Data is one of the most powerful currencies in today’s society. The sheer scale of its accumulation and the seamless speed and simplicity with which it can be shared, combined with its transformative uses in business make it a coveted commodity quite unlike any other.
However, as the adage goes: with great power comes great responsibility. While data has the potential to build and recreate the way we interact with the world, in the wrong hands and in the wrong contexts it can be both destructive and invasive. This is why businesses that handle any type of customer data are subject to stringent laws and regulations governing its usage – and data breaches and improper use carry significant consequences.
The General Data Protection Regulation (GDPR) is one of the world’s toughest data protection laws. Although it was enacted by the European Union (EU), its reach is not limited to EU-based companies: it applies to organisations anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the EU, including website visitors. Its aim is to give people in the EU greater control over their personal data, and assurance that it is protected to a consistent standard across Europe.
Under the GDPR, which came into effect on 25 May 2018, EU data protection authorities can issue fines of up to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is greater.
Personal data is any information relating to an identified or identifiable living person. It includes obvious identifiers such as names, home and email addresses and photographs, but also social media posts, banking details, medical information, location data, browsing history and online identifiers such as IP addresses and cookie IDs. A company name is only personal data where it identifies an individual, for example a sole trader. The definition is not limited to online interactions: a paper customer file is personal data too.
Where the GDPR governs the processing of personal data in general, the Privacy and Electronic Communications Regulations (PECR, the UK implementation of the EU ePrivacy Directive) govern electronic marketing specifically: cookies and similar tracking technologies, marketing calls, marketing emails and texts. Business-to-business (B2B) marketers are not exempt: a named contact’s work email address is still personal data, so they are among the groups most affected by these rules.
Individuals have the following rights under the GDPR:
- The right to be informed about how their data is collected and used
- The right of access to the data held about them
- The right to rectification of inaccurate or incomplete data
- The right to erasure (the ‘right to be forgotten’)
- The right to restrict processing
- The right to data portability
- The right to object, including an absolute right to object to direct marketing
- The right to be notified of a data breach that is likely to result in a high risk to them
Where consent is the lawful basis for processing, it must be freely given, specific, informed and unambiguous, and individuals have the right to withdraw it at any time.
All of these rights must be factored into how a company collects, uses, stores and shares data.
To date, the biggest fines issued under the GDPR and the related ePrivacy rules include:
- Amazon – €746 million ($877 million) for processing personal data for targeted advertising without valid consent
- WhatsApp – €225 million ($255 million) for not adequately explaining its data processing practices to users
- Google – €90 million ($102 million) for not making it as simple for users to refuse cookies as to accept them
- Facebook – €60 million ($68 million) for not giving users a way to refuse cookies as easily as they could accept them.
Other notable penalties, issued to companies such as H&M, British Airways, Marriott, TIM and Enel Energia, covered a range of failures: using data for telemarketing without consent, security weaknesses that allowed attackers to compromise personal information, aggressive and unsolicited promotional calls, and unlawful monitoring of employees.
Proactive effort is clearly required to avoid breaching the GDPR. Yet, even though many organisations engage legal advice, data protection specialists and technical expertise to support their efforts, many still fall short.
A company that offers goods or services to individuals in the EU, or monitors their behaviour, is subject to the GDPR. The UK’s Information Commissioner’s Office (ICO), which exists to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals, explains how the GDPR applies to marketing activities. Recital 47 states that “…the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
So, what does this mean in practice? The GDPR says that direct marketing may be a legitimate interest, not that it always is. Nor does it declare any particular processing of personal data lawful in advance: lawfulness depends on the circumstances of each case.
Marketers who rely on legitimate interests as their lawful basis should, for every processing activity:
- carry it out in compliance with the ePrivacy rules (PECR in the UK) and other legal and industry standards
- identify and document the specific purpose of the processing (the purpose test)
- show that the processing is necessary for that purpose and that a less intrusive method would not achieve it (the necessity test)
- weigh the benefits against the impact on the individuals concerned, including what they would reasonably expect (the balancing test).
The ICO calls this documented record a legitimate interests assessment (LIA).
Organisations and service providers can meet these obligations in a variety of ways.
Contact customers, or update privacy notices and disclaimers, to communicate the company’s approach to personal data. Be clear about what data is collected and why, what will be done with it, how long and how securely it will be stored, and how customers can access it. Where consent is the lawful basis, ‘opt-out’ mechanisms and pre-ticked boxes are insufficient under the GDPR: customers must actively ‘opt in’, so that their consent is explicit and informed.
Strong security measures are fundamental to data privacy. The GDPR makes it the company’s express responsibility to keep personal data secure with measures appropriate to the risk: encrypting or pseudonymising data, using secure email, reviewing who can access what, keeping security software patched and up to date, and regularly testing that those controls work. If an attacker gains access to a company’s data, the breach remains the company’s responsibility.
Attack techniques evolve as fast as the defences built against them, so companies should have a carefully devised, thorough incident response plan for the event that data is compromised. It should set out how breaches will be prevented and detected, how a breach will be reported to the supervisory authority within 72 hours of the company becoming aware of it, how and when affected individuals will be told (without undue delay where the breach is likely to put them at high risk), and how a recurrence will be avoided.
Delete data that is no longer used, and do not collect or retain data that is not needed. Does this data need to be archived, or could it be deleted? Did all of it need collecting in the first place? Which processing activities are defunct? A breach can only expose data that is still held.
Mapping company data, that is, recording where every stream of data collection in the business originates and documenting what is done with it, supports clarity and transparency. Where does the data reside? Who can access it? What risks are attached to it?
Want to understand how marketing efforts can be grounded in GDPR and Data Protection Act-compliant practices?
Enter the workplace with the skills and expertise to uphold excellent personal data protection practice, with the University of the Commonwealth Caribbean’s online BSc Marketing programme.
In addition, you’ll learn to design and implement integrative marketing strategies, underpinned by highly developed creative, communication and analytical skills. Our flexible programme is designed to shape you into a well-rounded marketer, ready to meet the demands of fast-paced, modern corporate environments. Your studies will cover microeconomics, project management and entrepreneurship, alongside marketing campaigns, digital marketing principles, accounting and more.