When I recently attended Episerver Ascend 2018 in Las Vegas, I overheard more than a few conversations about the GDPR, even some just learning what it was thanks to an informative session by Episerver’s CIO and CISO Sue Bergamo. In an article she recently published on Money Inc., she notes and alleviates through explanation how the regulation has only one clear cut certainty, that isn’t clear-cut or certain in a prescriptive nature what-so-ever.
We’ve extensively inquired with various platform vendors on how they have accommodated GDPR compliance requirements into their product strategy and asked the role they have taken in educating and assisting their customers but what about digital agencies? Are they the tweener in this situation? They’re not a platform where digital business transactions occur or house any of the personal data that is at the heart of this new regulation, they’re not a brand collecting and using personal data on members of the EU (however as service providers they do fall more under this category if any) but regardless, they do, and would carry responsibility in the event a client of their's were found to be non-compliant.
Why the GDPR is Overdue
Many are thinking, or perhaps hoping, there will be a grace period following May 25, 2018 for organizations to get up to speed with compliance to the GDPR but unfortunately, the GDPR has been in effect since 2016, with the date above marking the end of any leniency, not the beginning.
But why now? The GDPR, believe it or not, is massively overdue in my opinion. It is an update to the previously used Data Protection Directive that was implemented in 1998. Yes, that was 20 years ago. If you like me had your mind flooded with all the ways our digital world has evolved in that time just know, it is no less shocking the more I attempt to run that list in my head considering how much we now know about how data can be used, and misused.
I was first introduced to the underlying premise and necessity of the GDPR when I attended a presentation by GDPR expert Tim Walters, Principal Strategist and Privacy Lead at The Content Advisory, Founding Partner of Digital Clarity Group and Contributing Analyst for the Content Marketing Institute. In his presentation entitled GDPR: a Business Design Approach he simplified the premise of the GDPR by stating: “’People should have control over their own data.’ [These eight words (paraphrased from Recital 7), neatly summarize the goal of the GDPR. And] the rest of the text, the remaining 250 odd pages are basically laying out what has to happen in order to turn that ‘should’ into a ‘will’. People will have, you will behave in such a way that people do have control over their own personal data.”
He went on to explain the very reason I believe digital agencies, with all of their agile and creative prowess should embrace the GDPR as an asset rather than a hindrance (as I sense many do). He highlighted the fact that the regulators want to “fuel a new creative wave within the EU and for any companies that are involved in the EU. They want you to figure out new, clever, inventive ways of doing business within the confines of the regulation”, suggesting people, in every level of business, should think more about how they can adapt to this new landscape and what it can do for their business, vs what it can do to it:
“The GDPR -- that is, the text of that document, some 261 pages in English -- is like a gift from the future. It tells you quite precisely -- not with 100% accuracy, but quite precisely -- what the business environment is going to look like, how it is going to change after May 25th, 2018. And so, it gives you very good guidance on how you need to adapt to fit into that new environment, in order to survive in that environment and hopefully not only to survive but to thrive in that environment.”
Where Digital Agencies Should Start
Just as platform vendors have accommodated compliance capabilities into their product strategy, there is a huge opportunity for digital agencies to step in and assist organizations in not only their compliancy but also, how they can go on the offensive to make it an opportunity for businesses. To start, it would be pragmatic to hire or designate a Chief Data Officer, someone who can be the touchstone for not only compliance but how to glean more actionable insight from the vast amount of data collected by organizations to heighten the ROI it offers. The data trend is only ascending and it is even noted that the GDPR is just the first of its kind as the business world, from a global to municipal scale, is enacting a mindfulness surrounding the use of and ethics surrounding personal data.
Another great place to start, is for agencies to have an understanding of the rights of the individual, as per the text of the GDPR:
Access: every person would have the right to request access to their personal data, to see how it is being used and the organization would be able to provide that person with a copy of their own data, free of charge.
Data Portability: a person can transfer their data between service providers in an easy, machine-readable format.
Be Informed: someone must be informed before their data is collected, have the opportunity to opt in and consent must be freely and knowingly given, not inferred or implied.
Correct Information: a person would be able to ensure their information is complete, correct and up to date.
Restrict Processing: consent and processing aren’t one in the same, an individual could request their data be in place but not be used or otherwise processed.
Object: further to the last point, someone can request a stop to the processing of their data for direct marketing. With zero exemptions, any processing must stop as request is received and the stoppage made clear to the requesting individual from the conception of communication.
Be forgotten: if a consumer makes the decision to cease their business with a given organization, or simply withdraws consent from a company to use their data, the organization would be able to swiftly delete that person’s data.
Be Notified: lastly, if a data breach occurs, an individual has the right to know within 72 hours of its occurrence.
Finally, ensure the understanding and awareness is communicated throughout the team at all times. Any and every organization should have a united front when it comes to data compliance and how data is used. Even though it is called the General Data Protection Regulation, does not mean it is solely the responsibility of the ‘folks that are good with data’. Marketing is just one department that could strategize with their clients on how to mine engagement gold from learning how to leverage a transparency with their customer base, as Simon Carroll points out: “When someone grants permission they are acting consciously, becoming an active participant rather than a passive source of data to be pillaged. Permission equals engagement. And engagement is the ultimate goal here, isn’t it?”
When I think of digital agencies, I think of creativity, a pushing of boundaries in what is possible with bringing ideas to life and an ally to their customers in navigating the somewhat daunting word of digital business. For all of these reasons, I believe the agencies that can be the first to not only say to their customers ‘we know about the GDPR and are willing to help you be compliant’ but also say ‘we are going to show you how you can thrive in this new environment’ will be the ones to place themselves over and above their competitors in the market.
Thanks to Facebook making headlines recently surrounding the use of personal data, and more and more data breaches hitting the mainstream media outlets in the past year, we are definitely in a time where the use of data is becoming a common conversation and I believe it should be. As the GDPR states, personal data is to be looked at as a possession, to be borrowed and used in a respectful way, for the purposes it is designated for and given back. For this reason, people should view their own personal data in the same way, and the best thing they can do is educate and empower themselves on how their data is being used. The part it plays in their digital experience, how they interact with online brands, make online purchases and the interplay it has with brands when they execute an effective online-offline strategy.
Thankfully many platform vendors, thought leaders, media outlets and some agencies have been sharing content on the GDPR so the resources are out there, with I am sure more to come as we reach and surpass the date of May 25, 2018.