Years ago, the world’s valuable commodities were things like oil, precious metals, soybeans and natural gas. Today, while those things have mostly kept their value intact, it can be argued that the most precious thing one can possess is personal data.
When advertisers, for instance, use data they collect to market to consumers in deep, personal ways, it’s a boon for them and their clients. That was data mining’s original purpose; to better understand and connect with an audience. In the past, advertisers, at no small expense, would have to invest in years of trial and error, focus groups and enlist experts in the field of psychology to identify, penetrate and transact with a chosen demographic but now, that information can be gleaned quickly thanks to advances in technology. Every move we make when we engage with the online world is instantly collected, codified and analyzed to tell a complete story of who we are. The events of the Spring of 2018 exposed just how susceptible we really are when it was reported that a British political consulting firm known as Cambridge Analytica, masquerading as an academic institution, acquired the personal data of approximately 87 million Facebook users. This monumental breach alerted the world that their privacy can be easily compromised.
GDPR stresses consent above all else. In fact, that’s really the entire point. While obtaining data, consent needs to be explicit, crystal clear and corroborative. According to Article 4 of GDPR, consent is defined as: “Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
NOTIFICATION OF DATA BREACH
If a data breach occurs, the supervisory authority needs to be informed within 72 hours of the breach. If the privacy of any EU citizens is at risk, they need to be notified as well. Starting in 2018, you’ll need to be vigilant and acutely aware of any actual or potential data breaches that may impact customers or individuals located in the EU.
RIGHT TO BE FORGOTTEN
Pursuant to Article 17 of GDPR, every individual reserves the right to ask for the deletion of their personal data in situations when the data is no longer required: “…in relation to the purposes for which it was initially collected or otherwise processed.”
When it’s all said and done, unless you are an attorney with an intimate knowledge of the GDPR, resist the urge to go it your own way. It is highly recommended that you seek legal advice with an attorney specializing in GDPR compliance and that you involve your IT staff to give you further recommendations. Hopefully, this sort of transparency between brand and consumer will bode well for the future as it protects the integrity of both parties involved.