The impact of GDPR on marketing technology and cybersecurity
How should you prepare for the European privacy regulation going into effect next year? Contributor Travis Wright explains the GDPR's provisions and outlines one approach to compliance.
Failing to be a good steward of consumer data and letting it fall into the wrong hands will soon result in severe penalties in the European Union. In the event of a data breach, companies will have to pay the equivalent of 20 million euros or 4 percent of annual revenues, whichever is larger. Ouch!
The GDPR is new legislation from the European Union that gives consumers more control over their personal information, including “the right to the protection of personal data” and “the right to be forgotten.”
Beginning on May 25, 2018, the General Data Protection Regulation (GDPR) will place responsibility for honoring those rights in the hands of those who gather and process customer data. It applies to any company or organization that captures, shares or holds personally identifiable information of EU citizens in the course of business.
The early days of advertising
In the early days of advertising, agencies and their clients didn’t have to worry much about “data.” What they thought of as data generally meant consumer demographics, response rates and return on investment: information that was valuable to them and maybe their competitors, but that was about it.
Fast-forward a few short decades, and now we live in an interconnected world where information constantly and invisibly flows all around us. Marketing technology allows us to direct and capture these streams of data to build brands and drive business development and sales.
However, the latest twist is that marketing technology companies find themselves in a position where they and their clients must protect this data. Hackers want it for nefarious purposes, and they’ve unfortunately become very good at obtaining unprotected data through dubious means.
The impact of the GDPR on martech
The GDPR will have a massive impact on the martech landscape in Europe, and not everyone is going to survive. The whole thing is very Darwinian: those who adapt to the new environment will prosper, and those who don’t will go extinct. It’s as simple as that. It’s also similar to the Mafia; if you don’t comply, the EU will make you comply!
Furthermore, it’s fairly certain that martech clients will start to demand indemnification from vendors so they’re not liable if a data breach occurs. However, this is balanced by the fact that their brands will be affected negatively by breaches regardless of their legal liability, so it’s in everyone’s interest to work together to protect against breaches and to minimize liability under the GDPR.
Preparing for compliance with the GDPR
The GDPR goes into effect in May 2018, meaning there’s still time for marketers to properly protect their users’ data and, by positioning themselves as responsible custodians of customer and employee data, gain a strategic advantage before the law takes effect.
There are several steps organizations must take to achieve this:
- Designate a Data Protection Officer (DPO). This is a professional who specializes solely in protecting data that’s your organization’s responsibility under the GDPR. They are deeply familiar with the GDPR and its requirements. Their job is to ensure compliance with the GDPR and protect you from liability.
- Perform an internal assessment. Agencies should undertake an internal audit of their data collection, storage and protection procedures with the oversight of the DPO. The goal is to identify opportunities for improvement and/or potential areas of vulnerability that hackers can exploit. The DPO will then create “codes of conduct” for the protection of personal data and individuals’ rights. Then the DPO will implement policies to address these issues and ensure the integrity of your organization’s data.
- Talk to your corporate attorneys. Clients will demand contract revisions that place liability for GDPR violations upon agencies that collect data on their behalf. You need to have your legal team on standby for all contract reviews to ensure that these new terms are fair.
What is the solution for ensuring GDPR compliance?
One solution that’s been widely discussed is Data-Centric Audit and Protection or “DCAP.” Rather than securing networks, hardware or software, DCAP focuses specifically on securing the data.