Living in this digital age, where privacy and security are some of the biggest ethical challenges we are facing, GDPR comes, right in time, to force every business to re-approach the way they interact with consumers and respect their privacy rights. Its purpose is not to stop businesses from processing personal data, but to ensure that everyone is transparent, properly protects customer data and avoids unfair or deceptive practices.
Before GDPR was introduced, there were many areas of concern, including how data was stored, backed up and accessed, so the new data privacy regulation is designed to bring clarity and strengthen European citizens’ privacy rights. With GDPR fast approaching, the question is: ‘Will you be ready when the regulators come knocking?’ We strongly believe that compliance is a collective responsibility, so we would like to urge every performance marketing network to review and understand its role and responsibilities before it’s too late. Here’s what you need to know to ensure your compliance:
Get to know your users
If someone asked you ‘What kind of data do you hold for each of your customers, employees and third parties?’, would you be 100% sure about your answer? You can’t protect personal data if you don’t know which data you are currently processing. This calls for data mapping – the process of creating a record of all the personal data you hold, including data items (names, phone numbers, email addresses, occupation, etc.), format (hard copy, online data entry, database), transfer method (post, telephone, internal, external) and location (office, cloud, third parties). This will help you see where your data resides, implement measures to reduce the risk of a potential information security breach and understand who should be accountable in that case (data controller or data processor).
Audit your partners
One of the most urgent actions is to review your relationships with your third parties and assess whether their current processes confirm their GDPR compliance. This can be done by carrying out due diligence – evaluating their security, privacy and confidentiality practices to confirm whether they comply with the new data regulation – and then continuing to audit them regularly to ensure they keep doing the right thing.
For example, at Marketing Town, we have managed to simplify and accelerate the due diligence process using customisable compliance questionnaires. Given the accountability requirements imposed on both controllers and processors under the new regulation, we have developed the means to assess each and every third party during the onboarding phase and keep monitoring their behaviour on a regular basis. From our experience, we would like to advise everyone to see this as an opportunity to have a closer relationship with their partners and ensure everyone handles data appropriately.
Document policies around processing
Whether you are the data controller or processor, it is your responsibility to keep a record of all your processing activities. This will not only help you go over your current practices and evaluate whether you meet the requirements, but also ensure you have the evidence to support your claims in the event of a compliance investigation. Please note that all documentation must be in writing or in electronic form.
As part of your journey to GDPR, your public statement of how your business applies data protection principles to processing data should be kept up to date. The privacy notice lets data subjects know what you collect, what you do with it and why, and therefore should be easily accessible to everyone visiting your website or dealing with your company. Being transparent and providing accessible information will be key in helping individuals understand why they should opt in in the first place.
Determine your data controllers and processors
If your business uses third parties, sub-contractors and other networks to assist you in providing your services, you should let users know the scope of that sub-processing. Customer relationship management systems, plugins, affiliates and email service providers are some examples of the kinds of third parties you should include in your privacy notice. It is therefore important to determine who those data processors (those who process data on your behalf) and sub-processors (processors who have access to personal data) are, and to publish a list of all the parties who are authorised to process personal data or have access to it. It is in your hands to make the processing of personal information fair!
Have a clear opt-in procedure
Not long from now, marketers will need to prove that end users consented to receiving marketing communication from them. An easy way to do that is to have users confirm their signup via a verification link sent directly to their inbox. The advantage of having such a process in place is that websites under a performance marketing network can confirm that new subscribers are valid and in line with the new regulations.
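The confirmation-link flow described above, written out as an added example that is not part of the original post or of any Marketing Town product. It assumes a hypothetical confirmation endpoint (`https://example.invalid/confirm`), a server-side secret supplied by the caller, and a 48-hour validity window for the link; all of those are assumptions. The point it makes beyond the paragraph is that the token should be tamper-evident, single-use and expiring, and that confirming it should produce a dated consent record you can later show to a regulator.

```python
"""Double opt-in (confirmed signup) for marketing email.

Hypothetical example: the endpoint URL, secret and 48-hour policy are
assumptions chosen for illustration, not values from any real system.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import asdict, dataclass
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 48 * 3600                 # assumed policy: link valid for 48 hours
BASE_URL = "https://example.invalid/confirm"  # hypothetical confirmation endpoint


@dataclass
class ConsentRecord:
    """Evidence that a subscriber confirmed the signup, kept for later audits."""
    email: str
    purpose: str          # what the subscriber agreed to receive
    source: str           # which form or page the signup came from
    requested_at: int     # unix time the signup form was submitted
    confirmed_at: int     # unix time the verification link was used
    confirmed_from_ip: str


class DoubleOptIn:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = {}    # nonce -> (email, purpose, source, requested_at)
        self._consents = {}   # email -> ConsentRecord

    def _sign(self, payload: bytes) -> str:
        # HMAC over the exact payload bytes makes the link tamper-evident
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def request_signup(self, email: str, purpose: str, source: str, now=None) -> str:
        """Record a pending signup and return the verification link to email."""
        now = int(now if now is not None else time.time())
        nonce = secrets.token_urlsafe(16)               # random, unguessable, single-use
        self._pending[nonce] = (email, purpose, source, now)
        payload = json.dumps({"n": nonce, "e": email, "t": now},
                             separators=(",", ":")).encode()
        body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
        return f"{BASE_URL}?token={body}.{self._sign(payload)}"

    def confirm(self, token: str, client_ip: str, now=None) -> bool:
        """Validate a token from a clicked link; True only if consent is now recorded."""
        now = int(now if now is not None else time.time())
        try:
            body, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        except (ValueError, binascii.Error):
            return False
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False                                # altered or forged link
        data = json.loads(payload)
        pending = self._pending.pop(data.get("n"), None)  # pop: a reused link fails
        if pending is None:
            return False
        email, purpose, source, requested_at = pending
        if now - requested_at > TOKEN_TTL_SECONDS:
            return False                                # expired: user must sign up again
        self._consents[email] = ConsentRecord(email, purpose, source,
                                              requested_at, now, client_ip)
        return True

    def may_email(self, email: str) -> bool:
        """Only confirmed addresses may receive marketing communication."""
        return email in self._consents

    def proof_of_consent(self, email: str):
        rec = self._consents.get(email)
        return asdict(rec) if rec else None


def token_from_link(link: str) -> str:
    """Extract the token query parameter from a verification link."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    flow = DoubleOptIn(secrets.token_bytes(32))
    link = flow.request_signup("alice@example.com", "weekly newsletter", "landing page")
    print("send this link by email:", link)
    print("confirmed:", flow.confirm(token_from_link(link), "203.0.113.5"))
    print("proof:", flow.proof_of_consent("alice@example.com"))
```

The pending nonce is removed on first use, so a forwarded or replayed link cannot confirm a second time, and an unconfirmed address never appears in the consent table, which is what `may_email` checks before any campaign is sent.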
Implement appropriate technical measures
GDPR is not only about data audits and consent. Technical and security measures are equally important as organisational policies. We live in an era where data has become a type of currency, and with the increasing number of data security breaches, you should implement strict external and internal measures. Although most security breaches occur due to outside threats, there are still numerous breaches that happen due to internal negligence or deliberate compromise. To show that you have considered and integrated data protection in all your processing activities, you will need to show that you have the appropriate security measures in place for incident prevention, detection and recovery.
The GDPR signifies changes that all businesses will have to adhere to, and specifically for performance marketing networks, it is important for all publishers to be more transparent about their data collection and usage practices, while ensuring all their processes are secure and in line with GDPR. Lastly, you should remember that 25th May 2018 is not the deadline, but the start of the new age of data privacy. We should all strive to create a sustainable and strong culture of compliance!