GDPR - is it good or is it bureaucracy?

July 24, 2016 1:43 PM

Leighton Jenkins responded to my Secret Sauce presentation on Slideshare with this question about the new EU General Data Protection Regulation (GDPR):

“GDPR – is it good or is it bureaucracy?”

tl;dr / exec summary:

GDPR introduces a ton of new bureaucracy for Marketers that may require a lot of effort;
however, with a bit of forethought, you can make this situation work for you.

Leighton asks a seriously good question that deserves a lot more than a 140-character reply. So here’s the Issues, Impacts & Options analysis:

The Issue: does GDPR involve more Bureaucracy for Marketers?

Yes. There’s absolutely no doubt about this.

The full wording of Recital 82 is:

In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

For those still in doubt whether record-keeping and documentation is important, Article 30 is entitled “Records of processing activities”.

Paragraph (1) states:

“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.”
(Specific details follow in sub-paragraphs a to g.)

Paragraph (2) clearly states that each data Processor

“… shall maintain a record of all categories of processing activities carried out on behalf of a controller”.
(Specific details are described in sub-paragraphs a to d.)

The Impacts for International Marketers with EU Customers

First:

Let’s remember the context. The Recitals and Articles of GDPR refer to the storage, processing and monitoring of the Personally Identifiable Information that belongs to EU citizens.

Second:

It doesn’t matter where in the world the processing is done or who it is done by: if the data refers to an EU citizen, the law applies to you. CMOs of international businesses, please take note.

Third:

Let’s bear in mind that EU law takes a very broad view of what constitutes Personal Information. So broad in fact that the safety guideline that I recommend to Marketers is: “treat all Data about EU Customers as Personally Identifiable Information” – especially when working in the context of Personalised or One-to-One marketing.

Now for the big one:

In case you were hoping for room to wriggle – forget it. Article 30, Paragraph 3 states:

“The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.”

In plain language: any marketer who crunches data that can be personally identified as belonging to an EU citizen must document pretty much every Touchpoint in writing.

The summary is this:

  • To date the Marketing profession has – by and large – been pretty much free to get on with its job without any obligations to record or document activities, or to prove compliance with the law to external bodies.
  • For those Marketers who ‘analyse, process or monitor’ data of EU citizens, that situation has now changed radically.
  • Record-keeping will be part of the daily grind from May 2018. And those records must be available for inspection by EU Data Processing Authorities ‘on demand’.
  • Marketing departments that communicate into the EU must now address compliance with GDPR in much the same way that Finance departments have had to comply with Sarbanes-Oxley.

IMO:

GDPR accelerates a huge culture shift for the Marketing profession.

We were already on the road to Accountability via measuring results and calculating RoI. As well as having that carrot in front of us, we now have the Compliance stick behind us and a firm deadline for implementation.

The Stick, by the way, is the administrative fine for non-Compliance applicable after May 2018. In the case of Article 30, the fine can be up to € 10 million or 2% of global turnover – whichever is greater. (See GDPR Article 83.)

The Options for CMOs

Does not Apply

Paragraph 4 of Article 30 uses tortuous language to describe a set of conditions that might offer a let-out. You’ll need to discuss that with your lawyer. Good luck.

Argue with the Fine Print

You could try arguing in court the difference between the “should maintain records” of Recital 82 versus the “shall maintain a record” of Article 30, but to be frank, you’ll probably need very deep pockets and even then the chances look slim. Again: ask your lawyer.

Set limits to What needs Documenting and How to Do It

Working with your lawyer / Privacy Officer on this sort of strategy is probably a very smart idea. Raise the subject now (end July) and your company legal counsel may be able to fit in a meeting around September. (Yes, they are that busy). Use the 4th quarter 2016 to work with them to define the Action Plan and use 2017 to implement the Processes that must be in place by 2018.

The MarTech – Privacy Collision

CMOs of Mid-sized organisations or EU Divisions of global corporations should be warned that Corporate Privacy Officers will possibly blow a gasket when they begin to see the extent and depth of Personally Identifiable Information in your MarTech Stack. Currently, relatively few lawyers have any great understanding of the implications of One-to-One Marketing. These meetings will require stamina and diplomacy on both sides.

Make it work for you

By raising GDPR Compliance as a ‘no-option’, ‘must-have’ strategic issue for the entire company at Board level, CMOs can set priorities and allocate resources for 2017 budgets. If you miss this budget cycle, there will be precious little time – just January to May – to become compliant in 2018.

CAVEATS:

  • Crafted with care by a Marketer for Marketers, but use at your own risk.
  • None of this constitutes legal advice.

Copyright Andrew Sanderson July 2016