Have you noticed all the emails you’ve received recently with information about organizations updating their privacy policies? When you visit websites are you seeing the bar on the bottom informing you about cookies and data collection policies? If so, you can thank the GDPR (General Data Protection Regulation) policies now in place in Europe. While the United States hasn’t adopted the legislation yet, that hasn’t stopped organizations based in the US from paying attention to what’s going on. That’s why the Kansas City Direct Marketing Association recently held a lunch with David Cacioppo of emfluence and Neil Watkins of Asureti to walk through some of the basics of GDPR. Below are some of the things you might want to at least be aware of as GDPR gains traction.
Require Opt-In Now
GDPR dictates that a company must obtain consent from a consumer to process and share their information. When it went into place in Europe, that meant consent had to be given even for data that had already been collected. So you might as well start making sure you have consent now, even though a GDPR-like law isn’t in place in the US, so you don’t have to go backwards and re-ask for consent when such a regulation does come into play. This applies to emails, cookies on websites, and so on. (Although, technically, the regulations already apply to US organizations collecting the information of European citizens.) Plus, in general, asking people whether they want to share information with you is a good idea. Once again, a plug not to buy data lists. Otherwise, you may be wasting resources marketing to people who simply don’t care about you or your product.
You better make sure consumers know exactly what you’re going to do with their data. Hence, the nudge to update privacy policies. Cacioppo and Watkins outlined some questions to consider when writing them:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
Collect Only Data You Will Actually Use
Cacioppo and Watkins stressed this point during their presentation. The more personally identifiable information (PII) you collect, the more you know about the consumer, and the harder it is to store, organize, and cleanse when necessary. The new GDPR requirements allow consumers to correct, remove, or request all the PII a company holds. The more PII being held, the harder it is to address those rights. “Encryption, pseudonymization, and anonymization are a good start at tackling the security requirements,” said Cacioppo & Watkins.
Define Everywhere Your Data is Stored
What happens if a consumer asks to have their data removed from your organization’s files? You need to know where it all is. That means in each of your digital platforms, on your servers, in Excel files that have been shared: everywhere. While it isn’t something you necessarily need to do right now, if you have systems that aren’t integrated, or if a standard practice is to download spreadsheets and then upload them somewhere else, you might want to start thinking about a data information structure that would give you visibility into everything if you happen to need it. The upside is that starting to think about clean, aggregated data now will be important in the future whether or not GDPR goes into place in the US.
When it comes down to it, no one really knows how all of the requirements and regulations around data protection for consumers are going to shake out. What’s pretty clear, though, is that as organizations continue to gain access to more consumer data and as consumers give it up for enhanced value, the issue of data protection isn’t going away. It’s time you at least start thinking about what it could mean for your organization.
For more info on GDPR, visit www.gdpreu.org.