The Era of Data Privacy: Keys for Understanding GDPR

Through the years, the tech industry has developed disruptive products and services that have forever changed the way we do everyday things. It is often that we find ourselves reading (and writing!) about the most innovative technologies of the year and how we can use them to benefit our businesses. However, 2018 might be remembered mostly with two words that created shock and concern among not only users, but industry leaders as well: “data breach”.

Digital users have gained more awareness about data protection and are willing to let companies know when the trust is broken. In Europe, the legislation has managed to be in tune with the current times and on Friday 25th May 2018 the General Data Protection Regulation (GDPR) was finally enforced. Panic round digital players had started months before, though.

The impact was not felt only in Europe, but round the world. The digital media publishing  industry (and most sectors) was faced to transform the initial fear into a sense of opportunity to build a more respectful relationship with customers. However, a combination of disinformation, misunderstanding and a quite open interpretation of the norm caused a division among those publishers who took the chance to embrace the respect of the data for their readers, while others opted to compile with the bare minimum or even radical approaches, such as block all traffic coming from Europe.

The following article was created to provide some clarity among GDPR, explain some relevant concepts and give the resources so that publishers can not only compile with the legislation, but really understand the changes that are taking place regarding the information we gather of our users and how we can better create a trustworthy relationship with them.

Let’s get started with the basics.

What is GDPR?

https://www.youtube.com/watch?v=j6wwBqfSk-o

Considered the most important change regarding data privacy in the last two decades, the General Data Protection Regulation (GDPR) is, basically, a regulation enforced by the European Union that gives their citizens greater control over the collection and use of their personal data.

One of its most important impacts is that it has redefined what accounts as personal data and that sensible information does not belong to business, but to the individuals. There is also a focus put on how business take care of such sensible information and the responsibility they have to EU citizens.

The core of GDPR can be summarized on the following key points:

• Previous directives considered personal names, photos, contact information, social security numbers and bank accounts as personal data. GDPR broadens that definition to include IP addresses, biometric data, mobile device identifiers and geolocation, economic status, as well as one’s whole identity in the broadest sense (psychological, genetic, social, and cultural);
• Both data controllers and data processors are responsible for the information they have;
• Demands transparency in how companies collect and share personal data of users, with an emphasis on the clarity on which the data collection policies need to be informed to users;
• Gives users the rightful control over their personal data, so that they can access all their records, demand a deletion of them, or request their data to be transferred to another company;
• Requires mandatory consent of users

What are the rights that GDPR protects?

The focus of this regulation is round citizens, so the rights that it aims to protect are related to individuals, rather than businesses.

The Information Commissioner’s Office of United Kingdom provides a great guide to understand what each right is about and what actions can organizations take to respect them. There are 8 rights that the GDPR refers to:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

Why should publishers care about GDPR?

The reaction from media companies has been quite diverse. There are some good examples that experts recommend for inspiration, like the BBC’s privacy section, but there are many cases in which publishers seem lost in how to approach compliance with the normative, or even, if they should pay attention at all.

It is important to understand that GDPR applies worldwide, this is not just an European issue. And, mostly, while many businesses have reluctantly decided to implement some changes in their privacy policy in order to avoid fines, it’s good to understand that the main interest of the authorities is to guide and help corporations take care of citizen’s data, rather than just compel them to face financial penalties.

The main reason behind getting in line with GDPR is to take the safety and the privacy of reader’s information seriously. To respect user’s data helps to establish a relationship of trust with them, which has only positive impact into differentiate from competitors and add value to customers.

The principles of GDPR help brands take a commitment to be responsible and accountable for user’s data, puts their needs first and helps business meet user’s expectations and needs regarding privacy and transparency.

The data privacy challenges for publishers

All industries have been shocked to the bone with the enforcement of GDPR, but each one has its particular areas of interest and specific details that need to be taken care of.
While it can be overwhelming to figure out where to start, the path to respecting user’s privacy can be easier than most alarmist on the web anticipated. Publishers, in particular, can focus their efforts in some particular actions:

• Start by doing your homework
  Read and understand the norm. Going over legislation might not be your favorite reading material, but there are lots of helpful resources that can help you get into what GDPR is all about. Intersoft Consulting’s GDPR portal provides a more accessible experience for going through the different parts of the normative and in pointing out issues. Also, the Information Commissioner’s Office of United Kingdom has a fantastic guide to GDPR, where all definitions and principles are clearly stated.
  
• Check where you are
  Other valuable tool provided by ICO is the Data protection self assessment, which is a great ally for small to medium sized organizations, who can go through different checklists and find out their compliance with data protection law. The tool provides guides, recommendations and specific actions that can be extremely helpful.
  
  In this stage it is also quite helpful to start documenting all the data collection channels and steps that your company has. This is not only regarding your website, but it can also include information collected in events, from partners or even sales. You can also start categorizing your contacts in EU that might have already provided some form of consent.
  
• Get into the correct mindset
  There isn’t an easy way out to avoid changes or quick fixes to cross this issue of your list. It is important to get involved and take consideration of the importance of your reader’s private information. Also, it is vital to make sure that the approach you take is customized to your business: avoid basing your policy on other portals.

• Blocking EU users is not the correct solution
  A few publishers have failed into panic and considered blocking visitors from European Union altogether. This will online represent a major loss in traffic and revenue. For example, almost 20% of New York Times Digital and 22 million of Washington Post readers come from outside of the US. Above all, remember that to compile with data regulation is not a benefit for EU users alone, but a fair relationship with all your readers, regardless where they are from.

• Pay attention to content personalization
  To tailor the information and the experience provided based on reader’s interests and needs has been a pillar into digital strategy. So, how can we find a balance between users’ right to data privacy and their expectations for personalized interactions and content? Transparency can not be negotiated, so a better approach could be to try to educate users about the ways their data is being used and how they can benefit from it.

• Get your team up to the challenge
  Start by appointing a GDPR lead and a team accountable for the control of the implementation of your privacy policy. And clearly explain that this is a team effort: while your legal team might ace understanding vital errors to avoid, it’s important to remember that clarity is one of the pillars to the norm. You policy needs to be explained easily to your readers. Get marketing involved, not only because their practices involve dealing heavily with user’s data, but because there need to be a clear communication of what you do with it.

• Take advantage of the tools available
  There are new solutions that can help publishers simplify the process of dealing with all the changes that need to be implemented. There is a wide offer of Consent Management Platforms (CMPs) that can assist publishers with the consent they need for collecting, processing and using personal data. Take the time you need to analyze the cons and pros of each one and chose the one that better suit your needs.

• Think of the long run
  As we mentioned before, rather than reluctantly compiling with the minimum requirements of a regulation, it is best to get into the right mindset and embrace the important of taking proper care of sensible user’s information.
  
  In tune with that, a good practice is to think about a plan for your privacy policy long term, and become used to notifying users accordingly. Think about how the best way to communicate and explain your policy is and key in mind that is has to be straightforward, clear and to the point. This has to be a continuum effort, part of your companies practice. Include it into your planning.

• Hope for the best, prepare for the worst
  Among all the task your team will take over, make sure to include in your estimation the design of a Data Breach Plan. GDPR requires organizations to report breaches no later than 72 hours after the they become aware of the them. With this in mind, it’s a good idea to take precautions and know what actions to take if something happens. There are a few things that you might want to consider while designing your plan, like how to notify internally to employees and major stakeholders besides how to explain clearly to your customers what happened, including how to file complaints and get assistance, and how it is important to be transparent in communications like press releases and social media responses.

Welcome to the age of Data Protection

Despite initial fear about the implementation of GDPR, publishers can see the current times as an opportunity to join a more responsible and ethical manage of the information users provide and take that mindset into establishing a more respectful relationship.

The digital ecosystem that we have today could not have been imagined 20 years ago. It makes sense that the legislation seeks to protect individuals so that they can participate in digital economies without their rights being violated. It has been long since the user has become the center of what is developed and designed, and only great things have come to brands because of that.

Organizations can only thrive by stepping into the game and evolve along changes that aim to put the customers first. Embrace the spirit of data protection and get ready to establish a new phase on your relationship with your readers –one based on trust and respect.