It’s all haywire when looking at data protection in Europe and I am wondering about the impact it will have on the Asian business world. After 15 years, the Safe Harbor agreement got dumped in October 2015, which allowed companies to transfer personal data from the EU to the USA and process them there. There is no binding succession regulation for the time being, but the USA and the EU have agreed on a so-called “Privacy Shield Agreement”, which particularly obligates marketing managers to protect customer data.
Although nobody like rules and regulations, look at the bright side and the benefits the failure of Safe Harbor and the coming into force of the so-called “General Data Protection Regulation (GDPR) brings. It’s a good opportunity to make a binding commitment to data protection that brings along customer confidence and strengthened brand image.
To no surprise, US companies are already taking the lead again by investing in new security standards, new data centers in Europe, and offering their products with EU standard contracts: AppNexus, for instance, just announced that it will introduce major policy changes governing access to and the use of data through its technology stack. In its drive toward compliance with the European Union’s GDPR, the company commits investments in its European data center infrastructure and works with partners to build tools that meet GDPR’s enhanced transparency, access and choice requirements, in addition to the current ePrivacy Directive’s consent requirement and the proposed ePrivacy Regulation.
“GDPR is a coming reality, and companies that don’t prepare for it will find themselves locked out of European markets,” said Brian O’Kelley, CEO of AppNexus. “GDPR will change the way that internet companies do business in Europe,” he continued. “Advertising is the power source of the open internet. It’s incumbent upon all digital publishers and advertisers to work with technology companies that take privacy seriously.”
Because AppNexus’ enterprise products and marketplace sit on top of a unified technology platform, the company believes that it is uniquely able to control and guard the flow and use of data on its technology stack.
Anyway, the new GDPR is clearly placing the onus for compliance on companies, which means Asian companies with a presence in Europe have to be cautious: GDPR applies to businesses established outside of the EU when those businesses offer goods or services to data subjects located in the EU or when they monitor the behavior of data subjects in the EU. Hence, a proper data privacy management must be in place, as well as well-trained personnel that can manage to implement regular follow-up assessment of compliance, since vigilance and focus on data processing activities are constantly needed.
Ultimately, when investing in data protection, we are talking about investing in our own competitiveness, customer loyalty and reputation. Acting too late can be critical, as there is the risk to pay a financial penalty of 4% of the global annual turnover if in violation with the new GDPR - a drastic tightening compared to the previous regulation.
In the future, customers and data protectors will generally get more attention, which is why the new regulations need to be treated with particular care and the analysis of all processes that affect personal data requires fundamental rethinking.
The following few steps are important for marketing managers:
- The first step is to analyze the data transmission paths and processes to quickly identify where action and support are needed: Companies that work with personal data are obliged to ensure that there is no unauthorized access to their data or technical facilities, meaning they must make both technical and organizational arrangements for their services. An approved encryption method is important to protect all personal data from external attacks and policies for advertising and rules for explicit consent to the processing and storage of personal data after changes in the conditions of use must be put to the test here.
- Communication takes place in the second step: Employees and partners are sensitized for data security and even small businesses should appoint a data protection officer. This person should work closely with the marketing community and make a strong commitment to comply with regulations and guidelines. The priority is to interest employees for the topic of data protection and to provide them with know-how and training, since they are the ones who ultimately have to work with new data transmission technologies, security systems and procedures.
- In the third step, suppliers and service providers should get involved. CMOs should confront their data hosts with legal requirements that they must adhere to. If this is not the case, it is important to look for a provider who is hosting customer data on EU soil and does not leave a backdoor open for US authorities. Anyway, marketing managers, who are looking for a secure CRM provider, should be upfront with in negotiations and have preliminary checks to find out which providers are working with data protection.
- Certifications are a fourth step towards a data-compliant company, which means that the company complies with certain security requirements. The certification according to ISO 27001 is often the basis as it proves that the management systems used meet international security requirements. But there are many more certificates available and there is even a European seal of quality called ‘European Privacy Seal’ (EuroPriSe). I’d suggest asking concrete questions regarding certifications, as it will immediately sort out certain contract partners.
My appeal to all companies and marketers who work with sensitive customer data respectively: Rethink privacy - it is not your enemy but your friend – as data protection is brand protection! Investing in secure data pays off because customers and partners appreciate the efforts.
You have still more than a year left to become compliant, since the application date is 25 May 2018, but it’s not very long considering two things. The first is that compliance with data protection laws requires a precise understanding of data processing activities, including knowledge of the cross-border outsourcing of data processing that can take place. Not to mention that some provisions of the GDPR require a further interpretation to be applied in specific sectors.
So, keep things moving!
By Daniela La Marca