If you're part of an EU based organization - or even one that interacts with an EU-based organization - May 25th of next year (2018) will be a pivotal moment for you, or at very least for your IT and marketing departments. That's the date when the General Data Protection Regulation (GDPR) goes into effect. If the acronym isn't familiar to you yet, rest assured that it will be soon.
By Mike Giambattista
ITProPortal dissected the new regulations and provides this primer for those of us who will be charged with managing this massive change in the way organizations capture, store and manage their customer data. According to Jeremy King, International Director, PCI Security Standards Council:
"The new EU legislation will be an absolute game-changer for both large organisations and SMEs as the regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs."
The new GDPR regulations requires business to get the user’s consent to capture, store and process any data that might be use to individually identify the person. Complying with new regulations can be a challenge, but tracking shifting sands over time to remain in compliance is wholly treacherous. You see, GDPR allows the user to change their consent status in a fine-grained manner at any time and with ease. User ID elements include their name, email address, and phone numbers.
"One of the major data privacy issues the GDPR will penalise you for is if you unintentionally build a more complete picture of the user than you need to."
Note the use of the word "unintentionally" there. The implications to the use of that particular word are monumental. Money quote #2:
"This might happen if, for example, you store a cookie in a user's browser (for which you need their consent) and then link their mobile and web browsing data together in the cookie. This can unintentionally create a Personally Identifiable Information (PII) string of data about the user, even if you don’t actually know who they are."
Or, even more importantly for those of us working in the loyalty world … "This situation can get more painful in retail, where, for example, the retailer might capture user data in a physical environment with loyalty schemes, and combine them with their online e-commerce platform - without adequate user consent."
That"s not to say that collecting this information and combining it with other supplementary data sources is necessarily a violation. Rather the storage and usage of such compiled profile data is going to require many organizations to re-think their data policies.
Mike Giambattista is Managing editor at the Wise Marketer and is a Certified Loyalty Marketing Professional (CLMP).