the majority of companies were neither ready for these challenges nor aware of them at the time. Hence the increasing importance of raising awareness of these changes, which are set to enable the European Union to better adapt to the new realities of the digital world.
And how about yourself, are you ready and prepared?