How should you prepare for the European privacy regulation going into effect next year? Contributor Travis Wright explains the GDPR's provisions and outlines one approach to compliance.
Failure to be a good steward of consumer data by letting it fall into the wrong hands will soon carry severe penalties in the European Union. Infringements of the regulation, including a breach that results from inadequate security, can be fined up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher. Ouch!
The GDPR is new legislation from the European Union that gives individuals more control over their personal information, including "the right to the protection of personal data" and "the right to be forgotten" (formally, the right to erasure).
Beginning on May 25, 2018, the General Data Protection Regulation (GDPR) places responsibility for honoring those rights on the organizations that collect and process personal data. It applies to any company or organization, inside or outside the EU, that collects, shares or holds personal data of individuals in the EU in the course of business. Note that "personal data" is broader than the US notion of personally identifiable information: online identifiers such as cookie IDs, device IDs and IP addresses count.
The early days of advertising
In the early days of advertising, agencies and their clients didn't have to worry much about "data." What they thought of as data generally meant consumer demographics, response rates and return on investment: information that was valuable to them and maybe their competitors, but that was about it.
Fast-forward a few short decades, and now we live in an interconnected world where information constantly and invisibly flows all around us. Marketing technology allows us to direct and capture these streams of data to build brands and drive business development and sales.
However, the latest twist is that marketing technology companies and their clients now find themselves obliged to protect this data. Attackers want it for fraud, extortion and resale, and they have unfortunately become very good at obtaining data that is left unprotected.
The impact of the GDPR on martech
The GDPR will have a massive impact on the martech landscape in Europe, and not everyone is going to survive. The whole thing is very Darwinian: those who adapt to the new environment will prosper, and those who don't will go extinct. It's as simple as that. It's also similar to the Mafia; if you don't comply, the EU will make you comply!
Furthermore, it's fairly certain that martech clients will start to demand indemnification from vendors so they're not liable if a data breach occurs. However, this is balanced by the fact that their brands will be affected negatively by breaches regardless of their legal liability, so it's in everyone's interest to work together to protect against breaches and to minimize liability under the GDPR.
Preparing for compliance with the GDPR
The GDPR goes into effect in May 2018, meaning there's still time for marketers to properly protect their users' data and gain a strategic advantage before the law takes effect by positioning themselves as responsible custodians of customer and employee data.
There are several steps organizations must take to achieve this:
- Designate a Data Protection Officer (DPO). The GDPR requires one where an organization's core activities involve large-scale, regular and systematic monitoring of individuals, which describes most behavioral advertising and analytics, or large-scale processing of special categories of data. The DPO must know the GDPR and its requirements well, reports to top management and must be free of conflicts of interest, so the role should not go to whoever already owns the marketing database. Their job is to inform and advise the organization, monitor compliance and act as the contact point for regulators and data subjects; they do not shield the organization from liability, which stays with the controller or processor.
- Perform an internal assessment. Agencies should audit their data collection, storage and protection procedures with the oversight of the DPO: what personal data is held, where it lives, who can access it, on what legal basis it is processed and with whom it is shared. The goal is to identify gaps in procedure and weaknesses an attacker could exploit. For processing that is likely to be high-risk, such as large-scale profiling, the GDPR also requires a data protection impact assessment (DPIA) before the processing begins. The DPO then advises on policies to close these gaps and ensure the confidentiality and integrity of your organization's data.
- Talk to your corporate attorneys. The GDPR requires a written contract between a client (the controller) and any agency that processes data on its behalf (the processor), with specific terms covering instructions, confidentiality, security measures, sub-processors, breach notification and deletion or return of the data at the end of the engagement, and it places some obligations, with the associated liability, directly on processors. Expect clients to demand contract revisions that place liability for GDPR violations on the agency that collects data on their behalf. Have your legal team review every contract to ensure the new terms are fair and that the obligations you accept are ones you can actually meet.
What is one approach to ensuring GDPR compliance?
One approach that's been widely discussed is Data-Centric Audit and Protection, or "DCAP," a term coined by Gartner. Rather than only securing the networks, hosts and applications around the data, DCAP focuses on discovering, classifying, monitoring and protecting the data itself.
The idea behind DCAP is that the most reliable way to secure data is to make the data itself resistant to misuse, using encryption or pseudonymisation methods such as tokenization, regardless of where it is created, used or stored. The GDPR defines pseudonymisation as processing personal data so that it can no longer be attributed to a specific person without additional information, which must be kept separately and protected; it names pseudonymisation and encryption as appropriate security measures, and if a breach exposes only data that has been rendered unintelligible to the attacker, the duty to notify the affected individuals falls away. One caveat: pseudonymised data is still personal data under the GDPR, because it can be re-identified with that additional information, so it does not take a data set out of scope. Only true anonymisation does that.
Tokenization is a reversible form of pseudonymisation that replaces a piece of personal data with a surrogate value, or token, that has the same format (length, character set, and optionally a visible prefix or suffix such as an email domain), while the only mapping from token back to the original value is held in a separate, tightly controlled vault. Because the token looks and behaves like the original, the record keeps its analytical value and downstream systems can process it without ever holding the real value; because the mapping lives only in the vault, a leaked copy of the tokenized data set cannot be reversed on its own. Building IT systems around this concept also goes a long way toward satisfying the GDPR's requirement for "data protection by design and by default."
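To make the tokenization idea concrete, here is an added example of a minimal reversible token vault. It is not code from the article or from any DCAP product; the field names (`email`, `phone`), the format-preserving rules and the sample records are all constructed for illustration. It pseudonymises the personal-data fields of each record before the record goes to an analytics store, keeps the email domain and the phone country code visible for reporting, and shows that the tokenized copy cannot be reversed without the vault.

```python
# Added example, not code from the article or from any DCAP vendor: a minimal
# reversible tokenization vault that pseudonymises the personal-data fields of a
# customer record before the record is copied into an analytics store.
# Field names, format rules and sample records are all constructed for
# illustration.
import secrets
import string
from typing import Callable, Dict, Tuple

# Constructed sample records (fictional people), as they might arrive from a
# sign-up form.
SAMPLE_RECORDS = [
    {"id": 1, "email": "alice@example.com", "phone": "+44 20 7946 0958", "country": "GB", "spend": 120},
    {"id": 2, "email": "bob@example.org", "phone": "+33 1 99 00 11 22", "country": "FR", "spend": 80},
    {"id": 3, "email": "alice@example.com", "phone": "+44 20 7946 0958", "country": "GB", "spend": 45},
]


def email_token(value: str) -> str:
    """Random local part of the same length; the domain stays visible so that
    domain-level reporting still works on the tokenized copy."""
    local, _, domain = value.partition("@")
    alphabet = string.ascii_lowercase + string.digits
    fake_local = "".join(secrets.choice(alphabet) for _ in local)
    return f"{fake_local}@{domain}"


def phone_token(value: str) -> str:
    """Keep the country code (everything before the first space) and the digit
    grouping; replace every remaining digit with a random digit."""
    prefix, sep, rest = value.partition(" ")
    fake_rest = "".join(secrets.choice(string.digits) if ch.isdigit() else ch for ch in rest)
    return prefix + sep + fake_rest


# Which fields hold personal data, and how to build a format-preserving token
# for each (assumed field names).
PII_FIELDS: Dict[str, Callable[[str], str]] = {"email": email_token, "phone": phone_token}


class TokenVault:
    """The only component able to map a token back to its original value.

    In production this lives in a separately access-controlled store with the
    mapping encrypted at rest; here it is in memory to show the mechanism.
    The same value always receives the same token, so counts and joins on the
    tokenized data still work without exposing the value.
    """

    def __init__(self) -> None:
        self._forward: Dict[Tuple[str, str], str] = {}  # (field, value) -> token
        self._reverse: Dict[Tuple[str, str], str] = {}  # (field, token) -> value

    def tokenize(self, field: str, value: str) -> str:
        key = (field, value)
        if key not in self._forward:
            token = PII_FIELDS[field](value)
            while (field, token) in self._reverse:  # avoid an accidental collision
                token = PII_FIELDS[field](value)
            self._forward[key] = token
            self._reverse[(field, token)] = value
        return self._forward[key]

    def detokenize(self, field: str, token: str) -> str:
        # KeyError for a token this vault never issued: a tokenized data set
        # that leaks without the vault cannot be reversed.
        return self._reverse[(field, token)]


def tokenize_record(record: dict, vault: TokenVault) -> dict:
    return {k: (vault.tokenize(k, v) if k in PII_FIELDS else v) for k, v in record.items()}


def detokenize_record(record: dict, vault: TokenVault) -> dict:
    return {k: (vault.detokenize(k, v) if k in PII_FIELDS else v) for k, v in record.items()}


def can_reverse(vault: TokenVault, field: str, token: str) -> bool:
    """True only if this vault issued the token."""
    try:
        vault.detokenize(field, token)
        return True
    except KeyError:
        return False


def run_demo():
    """Tokenize the sample records for the analytics store, then restore them
    through the vault. Returns (tokenized, restored, vault)."""
    vault = TokenVault()
    tokenized = [tokenize_record(r, vault) for r in SAMPLE_RECORDS]
    restored = [detokenize_record(r, vault) for r in tokenized]
    return tokenized, restored, vault


if __name__ == "__main__":
    tokenized, restored, vault = run_demo()
    for row in tokenized:
        print(row)
    print("round trip intact:", restored == SAMPLE_RECORDS)
    print("reversible by a fresh vault:", can_reverse(TokenVault(), "email", tokenized[0]["email"]))
```

Two design points follow from the GDPR text above. First, because the same value always maps to the same token, the analytics store can still count repeat customers and join on the tokenized field, but for that same reason the vault is the crown jewel: it needs the strongest access control, audit logging and encryption you have, ideally with keys in a KMS or HSM, and it should never sit on the same host as the tokenized data. Second, the tokenized records remain personal data in the GDPR's sense as long as the vault exists; what the vault buys you is that a leak of the analytics copy alone exposes nothing useful and, if the vault is intact, need not be communicated to the affected individuals. Very short fields (one- or two-character local parts, for instance) carry little entropy in a format-preserving token, so use a fixed-length random token for those instead.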
Imagine each data point in an IT infrastructure as a child running at play from house to house throughout a neighborhood, with each home having varying degrees of security. Now, imagine that abductors are always lurking nearby and searching for an opportunity to break into one of the homes and grab one of them.
In its most effective incarnation, DCAP can identify all of these children and follow them around no matter where they go, ensuring that they're protected. This also involves keeping an eye on the controls in place at each house, the people coming into contact with the kids in each house, and issuing alerts of potential security breaches or unusual behavior that could signal a problem.
In a recent white paper (PDF) the data security firm Winterhawk Consulting Group explained how monetary penalties issued by European regulators could be the least of companies' worries when it comes to GDPR:
Irrespective of official fines, nobody can afford the subsequent fallout that severe breaches bring about. A large multinational could suffer costs and reparations in the hundreds of millions, not to mention a huge impact on share prices. A smaller company offering data processing services could suffer a processing ban and loss of credibility with their customers; companies dealing directly with consumers could lose their business outright. Even non-profit organisations are at risk of losing donors or member participation.
Attackers are becoming more sophisticated every day in their attempts to break in and abduct your data, and the GDPR will hold you accountable if inadequate security let that happen. DCAP addresses both problems: it reduces what an intruder can actually use, and demonstrable safeguards such as encryption and pseudonymisation are exactly the measures regulators weigh when deciding on fines and notification duties. It is not a compliance guarantee on its own, since the GDPR also covers legal basis, consent, transparency and individual rights, but it is the technical foundation the rest sits on. Don't be a statistic: do what it takes to protect your organization and its data today.