We are at the implementation stage of GDPR, and in London, the center of the European advertising industry, people are finally coming to grips with the notion of fines. Our friend Kevin Marks attended the #GDPRInnovation event at Digital Catapult and did an admirable job of live tweeting the remarks of some of the speakers.
James Leaton Gray, head of the Privacy Practice, used to be head of the BBC’s Information Policy and Compliance Department, in the BBC’s Legal section. There he oversaw the operation of the Corporation’s systems for compliance with the Data Protection and Freedom of Information Acts. Before he left the BBC he led the development of privacy and data governance for myBBC as it developed its big data capability. He also provided expert advice on media and privacy and lobbying for the proposed EU GDPR. Here is Leaton Gray’s take on what’s coming for the EU and by extension the UK and US.
The GDPR fines have gotten boardroom attention, when those of us wittering on about data for years have been ignored. But more significant than the fines is GDPR stopping you from using your marketing database without new consent. Because the Data Protection legislation is principles based and does not tell you exactly what to do, we are used to asking all sorts of questions and not being sure how we use it; vendors are still selling databases that can’t be updated. But GDPR extends the Data Protection principles, and now the use of data must be Fair, Lawful and Transparent too. Most existing media systems are not transparent at all. Transparency means you need to tell people why you are collecting the data, how long you’ll keep it, what you will use it for, and explain it in clear language, not legalese.
The Data Access Rights mean that you need to enable people to correct and erase data you hold on them, and export it. And if you use the right to erasure, you will also be taken off the marketing suppression list, so you will get untargeted marketing. Consent is not specifically defined to be ‘freely given,’ meaning it can be withdrawn. It also needs to be affirmative, so it’s no longer possible to use default checked checkboxes. Instead, what we need is Privacy by Default – we get there through Privacy by Design, after doing a Data Protection impact assessment.
While the public sector already has data breach mandatory reporting, it is new for the private sector and needs planning for. There is data everywhere; we are swimming in it and we don’t always notice when a bit goes missing. We now need to know that.
The Journalism exemption to GDPR is a bit of a tricky boundary; marketing of programs is not covered by a journalism exemption.
As media we are used to people talking to us. We ask for comments and get them. In the longer term will media want to talk to people more? As we move from broadcasting to more personalised streams, we need information about the audience to provide that personalization. But as companies have to send out GDPR marketing re-consent emails, they are having to give consumers incentives to sign up again.
People are realising that they need an intermediary between them and news or information, but it no longer is our media organisations. We have seen trust in online services drop over the past ten years. But if we want trust we need to be transparent about records of processing, where the data is, how it flows, retention schedules, breach notifications.
And some media companies are asking “Do we need this inaccurate data from adtech? Could we do it ourselves?” Of course they could. But will they?