Focusing on legislation or business? That’s the question

Bas ter Burg is managing partner of Add to Favorites, a company that guides organizations in effective communication with customers through channels such as email. Additionally, ter Burg advises organizations about privacy laws. “There is a huge demand for people who understand both theory and practice. From practice I know: almost no one has got their ducks in a row. Most marketers just don’t find privacy law sexy and fear losing revenue.”


Need for experts
“For the past fifteen years, I have dedicated myself to thoroughly understanding everything that has to do with privacy laws. For example, the Personal Data Protection Act which is now the GDPR, or the Telecommunications Act which will soon become the ePrivacy Regulation. These laws are closely related to an important field of Add to Favorites, email marketing. Purely out of personal interest, I took a deep dive into the field of privacy laws. In addition, there was a demand for practical experts. Legal experts generally are far too theoretical, meaning they don’t always understand the marketer, and vice versa.”

A hundred different answers
“I have noticed many businesses don’t provide their marketers with guidelines on how to interpret the GDPR. The GDPR was settled in workgroups and behind closed doors, but not with the people who have to work with this matter on a daily basis. Marketers have had to seek information elsewhere. Consequently, if you ask a hundred people the same question on privacy laws, you will get equally as many different answers and interpretations. My advice therefore was and still is to organize awareness sessions from your own interpretation of the law. This interpretation should be your guideline, not the one from competitors. You are after all responsible only for your own business, not someone else’s.”

Boring
“The GDPR is a complication marketers did not need. Privacy laws are boring, everything but sexy; they are a burden. Specifically, there are many things that are not allowed. But this attitude is not fit for a professional. Particularly, when you are specialized in email marketing or digital advertising, you have to at least know how to test your cases. A smarter attitude would be knowing what is allowed.”

Keep your promises
“Another issue I frequently come across is the fact that many companies have explained their privacy policies in a privacy statement and think the work is done, but they often forget they also need to solidify these processes. A perfect example is the email organizations have massively been sending in the past few weeks, with the announcement they have adjusted their privacy policy. This policy makes promises that now have to be kept. For example, the GDPR states that everyone has the right to see their data, which is perfectly copied into most companies’ privacy policies. But what happens when a customer actually requests to see their data, to delete their data, or to transport it to a different supplier? Do you send these details to the customer in an email? And how do you know this customer is who they say they are?”

In practice
“In daily practice, one will often come across the following issue: when a marketer has an acute problem and is working with preferred suppliers who don’t have time to help out, they will look for a party who is able to solve the problem. Marketers are very pragmatic when it comes to this. However, the marketer may not realize there might not (yet) be a data processing agreement between their own company and the other supplier party. Personal information will be shared via email, and thus counts as a data breach. Officially, procurement is responsible for these agreements between the different parties; however, they will not be aware of the above situation since procurement becomes relevant only for bigger assignments.”

Simple checklist
“Marketers should therefore know exactly what details to assess, before sharing data with a party that is not a preferred supplier. For example, check if this party is Dutch, whether there is a policy for securely providing data (aka, not via email), and if this party hosts data within the EU. With a simple checklist, you have these questions tackled in a matter of minutes. At a later stage, you can formalize business, once there is more time.”

Future challenges
“I am curious how we will respond to assignments that aren’t GDPR compliant. Suppose we are approached by a large (existing) customer asking: ‘I have a large file of addresses, but I’m not sure how I got it. Can you send an email to all these addresses?’ Your answer to this question should obviously be no, but what if this customer threatens to transfer to a competitor? This is a dilemma many marketers, organizations and suppliers struggle with because it touches upon their raison d’être. The issue is thus legislation versus commercial interest. This was already the case but has now become more and more urgent. I wonder if we will all be tough enough to say no. I hope we will.”

Conclusion
“Organizations should determine how they want to interpret and implement the law. At most you will have to argue with the Data Protection Authority whether your way is the right way. In any case, if you lack a privacy policy, you are one step behind. If you have drawn up a protocol, but it could be more solid, you will get away with a warning and have some time to tidy things up before you have to pay up. But having no arrangements is killing for your business.”
