Join David Booth for an in-depth discussion in this video, Designing and defaulting to privacy, part of GDPR for Marketers.
- Privacy by design is a concept that has existed for quite some time and that the GDPR formally requires. It basically means that whenever you're building something that has the potential to come into contact with personal data, you default to the necessary precautions and safeguards from the very first iteration. This means that when you're releasing a new app or redesigning your website, deploying a new customer relationship management system, adopting and implementing a new technology, planning a new campaign or anything else, you'll need to ensure that privacy is part of that very first step.
While there aren't necessarily any technical specifications or explicit directives laid out, the GDPR's Article 25 does make it clear that you'll need to architect your systems to make sure they're as secure and compliant as possible right from the start and not as a bandaid of an afterthought. Specifically, the language talks about taking technical and organizational measures like pseudonymization in order to implement data protection principles like data minimization.
This means a few things for the average digital marketer. First, when designing and launching anything new, you need to ensure that you build the safeguarding of any personal data, and we've talked about what that means with respect to data security, encryption of any IDs, anonymization or pseudonymization, protecting your various collections, storage, and processing systems, things like that. But it also has some philosophical implications. In the past, marketers widely tried to balance getting all the data they could from someone with outright rejection.
And often, a lot of that data was simply stored away somewhere in case it might become useful later, meaning there wasn't an actual plan for using that data. It was just collected because it could be. Under GDPR, this is no longer an option. Both the overarching theme of collecting only the data you need as well as the granular consent requirements dictate that you'll need to tell users exactly what you plan on doing with exactly what data. And that means when designing new marketing assets, campaigns and other initiatives, you won't be able to process any more data than is necessary to accomplish those tasks.
Last, privacy by design can be an opportunity to ease some of the other elements around the GDPR that we have discussed. If you're designing new systems to allow for transparency, access and even updating of personal data, you'll be one step closer to complying with data subject rights and consent management. And if you've already adopted a privacy by design approach, then the good news is that there's not likely to be a tremendous amount of additional work for you to do. And by taking these steps towards respecting data privacy, you're probably gaining some trust and goodwill from those you interact with.
Remember, this whole concept predates the GDPR. It's just that now, the GDPR makes it the law. If you haven't, then a good place to start is working with the appropriate teams and resources inside and around your organization to develop checklists and audit processes for both your own use and to keep your vendors and other data processors in check. Putting privacy at the beginning of any new endeavor will not only reduce future costs and ensure compliance here, but it will also ensure that the data subjects you interact with build and expand trust in your organization and what you're doing with the data that they let you access.
- Define “personal data.”
- Name three data subject rights provided by GDPR.
- Recall the steps that need to be taken to comply with GDPR.
- Explain “privacy by design.”
- Identify the responsibilities of a data protection officer.
- Recognize the steps required to audit your data and processes.