So GDPR is one of the hottest trending terms in Google right now of interest to those of us doing things with data that might in any way touch on Europeans. Assuming, that is, that we intend to keep doing it after 25 May 2018.
As with any regulatory initiative, there’s just no two ways about it– you have to figure out how your business is going to comply. For GDPR this is true of just about any company that has customers or other stakeholders who are “natural persons” (i.e. not corporations)… It’s doubly-true for technology vendors who sell products into the data racket, especially those used to work with customer data.
Companies are mostly coming at this in one of three ways:
The Wrong Way — panic. a popular posture, among those who are now racing to learn to spell GDPR.
Don’t panic. Panic is not a good look for you. And besides, if you do you might be tempted to kid yourself that somehow this doesn’t apply to you, or that it’s somebody else’s problem.
It applies to you, in principle (which is what matters in the law), if anyone from Europe ever comes to your website or uses your app. Even if that person from Europe is not in Europe when they interact with you.
You can stick your head in the sand and take your chances, but violations are a big deal– 20M Euro fine big. And your customers will look at you like these two over on the right.
So that’s probably not how you want to do this.
That leads us to the really wrong way: passive-aggressive, minimal, even malicious compliance.
Marshawn Lynch (an American footballer, if you’re someone who doesn’t follow) may have embodied the credo “I’m just here so I don’t get fined” in NFL-mandated pre-Super Bowl press “availabilities” a few years ago. And he rubbed a lot of people the wrong way doing it. But he did it from a place of deep authenticity, which made it admirable, and from a position of actually delivering Beast Mode for nine years on the field.
“Beast Mode” for GDPR would be having all this worked out by January 2018, so if you’re reading this now, you’re not Marshawn Lynch. And more importantly, taking this attitude to customers’ data privacy internally will set you up to do things that a) undermine your interests and your relationship with your customers’ b) can get you fined.
So that leaves us the right way.
Take the attitude that GDPR exists for a reason. Your customers have right and reason to be distrustful of you, and many companies like you. There have been a lot of bad actors out there who have broken trust with customers by making distasteful, dangerous or even criminal use of private data.The Right Way: Now, this is going to sound like so many platitudes, but… it’s true, it’ll work. Or at least it will play better than the other two alternatives.
- Tracking your web activities, your mobile device usage (including location), your social media presences, your purchase habits, your medical history, all manner of things–
- Profiling them based on that data, and then acting on any resulting predictions in ways that materially affect someone’s finances, employment or legal status
- Engaging in discriminatory practices (such as only showing job ads to people in a certain age range or baking our own impulses into a data engine across
- Or just being massively negligent in the processing and storage of such data, to the point where most of the adult population of the US has their private data stolen (I’m looking at YOU, Equifax).and the company can’t even figure out exactly whose data was stolen or how much detail the thieves got. And given that, realize that trust with personal data must be earned.
The rollout of GDPR is a crisis but an opportunity, for all brands big and small: a chance to acknowledge that in this moment, your customers have legitimate worries about their personal data, and to distinguish yourself in their eyes by driving home the message that your data handling practices reflect a core commitment to your customer, rather than your own fear of liability.
So while GDPR will be a disruption, and in the near term the goal is to get as compliant as possible, ask yourself as you formulate and implement your response, “how can I use this disruption to my normal processes to make sure my people are honest and treat customers honestly and fairly?”
- Familiarize yourself with the rights of the data subject (your customers), and really think through what those mean in your industry, and in all the ways that you use customer data to market your service and to deliver it. (Lawyers can advise here, but it really takes the stakeholders who understand, control and operate your products and your marketing practices to do this review.)
- Think about what it can mean from a product offering or service offering standpoint. Think about an experience that helps drive home the idea that your customers’ data, regardless of who controls or processes it at various stages, is being processed only in line with their consent and only to help you meet their needs better. (And hold yourself to that standard.)
- Show them what you have collected, from where, and for what purpose. Make it easy to discover those disclosures, and to access features like reviewing all their data, in a form that they can understand..
- Show them that they can withdraw their consent at any time– you will forget them, correct their info, or stop using the data, at their say so. Make this attitude normal.
In the short term it takes a lot of effort, and some of it may seem counter-intuitive. You may feel like you’re not exploiting your data to the fullest. But isn’t that word “exploit” part of the problem? Just have some empathy for your customers, and ask yourself what will really make them come back. Make the move to a new model of privacy protection for your customers a win-win, and over time your relationship with customers will be stronger and the wins will multiply.
Now get at it.