I’m not going to go into calculating the penalties you might incur for misuse of personal data. That’s a job for the authorities. What seems more important to me, as a consultant, is to warn our clients about as many risks as possible when we’re starting a new project.
GDPR: preventing risks from start to finish
Take all necessary steps to protect all data provided voluntarily and legally collected in the context of our work (in essence, this means applying security measures, i.e. following best practice procedures considered to give sufficient protection to users’ identity and data). It’s primarily a question of best practice…but unfortunately there are many who do not really pay it much heed. They then run the risk of being hacked. As far as the type of good dev practice that should be followed by everyone is concerned, it should not affect the cost, apart from regular audits while it is being developed.
Aspects of technical and functional architecture connected with the GDPR can be annotated and costed, so that clients can differentiate between two competing costings.
Ensure that hosting infrastructures offer the necessary level of protection and have been understood and approved by client teams. In such cases, if your service-provider is not in charge of hosting and operations, all they can do is give you a list of requirements for the other partner to follow.
Questionnaires and guides are available, some of which have been published by Microsoft and European Data Protection Agencies like the CNIL, to help you decide what action needs to be taken and know where to set the bar.
What about data collection?
And what’s the situation vis a vis marketing campaigns that are intended to collect data?
Here too, precautions must be taken to make sure that what your consultant is suggesting falls within the scope of a process that the user is taking part in voluntarily. In this respect, the inquiry into how Cambridge Analytica used FB data during the Trump campaign will be extremely interesting. Could we be heading for digital manipulation crime? Are we going to wake up one morning and find that the American justice system has made decisions that are far stronger than the GDPR framework?
For who knows whether Cambridge Analytica did anything significantly different from what any multinational might do in campaigns intended to get people to buy its products? But the political stakes are so high that nothing is impossible when it comes to consequences.
And don’t forget that both the British Parliament and Brussels have asked to hear Zuckerberg and FB. From that to Brexit… Again, there are some very powerful interests involved here.
European legislators have finally nailed the GDPR – as far as timing is concerned at any rate. Something else might just happen to strike a blow at Google again now, who knows?
In a nutshell, leaving politics aside, you have to make sure that your campaign, collection and storage methods are legal and that your data will be looked after appropriately. And I wouldn’t mind betting that this FB affair is going to electrify the whole GDPR issue. In his act of contrition, Mark Zuckerberg said he thought a strengthened legal framework was needed in the US… but not to the same level as in Germany! In saying this, he placed FB outside the GDPR framework. That means we should have some nice debates to look forward to!
GDPR: how is it going to affect business?
Bit by bit, in response to these new constraints, the techniques for converting traffic into voluntarily identified users on a brand’s own platforms will become really important, much to the joy of companies selling marketing automation solutions and dev in general… and to the horror of the retargeting sector, which restricts consumers’ choice, even when they leave the brand’s particular internet universe. So Criteo shares are now worth only half what they were worth in mid-2017…whereas Apple is promoting itself as a champion of privacy!
Data-construction and mass email purchasing are over now too… long live voluntary sign-up strategies and offering better content that finely targets your website. That kind of thing is legal.
Your Marketing consultants (and I really pity our team by the way Revsquare), are going to have to help clients find their way through the minefield whilst still helping them to increase their market share! That’s some challenge! On the technical side, it’s a little less complicated. Make sure you are given the specific GDPR calculations so that you can show them if there is an inspection. We’ve already started, we will not be sending out any more quotes that don’t show these costings.
The General Data Protection Regulation (GDPR) comes into force on May 25, 2018. Further information: