GDPR in Digital Marketing: Introduction to GDPR


Introduction to GDPR

Here at the Auténtica blog, we’re giving our readers the knowledge and tools to be able to confidently market their business online. We’re going to discuss GDPR and GDPR responsibilities in digital marketing. Understanding and complying with GDPR regulations should be treated extremely seriously, as the result of a data breach can be a severe fine.

What is GDPR?

The General Data Protection Regulation (GDPR) is a data privacy and security law that came into force on 25th May 2018.

It requires organisations to safeguard personal data and uphold the privacy rights of their consumers within the EU. (Kendal, 2021)

It is a piece of European Union legislation which must be abided by by any business that collects and stores information about EU visitors to its website. The UK is still regarded as included during the Brexit negotiations. To comply with GDPR, policies and legal measures need to be put in place to protect the customer data a business collects and stores.

GDPR in Marketing

According to GDPR regulations, personal customer data can be used by an organisation for marketing purposes if there is a ‘legitimate interest’: an interest held by an organisation or third party. It can involve anything from individual interests and commercial interests to benefiting society. The interest is compliant with GDPR if the business can “show that how they use customer’s data is proportionate, with minimal privacy impact, and that they would not be surprised or likely to object.” (Kendal, 2021)

GDPR Digital Marketing Responsibilities

In the food industry, personal information could include “information collected through loyalty card programmes, mailing lists and e-receipts.” (GDPR Update: Data Security in the Food & Beverage Industry Mason Hayes Curran, 2018)
For a website visited by EU customers, GDPR applies to analytics data, cookies, the EU cookies directive and the privacy policy. It also applies to data collected via social media marketing and email marketing. A digital marketer's responsibilities under GDPR can be categorised under five headings: data processing, data consent, data retention, data transfer and data deletion.

(Duffy, 2021)

In the case of data deletion, the consumer has the ‘right to be forgotten’ under GDPR.
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” (Wolford, 2021)
It allows the consumer to permanently remove their digital footprint from the systems of a company.

Consumer Privacy Rights

In a way, GDPR is a give and take process. For businesses, personal data can be used to analyse consumer needs and wants and then tailor their offering to cater to these aspects, which can increase the value of their product or offering. Presenting targeted ads that are more relevant to the consumers’ needs can build trust in the customer relationship and increase efficiency.
Customers, whilst giving up personal data, benefit from being presented with solutions to these needs in exchange.
GDPR fights to uphold a consumer's privacy rights. Under GDPR they are respected and empowered, as information about how their personal data would be used by an organisation is made available to them and presented in a way that is easy for anyone to understand. More control over the privacy and use of personal data was granted to the consumer, as they are now able to change these settings according to their preferences in a straightforward and accessible way.

Transferring Personal Data

Under GDPR, consumers can now download all of their personal data currently being stored by a company. In a paper from Sapienza University of Rome, Bufalieri et al. conducted an experiment analysing how 334 websites complied with GDPR in their procedures, specifically “websites that store personal data linked to identified users.” (GDPR: When the Right to Access Personal Data Becomes a Threat, 2020)

“In some cases, we requested both the data access and the data export. Comparing the two sets of data, we find that the data export has much more information. For instance, in the data access file only account information has been provided. Instead, in the file of the data export are present also details about every session we have done, the IP, and information related to our operating system and the browser. So it is unclear why this information is provided only with one of the two requests.” (GDPR: When the Right to Access Personal Data Becomes a Threat, 2020)

It's my understanding that, in this scenario, if a consumer only requested access to their personal data, any additional information held that is available in the download might not be disclosed in the access response, which is deceptive and goes against the principle of transparency behind GDPR.

An analysis of their internal procedures for sharing personal data revealed that the personal data could be vulnerable. “We received most of the personal data by email. 82 of these shared data as a plain file or a zip folder without using any security measure”, which they described as risky, particularly if sent to the wrong participant. According to this source, “sending personal data as an encrypted file is a best-practice encouraged by companies, universities, government authorities, or as part of the GDPR interpretation.” (GDPR: When the Right to Access Personal Data Becomes a Threat, 2020)
Security issues were also found when encryption did take place.
“We also found 3 interesting cases, where the controllers correctly encrypt the data and send the password on a different channel. However, a careful observer can quickly note that the passwords used to encrypt the data follow a pattern based on the requester data.” (GDPR: When the Right to Access Personal Data Becomes a Threat, 2020)
The pattern was taking the account user’s date of birth and full name to make the password, which I feel would be an open door in the eyes of a hacker.
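To show what a controller could check before sending an encrypted data export, here is an added example (not code from the original post or the cited paper): it flags a proposed archive password that embeds the requester's name or date of birth, and otherwise issues a random, requester-independent one. The requester details are constructed for illustration.

```python
import re
import secrets
import string
from datetime import date

# Constructed scenario: a data subject access request (DSAR) export is to be
# sent as an encrypted archive, with the password on a separate channel.
# Added example; the requester name and date of birth below are invented.


def pii_fragments(full_name, dob):
    """Lowercase fragments that anyone who knows the requester could guess.

    Name tokens shorter than three characters are skipped to avoid noise
    (e.g. initials); several common date-of-birth renderings are included.
    """
    frags = {t for t in re.split(r"\s+", full_name.lower()) if len(t) >= 3}
    frags |= {
        dob.strftime("%d%m%Y"), dob.strftime("%Y%m%d"), dob.strftime("%d%m%y"),
        dob.strftime("%Y"), dob.strftime("%d/%m/%Y"), dob.strftime("%Y-%m-%d"),
    }
    return frags


def password_leaks_requester_pii(password, full_name, dob):
    """True if the export password embeds a name token or a DOB rendering."""
    p = password.lower()
    return any(f in p for f in pii_fragments(full_name, dob))


def new_export_password(length=20):
    """Random alphanumeric password with no relation to the requester."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def choose_export_password(full_name, dob, proposed=None):
    """Keep a proposed password only if it is not derived from requester data."""
    if proposed is not None and not password_leaks_requester_pii(proposed, full_name, dob):
        return proposed
    return new_export_password()
```

The pattern the paper describes (name plus date of birth) is rejected by the check, and the fallback password cannot be reconstructed from anything in the request itself.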
 

Breaching GDPR regulations

A breach of GDPR regulations could result in a drastically high fine and severely harm the business's reputation, causing distrust amongst consumers.
In 2019 BBC News reported “British Airways is facing a record fine of £183m for last year's breach of its security systems.” (BBC News, 2019) It was issued by the Information Commissioner’s Office (ICO): “The ICO said it was the biggest penalty it had handed out and the first to be made public under new rules.” (BBC News, 2019) British Airways publicly declared it was caused by an attack carried out by hackers, which the ICO confirmed.
The ICO said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers. (BBC News, 2019)
One significant change that came with the new GDPR regulation was that the ICO “increased the maximum penalty to 4% of turnover. The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum.” (BBC News, 2019) For a small business, losing 4% of turnover could be devastating.

#GDPR #DataPrivacy #DataProtection #PrivacyRights #DataAnalytics

Author: Elizabeth Duffy
References:
Mhc.ie. 2018. GDPR Update: Data Security in the Food & Beverage Industry Mason Hayes Curran. [online] Available at: <https://www.mhc.ie/latest/insights/gdpr-focus> [Accessed 30 March 2021].
Kendal, N., 2021. Information on GDPR.
BBC News, 2019. British Airways faces record £183m fine for data breach. [online] Available at: <https://www.bbc.com/news/business-48905907> [Accessed 30 March 2021].
Bufalieri, L. et al., 2020. GDPR: When the Right to Access Personal Data Becomes a Threat. In: 2020 IEEE International Conference on Web Services (ICWS), Oct. 2020, pp. 75-83. [online] China: IEEE, p.2, 5. Available at: <https://eds.a.ebscohost.com/eds/detail/detail?vid=0&sid=4be0b9b9-39ba-49bc-94f6-177c64432b31%40sdc-v-sessmgr02&bdata=JkF1dGhUeXBlPWlwLHNoaWIsY29va2llLHVybCZzaXRlPWVkcy1saXZl#AN=edseee.9283991&db=edseee> [Accessed 31 March 2021].
Wolford, B., 2021. Everything you need to know about the "Right to be forgotten" - GDPR.eu. [online] GDPR.eu. Available at: <https://gdpr.eu/right-to-be-forgotten/> [Accessed 31 March 2021].
Duffy, E., 2021. Responsibilities of a Digital Marketer for GDPR Compliance. [image] Available at: <https://www.canva.com/design/DAEaUrvTBk8/EKVnNDa0StmXrR6wjQRKeQ/view?utm_campaign=designshare&utm_source=sharebutton> [Accessed 1 April 2021].
Sources:
Photo by Jack Sparrow from Pexels
Photo by Lawrence Suzara from Pexels

Comments

  1. Thank you for writing this article, it is informative and useful, particularly the 5 categories of responsibility for a digital marketer.
    It is a good point that GDPR is beneficial to both customer and marketer in that it allows more relevant and effective content to be shared with customers.

  2. This was a really interesting piece - slightly worrying to read how easily one company's solution to a secure password can be guessed (full DOB & name) and the zip/plain folder scenarios - as we've seen too many times, all it takes is a typo in the email address and files go to the wrong person. Thanks for writing this!

  3. Author Deirbhile


    The restaurant sector has experienced substantial changes and effects from the global pandemic. One of the new major changes is the responsibility to comply with customer track and trace rules for each and every customer a business has. This presents restaurants with a new source of customer data collection; as data protection is a human right under the GDPR guidelines, any customer information that is stored in a public place must be safely stored and not visible to other customers. Restaurant owners should consider implementing a strong approach to gathering this customer information in order to avoid any fines when they all safely reopen.

  4. That was a very well-written and informative piece, thank you. While GDPR can be a difficult field to navigate for businesses, it is important not to forget that it does have some benefits for businesses as well as the consumer.
    Levels of compliance and consideration for the customer's privacy can be worn as a badge of honour and increase the reputation of any brand with its audience.
    GDPR compliance also encourages companies to filter out any irrelevant or non-compliant consumer data, allowing customer relationship management (CRM) tools to hold a much more refined and relevant data set and allowing for more effective marketing. (Kendal, 2021)

    Reference:

    Kendal, N., 2021. Information on GDPR.
