New privacy legislation requires radical change of direction
From May next year, companies will be required to fully comply with the General Data Protection Regulation (GDPR). It’s not just a new rule, but a privacy regulation with far-reaching consequences. The possible consequences for companies that have not taken this into account include falling far behind the competition and receiving large fines. According to Riens Koopman, Director of Data&Insights at Yourzine, marketers and the creatives they work with are not sufficiently aware of this. He therefore advocates taking on a Data Protection Officer. ‘If you haven’t started already, then it’s now high time to get started.’
What are the most important changes with respect to the current regulations?
One of the changes is the replacement of the Personal Data Protection Act with the General Data Protection Regulation, which will tighten up the current privacy legislation in many respects. This means you will have to devise a clear, transparent way of asking your customers and your website’s visitors for permission to process their data. You must then communicate clearly about how you use their data. This doesn’t mean thirty pages of dense, complicated legal jargon, but a short, clear explanation in comprehensible language. In addition, they will receive more rights, such as the right to indicate that they do not want their data to be processed. The voluntary aspect will disappear. In short, the legislation will become stricter and more stringent. If you do not adhere to the new rules, you risk receiving fines that could amount to millions of euros. The political system gave parties two years to make amendments. The final date is now less than a year ahead. If you haven’t already started, then it’s now high time to take immediate action.
Among other things, you’re advocating appointing a Data Protection Officer (DPO). Why is it necessary to have a DPO?
First of all, government bodies and public organisations are always required to appoint a DPO, no matter what type of data they process. This may include the national government, municipalities and provinces, but also healthcare and educational institutions. The compulsory appointment of a DPO does not apply to the courts.
Secondly, this requirement applies to organisations which follow individuals on a large scale as part of their core business. This might include activities such as profiling people to make risk assessments, camera surveillance and monitoring of someone’s health via wearables. The number of people that an organisation follows is relevant in this, as well as the amount of data an organisation processes and the length of time it follows people.
Thirdly, organisations are required to appoint a DPO if they process special personal data on a large scale as a core activity. Special personal data includes information about someone’s health, race, political persuasion, religious belief or criminal background.
It’s also worthwhile for companies to have their own specialist in the area of privacy, even if they are not legally required to do so. This should be someone who knows all of the rules and therefore also how to anticipate related issues. For example, it’s easy to develop protocols.
More generally, I suggest that companies should be made aware of the privacy legislation. This therefore also applies to all parts of your company, particularly the IT, Legal and Business departments.
A DPO costs money, and this raises the question as to whether it’s cost-effective for a small to medium-sized company to take on someone full-time.
It doesn’t have to be full-time as such; it could also be for two or three days per week, or on an external, ad hoc basis. It’s precisely among the SMEs that I notice there is inadequate awareness of the GDPR, probably due to a lack of experience and knowledge. That’s why it’s also important for SMEs to become acquainted with this issue quickly, and then act accordingly.
You talk about companies, but which sectors are you particularly targeting?
It’s relevant for all companies that process personal data, but I’m aiming more specifically at automotive, energy and electronics companies. For example, think about the IoT applications that they use, such as smart meters. These automatically give them a treasure trove of data, and for that reason it’s extra important to be much clearer about how to deal with this.
If it’s going to become so complicated, can you then also decide to make online marketing a less important part of your marketing mix?
Just as Procter & Gamble have completely stopped online marketing, at least for the time being. No, that’s not the solution. You can still be extremely successful with online marketing in the future. This is only about making sure that you do it in a relevant and transparent manner.