Come May 25th, 2019, GDPR will turn one year. Was it successful or did it just scrape through? One year is too short a period to judge the success rate of any regulation, especially one of the scale and sensitivity of GDPR.
Mathias Moulin, Director of CNIL, the independent French administrative regulatory, stated in an international panel discussion of privacy experts held at London that the previous year for GDPR “should be considered a transition year.”
Right now, GDPR has put into motion a transition for businesses. Although the regulation covers users residing in the European Union, it has definitely made ripples on a global level. Businesses that gave little importance to data protection are now in the process of revamping their entire approach to data. Stories of giants in the tech industry getting slapped with hefty fines are making everyone take data protection seriously. That is definitely a good thing.
If you’re new to marketing or are not familiar with the nuances of GDPR compliance, here’s a comprehensive guide to help you get started.
Fingers Burnt, Lessons Learned
Transition year or not, GDPR has already warmed up as a data privacy breach notification law. GDPR has instilled confidence in users, a sense of responsibility in organizations, and established authority for data agencies. A report published in February by the European Data Protection Board (EDPB) established that fact with certainty.
The report was EDPB’s first overview of GDPR implementation and gave accurate information on how GDPR was implemented, the number of cases received and their disposition thereof. Here’s a snapshot of the findings from that report.
As seen from above, Google was at the receiving end of a mammoth €50m fine. The fine was imposed by – CNIL (French data protection agency) for two reasons:
- Google failed to meet the transparency and information requirements under the regulation.
- A legal basis for data processing was not obtained.
Like Google, several other organizations in Austria, Portugal, Poland, and Germany have also been charged with fines for unlawful collection and access to user data.
How GDPR Transformed the Approach to Data Protection
Until GDPR was enacted, the number of breach notifications or complaints were literally zero. The erstwhile 1995 Data Protection Directive gave each individual member nations of the EU (European Union) to create their own data protection and regulation laws. As a result, the approaches varied from country to country in the EU.
While some countries mandated the need to notify users of a breach, a handful of other countries required only to report breaches to the authorities. As a result, the big picture of data protection of users and how to notify a breach was distorted.
GDPR swept all that way with a single stroke. It introduced a single charter which made it mandatory for data collecting organizations to establish data protection measures, have a legal basis for data collection, and also report instances of data breaches to both authorities and users. In fact, it also lay down a time frame of 72 hours to issue such notification.
For users and marketers, one highlight of GDPR is the treatment of privacy notice.
Privacy Notice — Transits from Greek and Latin to Plain English
GDPR put into place stringent measures that require organizations to take user consent before collecting data for processing. But, the problem is, nobody reads a 100-page privacy notice or terms and conditions unless they are paid for it. All users voluntarily click on the “I Agree” button without going through the terms which defeat the entire purpose of GDPR.
To tackle this challenge, GDPR lays down certain conditions to be followed while writing a privacy notice. They are:
- Written in clear and plain language, particularly for any information addressed specifically to a child
- Delivered in a timely manner
- Provided free of charge
The official GDPR website also offers a template that can be used to ensure compliance.
Today, almost every mobile app and website displays a pop-up or notification that seeks the user’s consent to collect their cookies or data.
GDPR has shaken things in the mobile app marketing space. And it will continue to streamline in the days to come.
GDPR Compliance in Mobile App Marketing
If you are a business manager, you ought to know that the data you collect from prospects, customers, employees or even visitors to a building is now under the purview of GDPR.
As a business owner, how should you tread the future to ensure GDPR compliance?
Following these steps should help.
1. Ask for explicit user consent
Don’t trick customers into giving consent with auto-filled forms, already opted-in checkboxes and so on. Design sign up forms and fields in such a way that users give explicit consent to sharing their data.
2. Be transparent about data collection
Tell them what you collect. Is it browsing the history, cookies, real-time location, contacts, messages, images stored on the cloud — every byte of data that you collect from users should be made known to them.
3. Practice privacy by design
If you are in the process of building an app, it is the perfect time to ensure that the app is designed to provide privacy to users.
4. Respond to subject access request
Every request from the user to provide access to their data like profile, media, past transactions, etc. should be responded to. A copy of the data should be given in a commonly used electronic form.
5. Allow users the right to erasure
Every data you collect and store about the user must be erased upon the explicit request of the user.
6. Appoint a Data Protection Officer
Depending on the factors of data subjects, data collected, the period for which data is retained and geographic spread of data collection, a data protection officer may have to be appointed.
7. Tighten user data security
Ensure that all forms of customer data are secured using the best possible hardware and software. Data stored on the cloud should ideally be secured using encryption or similar techniques.
8. Review the services and tools you use
The user data that you share with third-party marketing tools and services also fall under the purview of GDPR. The regulation requires signing a Data Processing Agreement with the data processors as well as ensuring that these third parties who are processing your user data are also GDPR compliant.
For example, MoEngage has updated the platform to ensure that each client is able to respond to individual data subject requests. Read our GDPR policy to know how we ensure total compliance.
From Amazon to Zappos, almost every business runs on data fuel. 90% of the marketing and personalization is crafted with the help of data analytics. And, data is used not only by analytical teams but also by other personnel in the organization like sales teams, marketing, customer support, human resources, facilities management, and security teams.
GDPR lays down specifically the several measures a business must take to ensure user data protection. If your business has a mobile app or leverages user data for marketing, GDPR compliance is not an option, but a mandate.