Consent and Data Collection Under GDPR

The following blog post was written by Matthew Vernhout, Director of Privacy & Industry Relations at 250ok.

Privacy rules are changing, and the way brands interact with consumers is becoming fragmented by international borders. Consumers are becoming savvier about their personal data, thanks to the number of data breaches and businesses constantly in the news due to privacy concerns. It’s time to start thinking about one policy for data collection and data management that complies with every jurisdiction you operate in. If you don’t have something like this already in place, you might be behind the eight ball and at risk of punishment for various infractions. There is no time like the present to get started.

How you collect consent from your consumers should be something consistent and easily replicated, regardless of where your business operates. I mean, do you like the thought of someone getting preferential treatment and better accountability from a vendor than you, just because you live in a different country? Doubt it! I bet the thought really burns your chops.

How can I determine the proper type of consent to use?

Many marketers are still confused about proper consent requirements when messaging their clients and prospects. Consider the requirements for data collection under the GDPR, ePrivacy, Brazil’s new privacy law (GDPL), or California’s new Consumer Protection Act when you’re looking at your data management practices. Start from the principle that any time you request access to someone’s data, you must be transparent about what you’re asking for, how you plan on using the data, and how long you plan on using it. GDPR states:

“The data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection.” (Article 38 of the Directive (95/46/EC)).

In short, be clear about your intentions, about any potential for a third party to process data on your behalf, and about how a person can withdraw their consent in the future. This idea is becoming a standard in privacy legislation around the globe, so it should be your standard too.

Since we are talking about the GDPR, let’s look a bit deeper into Article 6, which outlines six key types of lawful processing. Recitals 40 through 48 further describe each of these terms:

  • Consent: The data subject gave consent to the processing of his or her personal data for one or more specific purposes.
  • Performance of a contract: Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
  • Compliance with a legal obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Vital interests of the data subject: Processing is necessary in order to protect the vital interests of the data subject or another person.
  • Public interest: Processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller.
  • The legitimate interest of the data controller: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

But which is the best type for my organization?

Take a look at ways your company can build a best-in-class privacy program that will stand up to top-tier privacy legislation around the globe. Build privacy into all of your processes to avoid some of the simplest privacy snafus, like a data breach that exposes important data points such as passwords that were stored without proper encryption.

When you’re looking to standardize your processes, you need to balance your company’s objectives and your need to comply with relevant legislation around the world. Start with asking for consent, and provide a clear and easily understood statement (written in plain language) to describe how you plan on using the information. For example, under Canada’s Anti-Spam Legislation (CASL), your request for consent must be a positive action, separate from other actions, with a clear statement on how a subscriber can later unsubscribe from messages, accompanied by your brand’s contact information (postal- and web-based).

I’ve heard mentions of sensitive data, but what does that mean?

There are data points and then there are sensitive data points. These could include items that may cause embarrassment or true harm to an individual if they were to be shared without consent. Depending on the geographic region, sensitive data items could include race, genetics, health, financial, religion, minors’ data, or sexual orientation.

Special category data should only be collected on a need-to-know basis, but really, that’s a good rule of thumb for all data collection, special or otherwise. Data minimization is a strong privacy tool to use. For example, if you want to send a birthday note, consider collecting only the day and month, without the year. Perhaps skip asking about gender if you don’t plan on using it for any purpose other than an internal demographic.
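As an added example (this is not 250ok’s or the author’s code), the checks below encode the consent criteria described under CASL above (an affirmative action separate from other actions, a stated purpose, withdrawal instructions, and postal and web contact details) as a validator over a consent record, and pair it with the birthday data-minimization rule from this section. The record fields, the sample records and the sender details are assumptions constructed for illustration; a real program would store whatever its own consent form actually captures.

```python
"""Consent-record checks and a data-minimization helper (added example, not 250ok code).
Field names and sample values below are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ConsentRecord:
    subject_id: str
    purposes: list                    # plain-language purposes the subject agreed to
    affirmative_action: bool          # True only if the subject actively opted in (no pre-ticked box)
    bundled_with_other_action: bool   # True if consent was tied to, e.g., completing a purchase
    withdrawal_instructions: str      # how the subject can unsubscribe / withdraw later
    third_party_processors: list      # processors disclosed at collection time
    sender_postal_address: str
    sender_url: str
    collected_at: datetime            # when consent was captured; must be timezone-aware


def validate_consent(rec: ConsentRecord) -> list:
    """Return a list of problems; an empty list means the record meets every criterion."""
    problems = []
    if not rec.affirmative_action:
        problems.append("consent must be a positive action by the subject, not a pre-ticked box")
    if rec.bundled_with_other_action:
        problems.append("consent must be requested separately from other actions")
    if not rec.purposes:
        problems.append("at least one specific purpose must be stated")
    if not rec.withdrawal_instructions.strip():
        problems.append("the request must explain how to withdraw consent later")
    if not rec.sender_postal_address.strip() or not rec.sender_url.strip():
        problems.append("sender postal and web contact details must accompany the request")
    if rec.collected_at.tzinfo is None:
        problems.append("collected_at must be timezone-aware so the consent can be evidenced later")
    return problems


def minimize_birthday(iso_date: str) -> tuple:
    """Keep only (month, day) from a YYYY-MM-DD birthday; the year is never stored."""
    d = datetime.strptime(iso_date, "%Y-%m-%d")
    return (d.month, d.day)


# Constructed sample records (not real subjects).
SAMPLE_OK = ConsentRecord(
    subject_id="subj-0001",
    purposes=["monthly product newsletter"],
    affirmative_action=True,
    bundled_with_other_action=False,
    withdrawal_instructions="Use the unsubscribe link in any message or email privacy@example.com",
    third_party_processors=["example email service provider"],
    sender_postal_address="123 Example St, Example City",
    sender_url="https://www.example.com/privacy",
    collected_at=datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc),
)

# Same purpose, but captured via a pre-ticked box during checkout, with no withdrawal text
# and a naive (timezone-less) timestamp.
SAMPLE_BAD = ConsentRecord(
    subject_id="subj-0002",
    purposes=["monthly product newsletter"],
    affirmative_action=False,
    bundled_with_other_action=True,
    withdrawal_instructions="",
    third_party_processors=[],
    sender_postal_address="123 Example St, Example City",
    sender_url="https://www.example.com/privacy",
    collected_at=datetime(2018, 6, 1, 12, 0),
)

if __name__ == "__main__":
    print("OK record problems:", validate_consent(SAMPLE_OK))
    print("Bad record problems:", validate_consent(SAMPLE_BAD))
    print("Minimized birthday:", minimize_birthday("1990-07-14"))
```

Running the module prints an empty problem list for the first record and four findings for the second; the birthday helper returns only the month and day, so the year never reaches storage in the first place.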

Being cognizant of consent and transparency is the first step to building a strong, privacy-first program that gives consumers an easy-to-understand request. Building in strong technology to keep that data secure and protected is necessary, especially as regulators start to tire of breach notification after breach notification, coupled with the number of mandatory reporting laws coming into force (GDPR on May 25, 2018, and in Canada on November 1, 2018). It’s wise to stay ahead of the curve and be safe, rather than sorry. Your customers will thank you for it.

*Editor’s note: This is not intended as legal advice, but a practitioner’s interpretation. It is highly recommended you seek your own counsel’s opinion and understanding of your responsibilities under the appropriate global legislation.
