Recently you may have noticed your inbox filling up with pleas from companies and newsletter-senders the world over, asking you to confirm you’d still like to receive their missives.
The inundation is owed to Europe’s General Data Protection Regulation (GDPR), a set of rules governing how businesses operating in the European Union must handle data. The new rules were originally adopted in 2016, giving governments and businesses a two-year transition period to get their ducks in a row. GDPR officially comes into effect May 25.
The regulation is not just about confirming email subscriptions. GDPR sets out important new rules that seek to rein in some of the data that companies and governments have been collecting on individuals. Once the regulation is implemented, it will inherently change the game for marketing departments whose purpose is to compile and interpret data analytics to gain a strategic business advantage.
For instance, in order to continue collecting and processing people’s personal data, organizations now must seek out express consent by explaining what they want to do with, and who will have access to, the data. Meanwhile, the right to be forgotten enables people to steer the ship on data collection by allowing them to withdraw their consent at any time and request their data be erased.
We spoke with Aquent privacy director Martin O’Malley and Peter Lincoln, the company’s information security director, about how GDPR and other new privacy regulations are reshaping business around the world.
Q: Let’s start off with an easy one: What do you think about GDPR?
Martin O’Malley (MO): I think it's wonderful. I think it's a very well-thought-out regulation; it's not prescriptive in what you have to do like a lot of laws are. It's principles-based legislation, so you do what's right for the business considering the regulations that you're working in. If you have a very conscientious employer who's trying to do the right things, you should be in compliance and create a better trust model between your clients and your talent.
Peter Lincoln (PL): I think these regulations are always well-intended, but their outcomes are frequently best evaluated after they have been in effect for a while. Overall, the European Union right to privacy benefits all European Union citizens and it’s something that would be nice to see adopted globally.
Rules and regulations like EU-GDPR can help my cause in trying to push things along [on security initiatives], but in the same breath, they can also cause organizations to focus on just the rules themselves, rather than understanding that these laws and regulations are based upon existing standards that have been in place for a while. I try to maintain focus on the underlying standards (e.g. ISO 27001, NIST, COBIT, etc.). If organizations focus on adopting at least one of the standards that are out there, they'll be well-prepared for any regulation.
Q: GDPR formalizes a lot of piecemeal laws that were in place for years in the EU and its member states, by consolidating them into one cohesive framework. How are companies impacted by these changes?
MO: On a continental level, the EU is recognizing privacy as a human right. They want companies to be looking at data, not just from a security perspective, but throughout the company's whole operational structure — whether it's sales, whether it's marketing — and how they're processing and protecting the data.
The biggest thing from a U.S. company's perspective is: How do we respond to these requests from individuals to have their information deleted or modified, or just to know what we are collecting about them? That's a new concept that's embedded in GDPR.
Q: American privacy laws haven’t yet been overhauled to reflect current technology. Will GDPR have a positive impact on privacy and data security rules in the U.S.?
MO: When it comes to privacy, the U.S. takes a very sector-based approach. There's the Gramm-Leach-Bliley Act, which focuses on privacy rights in the financial world. There's HIPAA, which focuses on the medical world and privacy. I just don't think there's any appetite in Washington for major privacy legislation, and maybe that's OK, considering the way we operate. All 50 states plus Puerto Rico now have some kind of privacy breach notification laws. We also should note that California actually has on its November ballot a privacy regulation that would be like a GDPR-lite.
Q: Privacy rules like GDPR are often framed as a downside to business, but there are some advantages to being a leader on privacy in business, right?
MO: The GDPR final regulation has been out now for several years. Last year, Japan revised its privacy regulation (Act on the Protection of Personal Information) to align with GDPR — so, Japan is actually ahead of the curve as far as privacy rights and regulations, and that gets very little attention in the U.S. Aquent has four offices in Japan, and we're very interested in the Asian market.
The EU has adequacy tests to see what countries you can transfer data to. Japan will soon probably get an adequacy level that would allow companies to transfer data to Japan from Europe without any agreements, because their national privacy regulations are so strong. A few years back the U.S. attempted to get adequacy recognition, and it failed miserably. So, that's going to be a big win for Japanese businesses dealing with Europe.
Q: How can companies that work with freelance and temporary creative and marketing talent get a handle on GDPR and other privacy regulations?
MO: It starts with training. At Aquent, we revamped our training in order to address GDPR and to make our customers and staff more aware that we're entering a different world.
At Aquent, our creative talent are very much part of the company, and they're very important to the company from a privacy perspective. We tend to think of their privacy, their data, in three main points: Control — we never sell their data to a third party. It's all controlled by Aquent. If they wanted their information deleted even before GDPR, we would respect that. Second, we like to inform the talent, as much as possible, what we're doing with their information. Thirdly, Aquent is very much accountable for doing what we say we do. If we say we're doing something with the creative talent’s data, we'll make sure we're doing so.
PL: I think this is kind of reminding me of my concerns about all these laws and regulations, and this I think is particularly pertinent to creative and marketing staffing. With all the laws and regulations, there's this intense, laser focus on PII (personally identifiable information). One of the topics that is important for our clients to be aware of is that there's a whole lot of other valuable information for an organization that's not personal — their brand, their plans for their branding, all that proprietary information — that is very valuable. Clients should take that just as seriously, because once you lose control, you can never get it back. It's best for the clients to figure out how they're going to work in a staffing environment prior to going down that road.