See how the GDPR will impact in the age of the customer
Spirit of the law: Giving back to users the control of data
I give my consent. Do I?
Key takeaway (if you’re still confused about it)
If you’ve been around the digital space, you’re probably hearing a lot about the GDPR. It’s become a buzzword, mostly amongst digital marketers and data companies. And lawyers.
If you’re feeling a bit confused, or lost, worry not! As we move on with our compliance journey, we’ve highlighted some of the key points brought by GDPR to marketers and tech companies doing business in Europe, or collecting data from European citizens.
GDPR stands for the General Data Protection Regulation. It’s a codification of privacy and data protection rules whose aim is to provide more consistent guidance on privacy and respect for the personal data of European Union citizens. In sum, it replaces the previous EU privacy directive, which dates from 1995, while also introducing some interesting changes to the current privacy and data protection regime. The GDPR applies to any company handling personal data of EU data subjects, even if the company is headquartered outside of the EU. This means that the regulation has an extraterritorial scope: companies need to comply with the new data regulation regardless of their actual location, so long as they process any kind of data related to EU subjects.
People’s perception of privacy is changing, and will continue to change, perhaps as a result of our escalating online exposure, and marketers and companies collecting data should see the GDPR as a first step in this new direction. Even though the GDPR is Eurocentric, and although Europe has a very specific cultural context, especially in how people are educated about privacy issues, the European market is massive, and the impact of the GDPR will soon resonate in other parts of the world. The influence of its legal regime will soon be felt in other markets as well, since Asia and the Pacific tend to follow the EU’s lead.
From a digital marketer’s perspective, we can’t really predict who is an EU citizen and who is not, so even when we’re not acting within the EU zone, we might still be processing EU citizens’ data; we’re therefore standing on a very tricky threshold. The best way to address this is to treat every person whose data we collect as if they were an EU citizen, and to be protective and prepared to handle all our customers’ data with equal zeal. Wondering who the main parties affected by the GDPR are? Here’s the cast: data subjects (people who use your digital touchpoints), data controllers (if you own an online company, then you control data), and data processors (if your company is using technology such as our Predictive Ad Audiences, for example, then we are processing your data).
“Can we do business without complying?” Yes, if your company has zero connection to the EU market or EU data. If not, your company should not avoid compliance. There are significant sanctions for not complying with the GDPR, and also hard consequences: after May 25, regulators will have the power to audit companies, so it’s not just about fines anymore. GDPR regulators can show up at your doorstep and request an audit, so not having a regular or physical presence in Europe doesn’t prevent your company from facing a surprise audit. In addition to enforcement actions, fines and audits, for the first time in European legal history, any regular citizen can bring claims against a company without needing a further legal representative.
Under the GDPR, the customer has the full right to understand what’s going on with their data, what firms are doing with the information they collect, the purpose of data collection and how consent is collected. In one sentence: it stands for privacy and transparency. This also means that customers have the right to be forgotten, and to have their data completely erased within a tight timeline of 40 to 60 days.
Responsibility and accountability are the core values in the GDPR’s approach to impact assessment and to minimizing the amount of data collected. In short, if there’s no reason for a company to collect certain data, then it simply should not do it. To give a very simple example, if your company is collecting social media interactions, such as Facebook “likes”, for no specific reason, it has to stop doing so once the GDPR comes into effect.
Attached to the idea of consent is the notion of “privacy by design and by default”. Under these terms, the GDPR states that privacy by design and privacy by default should go side by side throughout the entire engineering process. This concept approaches privacy and data protection compliance from the very start of product development, and not as a later projection or addition to a finished product. At Insider, as we continue creating deeper marketing technologies, we’re not losing sight of privacy and consent at the very core of our products’ design and in-house development. This is but one example of how far the GDPR reaches with regard to consent and data privacy; the approach is called “value sensitive design”, meaning that developing a new product (technology, tool, or the like) should take human values into account in a clearly defined and sensitive manner.
We’re living in a data age. If you want to do business in the EU, the GDPR sets the framework for what you can and cannot do. As Forrester’s reporter and analyst Lori Wizdo put it so well, “marketers should see the GDPR as an opportunity to embrace the age of the customer, because that’s what the GDPR is about: consent and privacy”.
To see how we’re moving on with our compliance journey, check our GDPR page here.
With 12+ years of experience in consulting, building, and marketing technology products for clients across industries, Srikant is a product leader, storyteller, data fanatic, and UX/usability enthusiast. He often appears as a speaker on panels about personalization and optimization, has a passion for building simple solutions to complex problems, and is currently pursuing that at Insider.