Legislators have just stuck their noses into an area previously reserved for nerds: data. People are worried for two reasons: first, because to mere mortals, legal jargon might as well be written in an alien language. The only thing we all understand, is that power of the law is coercive; in other words, it forces us to behave in a certain way under pain of sanction (big ones in the case of the GDPR!). The second reason for the general uproar, is that the precious data in question is the black gold of our times, it’s been the cornerstone of everything digital for years now.
With a Master’s in IT law and another in electronic business administration (and one foot in both worlds), my marketing colleagues naturally turned to me to clarify these notorious new regulations around data protection.
Having completed my law degree in France, I can attest to the persistent desire of European legislators to regulate digital practices. Think of the efforts around the anti-pirating law (HADOPI) in 2010. It’s no easy feat for them to follow the relentless pace of technological development, but they’re encouraged by European citizens themselves who, culturally speaking, seem to be more sensitive to the use of their personal data.
What’s striking this time is the reach of the legislation. Legislators have come to understand that the immaterial world of digital cares little about state borders (an American website is just a click away from a German user, for example). The GDPR therefore has a vocation to apply to everyone, everywhere, the second that the personal data of Europeans is collected, stored and used by a company.
The truth is that, behind the question of “simple” legal conformity (that your lawyer and every article on the topic are trying to explain in a way you can understand), this legislation marks the beginning of a new era. And I don’t say that lightly. There’s no going back on these fundamental questions of society and even ethics. The Cambridge Analytica scandal and Mark Zuckerberg’s testimony before congress played out in the public sphere: people’s eyes were opened. There has been a real public awakening on this sensitive subject. The proof: it was a topic of conversation at my last family dinner. When I quoted Andrew Lewis to my grandfather, “If you’re not paying for it, you’re not the customer; you’re the product being sold,” he responded that had he understood that his information was being “sold,” he would at least have wanted to be told! And that’s the heart of the problem.
Let’s be clear, the GDPR doesn’t exist to put an end to the collection, use and storing of users’ personal data. The legislation has a dual purpose:
1. Protection of users’ personal data (to prevent, for example, breaches such as the one experienced by Equifax in March 2017)
Personal data can be defined as any information (or grouping of information) that allows for the identification, directly or indirectly, of a physical person. The most obvious, for example, are: name, location data and identification number, but this also includes one or more factors specific to a person’s physical, psychological, genetic, mental, economic, cultural or social state.
2. Informing users
The requirements listed all converge on companies’ ability to demonstrate extreme transparency in how they collect, use and store information. Things that were previously done unbeknownst to users, particularly in the area of Ad Tech, now need to be explicitly and intelligibly exposed. And that’s where marketing is going to have to adapt.
Acquiring consent is the the heart of a new user experience. According to the law:
The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Because yes, a user might well want to consent to the collection, use or storage of their information… If there’s something to be gained in return. After all, targeting is a practice that allows advertisers to serve content, services and messages that really are more relevant to the user. I am a woman in my thirties, living in Montreal, who loves art. I want to see ads on the Foire Papier in my neighbourhood, not ads about discounted menswear from a store in Sherbrooke. The promise of curation and relevance is, in my opinion, the key to new “seduction’’ strategies in order to obtain consent. The message will be changing from a shy “Please agree for legal purposes.” to a proud “You have every reason to opt-in!”
Another important point: the new law expects companies to be able to prove “legitimate use of any data that’s collected, used and stored.” Which means that the impact will vary depending on the company concerned, the nature of its activities and the reason for collecting, using and storing data. Once again, an Ad Tech company, whose very business model revolves around monetizing user data, has more reason for concern than a company that collects information about its customers (through explicit consent) simply to serve them better. It’s an ideal opportunity for companies to rethink their user experience and redouble their efforts and creativity to exploit their owned data in an optimal (and legal!) way. #DataOptInFTW
Step 1 – Gather the right people
Step 2 – Audit yourself!
This is an opportunity to take stock of the following issues:
Yes, the exercise will be tedious, but oh so useful! Once documented, it will then be easier for you to measure the real impacts of GDPR on your business and to take the right actions. Who knows, you may find that some data collected did not ultimately bring you so much business value…