06 Dec The General Data Protection Regulation – A New Era of Digital Trust
The General Data Protection Regulation (GDPR) will change the way organisations use data and will reshape how you and I, as ‘data subjects’, respond to database marketing.
The GDPR will level the playing field across Europe, and it will lead to a more transparent and honest relationship between businesses and their publics.
So why the change?
Consider these statistics:
92% of consumers do not fully understand where and how marketers, brands and organisations use their personal information.*
27% of people still don’t feel comfortable sharing their personal data in any manner.
Only 8% of customers understand where and how organisations use their personal data.
57% don’t trust brands to use their data responsibly – the biggest concern being passing on data to others without permission, with 51% having received communications from organisations they feel have misused their data.
57% of customers will share information if they know it won’t be sold or shared further.
53% will share information if they can be guaranteed that data protection safeguards are in place.
The message is clear: consumers will feel protected, and more confident about sharing their data, if they understand who is using it and trust the organisations receiving it.
It all comes down to trust
According to the Edelman Trust Barometer, trust in business and government is at an all-time low. So, this kind of regulation will help those who comply to build their reputation and deepen their customer relationships, ultimately building trust.
Anything that builds trust is music to a PR practitioner’s ears. However, we need to work with our clients to help them see past the headlines about GDPR fines and understand how non-compliance will be detrimental to their reputation and, ultimately, prevent them from doing business.
Yes, the fines are the big news – up to 4% of annual global turnover or €20 million, whichever is greater. But that is not the big issue; non-compliance is about damage to reputation. Compliance, on the other hand, is about building trust with clients and employees, and transparency and accountability are what will let organisations use personal data in more ways than they can today.
Another key consideration is that in the UK, the Information Commissioner’s Office (ICO) can issue a stop order, forbidding an organisation from processing personal data on a temporary or permanent basis. That could bring a data-driven business to its knees.
Protecting the data subject
Fundamentally, the GDPR protects the rights and freedoms of data subjects – that’s you and me. We need to put the audience first – a natural consideration for PR professionals.
To be compliant, an organisation must:
· Understand what personal data is being processed;
· Understand the rights of the data subjects;
· Gain the correct and precise permissions;
· Put in place the right processes;
· Mitigate the risk of data breaches;
· Record those actions.
This is an ongoing process, not a one-off exercise, because the GDPR states that organisations can only hold on to personal data for as long as it is needed for the purpose it was collected for.
Creating greater digital trust
The GDPR enshrines seven principles (Article 5) that will create greater digital trust.
- Lawfulness, fairness and transparency – information about the data usage and policies must be freely given and easy to access and understand. Everyone must get a data privacy notice; it must not be hidden away in general T&Cs. The information must be separate, written in ordinary language that is age appropriate and easily accessible;
- Purpose limitation – the purpose of collecting and using data must be specified, explicit and legitimate, and the data can only be used for that stated purpose;
- Data minimisation – only data that is adequate, relevant and necessary for the stated purpose may be collected, and in practice only those who genuinely need to access the personal data should be able to do so;
- Accuracy – data must be kept up to date and accurate;
- Storage limitation – once the reasons for having the data have been fulfilled, organisations have to dispose of it;
- Integrity and confidentiality – the data controller must do all that it can to protect the information from misuse, unauthorised access, loss etc.;
- Accountability – the data controller must be able to demonstrate that it is complying with the regulation. This means organisations need to live the details of the GDPR, another building block in establishing trust and a positive reputation.
Another important point concerns third-party data processors. If an organisation outsources its data processing, the processor must act only on the organisation’s documented instructions, under a written contract, and both organisations can be held liable for damage caused by non-compliant processing. It is therefore important to check that the third party is compliant before handing it any personal data.
Another important principle of the GDPR regards subject access requests. Data subjects will have greater powers to find out what data is held about them, how it is being used and where it is stored.
The NHS, Tesco, Sports Direct, TalkTalk and Uber (to name but a few) have all fallen victim to high profile cyber breaches; under the GDPR, they would have had 72 hours from becoming aware of a breach to report it to the supervisory authority (the ICO in the UK), and in some cases to inform the affected individuals as well.
Being ready to communicate during a crisis has never been more critical.
By next May (the GDPR applies from 25 May 2018), businesses and other organisations will need to be able to demonstrate their data compliance. As always, actions speak louder than words, and respect for personal data will be crucial to building and retaining an excellent corporate reputation.
If you would like advice about the GDPR, Black Vanilla works closely with a number of IT service providers; please get in touch, and we will be happy to make an introduction.
We look forward to hearing from you.
*Whose data is it anyway? 2016, CIM survey