Through the years, the tech industry has developed disruptive products and services that have forever changed the way we do everyday things. It is often that we find ourselves reading (and writing!) about the most innovative technologies of the year and how we can use them to benefit our businesses. However, 2018 might be remembered mostly with two words that created shock and concern among not only users but industry leaders as well: “data breach”.
Digital users have gained more awareness about data protection and are willing to let companies know when the trust is broken. In Europe, the legislation has managed to be in tune with the current times and on Friday 25th May 2018 the General Data Protection Regulation (GDPR) was finally enforced. Panic round digital players had started months before, though.
The impact was not felt only in Europe but around the world. The digital media publishing industry (and most sectors) was faced to transform the initial fear into a sense of opportunity to build a more respectful relationship with customers. However, a combination of disinformation, misunderstanding and a quite open interpretation of the norm caused a division among those publishers who took the chance to embrace the respect of the data for their readers, while others opted to compile with the bare minimum or even radical approaches, such as block all traffic coming from Europe.
The following article was created to provide some clarity among GDPR, explain some relevant concepts and give the resources so that publishers can not only compile with the legislation but understand the changes that are taking place regarding the information we gather of our users and how we can better create a trustworthy relationship with them.
Let’s get started with the basics.
What is GDPR?
Considered the most important change regarding data privacy in the last two decades, the General Data Protection Regulation (GDPR) is a regulation enforced by the European Union that gives their citizens greater control over the collection and use of their personal data.
One of its most important impacts is that it has redefined what accounts as personal data and that sensitive information does not belong to a business, but the individuals. There is also a focus put on how business takes care of such sensitive information and the responsibility they have to EU citizens.
The core of GDPR can be summarized on the following key points:
- Previous directives considered personal names, photos, contact information, social security numbers and bank accounts as personal data. GDPR broadens that definition to include IP addresses, biometric data, mobile device identifiers and geolocation, economic status, as well as one’s whole identity in the broadest sense (psychological, genetic, social, and cultural);
- Both data controllers and data processors are responsible for the information they have;
- Demands transparency in how companies collect and share personal data of users, with an emphasis on the clarity on which the data collection policies need to be informed to users;
- Gives users the rightful control over their data, so that they can access all their records, demand deletion of them, or request their data to be transferred to another company;
- Requires mandatory consent of users
What are the rights that GDPR protects?
The focus of this regulation is round citizens, so the rights that it aims to protect are related to individuals, rather than businesses.
The Information Commissioner’s Office of United Kingdom provides a great guide to understand what each right is about and what actions can organizations take to respect them. There are 8 rights that the GDPR refers to:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights concerning automated decision making and profiling
Why should publishers care about GDPR?
The reaction from media companies has been quite diverse. There are some good examples that experts recommend for inspiration, like the BBC’s privacy section, but there are many cases in which publishers seem lost in how to approach compliance with the normative, or even if they should pay attention at all.
It is important to understand that GDPR applies worldwide, this is not just a European issue. And, mostly, while many businesses have reluctantly decided to implement some changes in their privacy policy to avoid fines, it’s good to understand that the main interest of the authorities is to guide and help corporations take care of citizen’s data, rather than just compel them to face financial penalties.
The main reason behind getting in line with GDPR is to take the safety and the privacy of reader’s information seriously. To respect user’s data helps to establish a relationship of trust with them, which has only a positive impact into differentiate from competitors and add value to customers.
The principles of GDPR help brands take a commitment to be responsible and accountable for user’s data, puts their needs first and helps business meet user’s expectations and needs regarding privacy and transparency.
The data privacy challenges for publishers
All industries have been shocked to the bone with the enforcement of GDPR, but each one has its particular areas of interest and specific details that need to be taken care of.
While it can be overwhelming to figure out where to start, the path to respecting user’s privacy can be easier than most alarmist on the web anticipated. Publishers, in particular, can focus their efforts in some particular actions:
- Start by doing your homework
Read and understand the norm. Going over legislation might not be your favorite reading material, but there are lots of helpful resources that can help you get into what GDPR is all about. Intersoft Consulting’s GDPR portal provides a more accessible experience for going through the different parts of the normative and in pointing out issues. Also, the Information Commissioner’s Office of United Kingdom has a fantastic guide to GDPR, where all definitions and principles are clearly stated.
- Check where you are
Another valuable tool provided by ICO is the Data protection self assessment, which is a great ally for small to medium sized organizations, who can go through different checklists and find out their compliance with data protection law. The tool provides guides, recommendations and specific actions that can be extremely helpful.
In this stage, it is also quite helpful to start documenting all the data collection channels and steps that your company has. This is not only regarding your website, but it can also include information collected in events, from partners or even sales. You can also start categorizing your contacts in the EU that might have already provided some form of consent.
- Get into the correct mindset
There isn’t an easy way out to avoid changes or quick fixes to cross this issue of your list. It is important to get involved and take consideration of the importance of your reader’s private information. Also, it is vital to make sure that the approach you take is customized to your business: avoid basing your policy on other portals.
- Blocking EU users is not the correct solution
A few publishers have failed into panic and considered blocking visitors from the European Union altogether. This will online represent a major loss in traffic and revenue. For example, almost 20% of New York Times Digital and 22 million of Washington Post readers come from outside of the US. Above all, remember that to compile with data regulation is not a benefit for EU users alone, but a fair relationship with all your readers, regardless of where they are from.
- Pay attention to content personalization
To tailor the information and the experience provided based on the reader’s interests and needs has been a pillar into digital strategy. So, how can we find a balance between users’ right to data privacy and their expectations for personalized interactions and content? Transparency can not be negotiated, so a better approach could be to try to educate users about the ways their data is being used and how they can benefit from it.
- Get your team up to the challenge
Start by appointing a GDPR lead and a team accountable for the control of the implementation of your privacy policy. And clearly explain that this is a team effort: while your legal team might ace understanding vital errors to avoid, it’s important to remember that clarity is one of the pillars to the norm. Your policy needs to be explained easily to your readers. Get marketing involved, not only because their practices involve dealing heavily with user’s data, but because there needs to be a clear communication of what you do with it.
- Take advantage of the tools available
There are new solutions that can help publishers simplify the process of dealing with all the changes that need to be implemented. There is a wide offer of Consent Management Platforms (CMPs) that can assist publishers with the consent they need for collecting, processing and using personal data. Take the time you need to analyze the cons and pros of each one and chose the one that better suit your needs.
- Think of the long run
As we mentioned before, rather than reluctantly compiling with the minimum requirements of the regulation, it is best to get into the right mindset and embrace the importance of taking proper care of sensible user’s information.
In tune with that, a good practice is to think about a plan for your privacy policy long term and become used to notifying users accordingly. Think about how the best way to communicate and explain your policy is and key in mind that has to be straightforward, clear and to the point. This has to be a continuum effort, part of your companies practice. Include it into your planning.
- Hope for the best, prepare for the worst
Among all the task your team will take over, make sure to include in your estimation the design of a Data Breach Plan. GDPR requires organizations to report breaches no later than 72 hours after they become aware of them. With this in mind, it’s a good idea to take precautions and know what actions to take if something happens. There are a few things that you might want to consider while designing your plans, like how to notify internally to employees and major stakeholders besides how to explain clearly to your customers what happened, including how to file complaints and get assistance, and how it is important to be transparent in communications like press releases and social media responses.
Welcome to the age of Data Protection
Despite initial fear about the implementation of GDPR, publishers can see the current times as an opportunity to join more responsible and ethical management of the information users provide and take that mindset into establishing a more respectful relationship.
The digital ecosystem that we have today could not have been imagined 20 years ago. It makes sense that the legislation seeks to protect individuals so that they can participate in digital economies without their rights being violated. It has been long since the user has become the centre of what is developed and designed, and only great things have come to brands because of that.
Organizations can only thrive by stepping into the game and evolve along with changes that aim to put the customers first. Embrace the spirit of data protection and get ready to establish a new phase on your relationship with your readers –one based on trust and respect.