GDPR enforcement may be driven by fears of liability

As GDPR Day (May 25, 2018) approaches, the experience of at least one complying marketing firm illuminates two major but hidden factors — one that could drive compliance and one that could hinder it.

The hidden factor that could drive compliance with the General Data Protection Regulation (GDPR): liability.

Yes Lifecycle Marketing is a Portland, Oregon-based cross-channel marketing services firm, helping client companies with website customer preference centers (where email newsletters might be selected), email, SMS, push notifications and Facebook.

SVP Marc Shull told me that his company has been working toward compliance by initiating new processes, consulting with outside experts, reviewing “every single screen” it offers, instituting new data governance policies, coding new capabilities to readily accommodate requests to change or delete personal data and other efforts.

In other words, Shull said, Yes Lifecycle is making a good faith effort to comply. About 10 to 15 percent of the company’s business comes from the European Union, he said, plus his company interprets the regulation as applying to any EU citizen wherever they are, or to any resident of the EU, whether an EU citizen or not. That pretty much covers all markets.

Yes has about 200 client companies, some of which are in the Fortune 500. But each of those companies also has dozens if not hundreds of other service providers.

‘Definitely look at dropping them’

If the client company gets sued or otherwise disciplined by a GDPR governing body, it’s entirely possible that the governing body could similarly go after each of the providers. Or the client company might turn around and sue a provider for not maintaining a high level of transparency and protection of consumer data.

It’s because of this liability, Shull said, that his company is currently deciding how to handle clients’ level of GDPR compliance, as well as their related compliance with the associated and upcoming ePrivacy Regulation.

If a client company is absolutely not complying, he said, Yes will “definitely look at dropping them.”

He compared that possible situation to the anti-money laundering practices that all the service providers of banks need to maintain. If the bank is sued or indicted for money laundering, the investigation will also involve the providers.

Yes intends to tell its clients, Shull said: “Here’s what we’re doing. What are you doing?”

The issue, then, is what to do about client companies that are unclear about how well they are complying. That, Shull said, is a matter Yes Lifecycle is still considering.

And then there’s at least one major factor that could hinder compliance. Exactly what is included in consumer data?

Yes’s understanding — based on advice from outside consultants — is that it includes only data supplied by a consumer, such as name, address, email and phone number written into a form. It does not include, Shull said, additional layers of data — like age, birthdate or gender — that Yes might acquire separately and append to the provided data. And, he contended, it does not include behavioral data that Yes or a client company may track, such as which webpages a consumer visited.

But Article 4 of the GDPR defines “personal data” as:

…’personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…

And “profiling” is defined as:

…’profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements…

Those certainly sound as if GDPR covers behavioral or appended data. But, as Shull notes, the GDPR language and the pending language of the accompanying ePrivacy Regulation is clear in some places and less than clear in others.

The actual scope of what data is covered — and the nature of relationships with providers and clients — may restrict or propel GDPR’s effectiveness, but their actual dimensions may not be resolved until the regulations are in effect.