With approximately nine months to go before the General Data Protection Regulation, or GDPR, takes effect on 25 May 2018, many brands have wrapped up the assessment phase of their readiness projects and are well into the internal process change phase.
While that work is getting done, Privacy Officers are rightly thinking about the final pieces that need to be put in place, namely how to be transparent to their consumers about their data practices—what the company collects and how it uses that data—while also giving the individual an easy to use way to actually control his or her data.
Afterall, that’s the whole point of the GDPR, to give control over personal data back to the individual. If an organization doesn’t do this last bit, then the millions spent on analysis and process-change has been a big waste of money.
Transparency is tricky and sometimes a bit amorphous because you have to meet a lot of legal requirements (thus, the lawyers and pervasiveness of legalese), while also balancing how to speak clearly and simply about your data practices. I should know. I’m the privacy lawyer at Evidon, which has built its business on helping companies solve that tricky problem.
While it’s difficult to argue against transparency as a business practice, it’s codification into law makes it a quantifiable risk for companies subject to the GDPR so the gravitational pull toward legalese is great. However, managing risk with dense legalese doesn’t work so well as a communication strategy with your consumers and I understand that as well.
Given this paradox, is a privacy policy the gateway to transparency?
Certainly, some will decide yes and will make sure their new privacy policies, have all the right GDPR disclosures. But that really isn’t transparency in the common sense understanding. Really, that is legal transparency and good luck with that. It’s the wrong approach. There are other options out there. Some companies will build their own transparency tool. And then there is a host of private sector transparency solutions hitting the market, including Evidon’s Universal Consent Platform.
If an organization wants to comply not only with the letter but also the spirit of the GDPR, then it should consider not only making the necessary changes to its privacy policy, but also having an external facing and easy to use tool that clearly communicates — in plain language — what it’s data practices are and how consumers can exercise their new rights. That’s consumer transparency and it’s a very different beast than legal transparency. This consumer-facing transparency tool is the consumer’s bridge to the GDPR. Like most bridges, it also goes in the other direction, so it acts as the company’s bridge to the consumer as well.
Quite likely, we’ll see transparency platforms emerge and evolve to become the primary collaboration tools between companies and their consumers.
But before we get to the future, let’s deal with the present, and that means getting transparency correct. Once that is in place, then the complex GDPR flow of obligations and rights can naturally follow. For example, by definition, a person can’t provide valid consent unless she is first informed what she is consenting to. Therefore, transparency, another name for notice, must precede consent, and by extension all consumer choices, such as exercising the new individual data rights, and managing the data an organization or its partners collect about her.
Actual consumer-friendly transparency will be the last solution deployment for many organizations, but probably the most important. Simply put, it will be the most important thing a company does because GDPR enforcement by the EU’s greatly empowered data protection authorities, will come first and foremost here. It’s low hanging fruit for them. It’s what they can most readily see–all they need to a browser and time to tick from website to website or app to app. At each stop, they’ll look for a consumer-facing transparency tool layered on top of a rights management platform so the consumer can give or withdraw consent and do all the other things she’s entitled to under the GDPR.
Getting on the regulators’ good or bad list will be binary. If you end up on the bad list, potential fines could be up to €20 Million or 4% of your global turnover, whichever is more. Whatever the amount, it will be a painful moment for the privacy officer when she explains to her CEO and Board of Directors that the company was fined because it didn’t have a communication tool in place.
Also read: Is Whitelisting a Win-Win for Brands and Influencers?
Comments are closed.