Editor’s note: Terry Vavra and Doug Pruden are partners at research firm Customer Experience Partners. Vavra is based in Allendale, N.J. Pruden is based in Darien, Conn. This is an edited version of a post that originally appeared under the title, “Your customers own your database – effective immediately!”
May 25, 2018, was a historic day for customer databases. It marks the implementation of the European Union’s new policy on digital privacy protection, the General Data Protection Regulation (GDPR). Crafted over the last two years, it covers how data collected on individuals within the European Union and the European Economic Area is stored and treated. It’s a monumental step for government’s involvement in data processing – an initiative the United States can’t quite seem to rally behind.
The impact of this new initiative is being felt worldwide. You don't have to be in the EU or even do business with EU-based companies to be affected!
Background on the GDPR
Replacing the EU’s previous Data Protection Directive, the GDPR’s aim is to give control of collected data to the individuals described in the data. Its additional goal is to simplify the regulatory environment by adopting a single regulation across all of the countries comprising the EU.
The primary focus of the regulation is that all businesses handling personal data must utilize systems built with data protection “by design and default.” This means that personal data must be stored using pseudonymization or full anonymization, and must use the highest possible privacy settings by default, so that the data is not available publicly and cannot be used to identify a subject without additional information (which should be stored separately).
Specifically, the GDPR stipulates:
- Consent – Processors of personal data must clearly and simply disclose their activities to collect personal data, so that customers are not confused into giving their consent. It also must be easy for customers to withdraw consent.
- Breach notification – Data breaches and the consequent risks must be reported to customers within 72 hours.
- Right to access – Customers have the right to know if their personal data is being processed and how. They also have a right to receive an electronic copy for free.
- Right to be forgotten – Customers have the right to request their data be erased.
- Data protection officer – Businesses whose core activities include processing/use of personal data are required to employ a data protection officer.
- Privacy by design – The philosophy of data protection must be present throughout the design and use of software, Web sites, operating systems, etc.
- Full disclosure – A processor of personal data must clearly disclose any data collection and declare the lawful basis and purpose for data processing, how long the data will be retained and if it will be shared with any third parties or parties outside the EU.
Notifying customers
As a result of the adoption of the GDPR – and its global influence – we’re all receiving daily e-mails announcing the updating of vendors' privacy policies. We received the following, which is an exceptionally clear presentation:
Contrast with U.S. perspectives
For those of us who oversee customer databases using current U.S. standards, if we wish to be compliant with the GDPR, we'll need to:
- Stop thinking about personally identifiable information and expand our concept to personal data. Personal data applies to anything that can be used to identify a person including things that wouldn’t have been included under the concept of personally identifiable information. These include: e-mail addresses, IP addresses (associated with mobile devices), etc.
- Flip our concept of ownership of the data we collect. According to the GDPR, we don’t own consumer data! The individual customers described in each record own the record(s) describing themselves! The GDPR explicitly proclaims, “Natural persons should have control over their own personal data.” This gives control of the data to our customers.
- Understand the revocable license our customers enjoy. Each of our customers must be seen as giving us permission to use their personal data. This ownership establishes several key considerations: customers may ask to see their data at any time. Customers may correct mistakes in our records. Customers may tell us to stop using the data. And, they may ask us to erase it at any time, revoking our license.
- Recognize that data retention should not be eternal. We’ve often been critical of organizations’ apparent disregard for the value of customer information when they wipe it from their computers to save space or to make operations more efficient. The GDPR mandates that personal data has a shelf life and shouldn’t be retained forever. In short, data should be kept only as long as is necessary.
U.S. consumer privacy law has been based on a notice and consent principle, enforced by the principles of fairness and non-deception reflected in the Federal Trade Commission Act and state consumer protection laws. GDPR reflects more extensive consumer rights and freedoms, bundles of interests our customers own when they purchase our goods or services. These rights may not be so easily negotiated away. In general, thinking of ourselves as stewards or guardians of our customers’ data will go a long way in helping us meet their privacy expectations and also to comply with the basic precepts of the GDPR.