GDPR Anniversary: Consent and Data Transfer Still Concern Marketers
GDPR has just passed its first anniversary; we thought it a good time to take stock and ask: what have marketers learned over the past 12 months, and what are the toughest issues they face in Data Transfer?
There is broad consensus on two things. The first is that we’re still grappling with consent, specifically, what is meaningful consent in every single use case and how best to efficiently obtain and document it. The second area of agreement is that we’re still concerned about data transfer, and the best way to protect the data subject’s rights when transferring data to a third party.
These issues speak to the two relationships marketers have in terms of GDPR. The first is between you and the individual from whom you collect data. Under GDPR, data collection comes with a lot of responsibilities.
First and foremost, you must request explicit consent from an individual to collect his or her data. And that’s just the start — you must also explain why you need it and how it will be used. Any data you collect must be essential to that purpose and you may only collect the absolute minimum data that you need.
Any individual who agrees to provide you with personal data enjoys a lot of rights (referred to as “data subject rights”) over how that data is used, with whom it can be shared, and for what purpose. These individuals also have the right to request that you cease using their data and to purge it from your systems. In the event they do ask, you not only must comply, but you must also inform the requester of your process for complying, the time frame for compliance, and how he or she can verify that you’ve honored the request.
This is a far cry from the days when consent was implied by virtue of an individual publicly posting information on social media. GDPR put a spotlight on the issue of implied consent. Social media platforms should now clearly outline exactly what is considered to be “public” information posted on their platforms, explain this to users in plain language and give users easy-to-use tools to protect the privacy of their information.
Your second relationship, under GDPR, is the one that you, as the entity who has collected personal data, have with the third parties with whom you entrust that data, particularly if such data will be leaving the confines of the European Union. This is what we mean when we talk about data transfer.
You can’t just turn over first-party data you collected (with consent) to a third-party vendor without prior due diligence on that company’s data protection and privacy policies (this is precisely the reason why lawyers should now insist on reviewing every vendor contract) and without comprehensive contractual provisions respecting the security and privacy of the data.
Your commitment to the individuals — to protect their privacy and data subjects rights — doesn’t end when you send their data to a third party. It’s your job to ensure your vendor will uphold the commitments you’ve made to the individuals from whom you’ve collected data.
Let me be clear: that responsibility falls squarely on your shoulders (again, this is why corporate lawyers and internal security teams are more involved in marketing than ever before).
Recommended: Why CMS Shouldn’t Be Your Go-To for Legal Content
Doing extensive due diligence and picking only trusted vendors are essential components of GDPR compliance.
How to Move Forward
This may seem daunting, but it’s digestible if you consider the bigger picture of GDPR, and then ask how it applies to your organization. What do I mean by that?
GDPR is largely based on Privacy by Design principles, which are easily applicable guidelines that require data collectors to consider the protection of the PII they collect and build protection of that data into everything they do. Everything you do hinges on upholding the commitments you have made to the individual who consented to give you personal information. Compliance with GDPR can be driven by how you apply these principles to your data policies and processes.
So how do you ensure that you are adhering to the principles?
Whenever you decide to collect data, stop and ask yourself these key questions: why do I want to collect this data; what’s the task or purpose for which it will be used? What data do I need in order to fulfill that purpose?
How will I effectively communicate to this individual how I intend to use this data?
To whom will I need to transfer this data? Will I use this data for other purposes, and if so, have I communicated that to the individual and obtained their consent?
How do I ensure the individual is aware of his or her right to demand an accounting of the data, along with the right to demand I delete it?
Have I ensured that any third party vendor will, not only on their part, commit itself to the protection of the data but will also commit to assisting my company in doing the same?
With respect to data transfer, you may also decide to consider other technical options that may avoid the need to transfer data outside of your own system. For example, the containerization model is one way to use the services of a third-party vendor and avoid the data transfer issue entirely. In this scenario, your vendor packages its technology into a container and sends it to you which you can later deploy in a private cloud instance, controlled entirely by you. So, rather than uploading your private data to a third-party vendor for processing, the vendor sends its tech to you to run within your firewall.
You’ll need to answer all of these questions before you can even ask an individual for his or her data. And if you can adequately answer them — and put policies and procedures in place to live by your answers and demonstrate how you adhere to them — then you can reasonably assume your practices are GDPR compliant.