In the last couple of weeks, you may have noticed that every man and his dog have been receiving ‘Privacy Policy Update’ emails from all the companies they have ever shared their contact details with – either to join an email distribution list, or simply to receive news updates. These emails have been so popular, there has even been a Spotify playlist created in their honour.
(‘I Love GDPR’ playlist courtesy of Popjustice (https://open.spotify.com/user/popjustice))
The European Union’s new General Data Protection Regulation (GDPR) is the main reason behind these emails.
“But we’re not in the EU!” I hear some of you say. Well, every single company around the world that has ever dealt with EU residents – or may deal with them in the future – is expected to comply with this regulation from its enforcement date: 25 May 2018. Otherwise, companies may face hefty fines of up to 4% of annual global turnover, or €20 million (whichever is greater).
Since fines of this size are a very powerful reason for compliance, companies around the world have been scrambling to update their privacy policy statements to meet GDPR requirements. The full text of the Regulation can be reviewed here, but the breaches it penalises most heavily come down to two things: processing personal data without sufficient customer consent, or violating the core ‘privacy by design’ concepts.
Importantly, the concepts of ‘consent’ and ‘privacy’ are cornerstones of the GDPR. From now on, ‘consent’ must be given for any processing of personal data via an easily accessible form written in plain language (i.e. as opposed to an illegible ‘Terms and Conditions’ document), and this consent must be as easy to withdraw as it is to give. Equally, ‘privacy’ now includes the concept of data minimisation – collecting only the data strictly necessary for the purpose at hand – when processing customers’ personal details.
So, what does this mean for communication professionals? We have the responsibility to advise the business and work with departments such as IT and Legal to ensure that our privacy policies are thoroughly reviewed and updated. That said, the main purpose of this should not be just to avoid the huge non-compliance fines. Ensuring that appropriate consent is given and respecting the personal data of our customers is the right thing to do from both an ethical and a moral perspective.
I personally believe that we should take this opportunity to ‘do the right thing’ and build a better relationship with our stakeholders in the process. By embracing the principles of GDPR, our companies might find a new and powerful way to increase people’s trust and respect, feel more confident, and enhance our reputation in the marketplace.
(These are my own views and opinions on this matter. This article is not intended as legal or professional advice.)
PS: And here’s a thought-provoking GDPR case study on Santa’s data collection practices.