The EU General Data Protection Regulation (GDPR) is a complex topic. So to explain it in a very human and (hopefully) humorous way, I first want to use an analogy about borrowing a car.
If you want me to lend you my car, I’d first ask you to please explain why you need to borrow it and how you will use it.
If you tell me that you will use it to take your grandmother to her doctor appointment and that you will bring it back to me in three hours, please don’t keep it overnight and let your cousin drive it to a rave in a neighbouring country.
If I agreed to lend you my car only, don’t also use the bunch of keys I’ve given you to enter my house.
If I ask you to give back my car, please bring it back in one piece, not with the passenger seat missing.
And if you are renting a car, go to a reputable company where you can ask about all aspects of the car; don’t close a deal to rent a car with a man you know nothing about standing beside a parked car on the street. It may be stolen.
The gist is, if you treat personal data as your customer’s personal belongings, you are far more likely to keep that customer happy.
The GDPR forces all players in the industry to adopt pro-consumer strategies, or face penalties.
As any marketer, agency or publisher in the EU will attest, readying for compliance with the GDPR is a tremendous undertaking. The legislation gives a framework of operational requirements: keeping a data inventory, carrying out privacy impact assessments, implementing processing and transfer agreements, and so on.
The lawyers will be setting the programme for this activity. But alongside the legal programmes, marketers should be focusing on these four best practices.
Transparency to consumer
To my mind this is the single most important plank of the GDPR. The rationale is simple. If consumers are to exercise control over the use of their own personal data, they need to understand how it is proposed to be used.
Under the GDPR, businesses must work much harder at articulating the individual activities they will undertake with a consumer’s data, whether executed by themselves or by partners. When in doubt, tip in favour of more disclosure, and be sure to keep it specific. Always use plain, unambiguous language to explain the “who, what, and why” of processing.
Tag / Pixel Management
Tagging sites and devices to collect data is central to online marketing. An average webpage may have well over a hundred tags sending data to different parties. Imposing controls around the setting of tags and allocating responsibilities for their management is important, relatively easy, and effective in good data stewardship.
Data life cycle
The GDPR demands best practice considerations in personal data capture and attention to the full data processing life cycle. One persistent challenge is ensuring that every employee or vendor who has access to personal data is educated on the requirements and the importance of good stewardship.
Access protocols, multi-factor authentication and appropriate employee education and training are the first line of defence in managing dissemination of data. It’s also important to ensure protections are in place mitigating risks of data loss.
Third party audiences
In many jurisdictions, the weight of regulatory obligations sits on the shoulders of the “data controller”. That is usually the party collecting the personal data and determining the purposes for which it will be used. It’s important to remember that everyone in the supply chain is ultimately exposed to consumer backlash for any mishandling of personal data.
Ensuring you have effective contractual warranties and indemnities through supplier contracts is essential in managing the apportioning of liabilities in the event things ever go wrong.
In media buying, this issue is most acute when acquiring audiences or data to augment existing audiences or data sets. The rule of thumb: if you are using personal data provided by a third party to target your advertising, be sure that the data vendor has exercised the same care in personal data collection and handling as you exercise with your own customer data.
Overall, the GDPR promotes the view that personal data is a highly-valued personal possession belonging to individuals, and consumers increasingly also expect brands to act accordingly.
In the EU, personal data may no longer be taken for granted by marketers as a rich seam of information to be mined and utilised for any purpose they deem fit. Marketers, agencies, and publishers everywhere would do well to arrive at this same conclusion.