What Digital Marketers Need to Know About GDPR

By Joanne Sweeney 6th October 2017 Data Privacy, Digital Marketing, JS Talks Digital Podcast Leave a comment

JSB Talks Digital Podcast #68

JSB Talks Digital is a weekly digital marketing and social media podcast hosted by author, strategist, consultant, speaker and trainer Joanne Sweeney-Burke. Each Friday Joanne shares her digital marketing and social media insights from her work as CEO of Digital Training Institute.

SUBSCRIBE HERE

In this episode of JSB Talks Digital, I’m focusing on GDPR, the most important change in data privacy regulation in 20 years.

Coming up in the podcast:

In social media news:
- You can now cross-post Insta Stories to Facebook Stories;
- Instagram adds polls in Stories; and
- Google reveals a suite of new Pixel products, prepared to be wow’ed!
I interview Derek O’Neill, Global Security Lead at Nitro Software
Ask JSB
In shout-outs: Three frequently asked questions about GDPR
In JSB’s column – How to collect data with data protection in mind
Find out what privacy tool saved my working week

Listen to this week’s podcast:

LISTEN: What Digital Marketers Need to Know About GDPR #JSBTalksDigital Click To Tweet

Social Media News

You can now cross-post Insta Stories to Facebook Stories

Things just keep heating up in the world of social media! News this week that we can now cross post our Insta Stories to Facebook is sure to shake up the world of dark social.

Speaking to Techcrunch, Facebook said:

“You now have the option to share your Instagram Stories to your Facebook Stories. We’re always working to make it easier to share any moment with the people who matter to you.”

While you can’t do the reverse, posting Facebook Stories to Instagram Stories, Facebook hasn’t ruled out building that in the future.

Instagram adds polls in Stories

Instagram has added a new engagement feature to Stories. We can now a conducting polls. Not only that, we can make creative use of stickers with live results from your followers as they participate.

Nice work Instagram! Jump over to @jsbgrams right now to see my poll on Stories.

Google reveals a suite of new Pixel products, prepared to be wow’ed!

It was a really big week for Google as it revealed a series of second generation products known as Pixel, at a launch event in San Francisco.

Here’s the shopping list of what was unveiled by company CEO Sundar Pichai.

Two smartphones
Three smart speakers
A laptop
A stylus
An upgraded virtual reality headset
A pair of wireless earbuds that can translate a conversation in real-time.

What’s the common denominator for all these products? They all connect to Google Assistant, the artificial intelligent helper!

Interview | Derek O’Neill, Nitro

In today’s show I interview Derek O’Neill, Global Security Lead at Nitro Software.

I caught up with Derek at their offices in Dublin and I asked him about GDPR and the implications for organisations of all sizes.

Derek is also a member of the Information Systems Audit and Control Association and former chair of the Irish Information Security Forum.

Tune in to listen to interview

My favourite quote from our chat

Learn about GDPR and the implications of it for organisations of all sizes #JSBTalksDigital Click To Tweet

Read transcript of interview with Derek below

Q1: The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years What is GDPR in simple terms?

It is the EU’s (European Commission) attempt to unify data protection within the EU through a single law – the General Data Protection Regulation (GDPR).

A single EU wide law, applicable to all 28 member states, which aims to build trust within the region and bring data protection up to date in light of new technological developments such as cloud, social and mobile.

Before GDPR, European countries had different approaches and interpretations to data protection making it difficult to demonstrate compliance – leading to confusion.

The hope is that a single harmonized Data Protection Regulation will go a long way to resolve these issues, making it easier for companies and increased confidence for citizen.

Q2: Why has it been introduced?

The European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Q3: What constitutes personal data?

According to the European Commission: “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

The regulation does not apply to the processing of personal data for national security activities or law enforcement; however, the data protection reform package includes a separate Data Protection Directive for the police and criminal justice sector that provides robust rules on personal data exchanges at national, European and international level.

Q4: In digital marketing, we rely on the personal data collected from different devices to build buyer personas, create tailor-made customer journeys and provide a personalised customer experience. How will GDPR affect how we currently do business?

It will affect how businesses do business, and in theory, it should make the experience for customers “better” in that they will have more clearly defined rights & expectations.

For businesses, the way personal data is collected will have to be considered in the context of Privacy by Design & by Default.

Data protection by Design and by Default (Article 25) requires that data protection is designed into the development of business processes for products and services. This requires that privacy settings must be set at a high level by default, and that technical and procedural measures should be taken care by the controller in order to make sure that the processing, throughout the whole processing lifecycle, complies with the regulation.

For customers it will enforce “rights” that people always had to an extent.

Right of Access to all PI
Right of Modification
Right to be forgotten
Right of restriction of usage
Right of no Automated decisions nor profiling

Q5: If anyone is any doubt as to the importance of GDPR, then they should perhaps be reminded of recent US financial services example where customer data was lost. Tell us about that.

Well, you’re probably thinking of Equifax there, where almost half of all US citizens were involved in a data breach that covered names, addresses, social security numbers and in some cases credit card numbers and other personal, financial details.

All told 143 Million people involved. Not the BIGGEST hack ever… that would be 1 Billion Yahoo records between 2014 and 2016, but certainly the most sensitive big breach in recent times.

US Credit Bureau – Credit Ratings Service
Harvest & sell financial data & credit ratings
“Hacked” in May / June 2017
143 Million Records leaked / stolen
Names, Addresses, SSN, Drivers License #
… everything you need for Identity Theft
If GDPR was in force today … (4% of 3.14 Billion == 125,600000)

I suppose the first thing to say is the data wasn’t lost – it was stolen, and when it was discovered it was handled badly. The breach was made possible because core software wasn’t kept patched or updated and known flaws in the software were exploited by hackers; we haven’t seen the real fallout yet, but it’s likely to be significant.

Already, several C level executives have “retired”, including the Chief Information Officer and Chief Security Officer.

A bunch (at least 25) of class action suits have been taken on behalf of US citizens, congressional investigations will follow and probably more lawsuits.

According to respected US technology lawyer Mark Grossman, It’s a real possibility that Equifax will NOT the fallout from this breach.

Q6: What are the penalties for breach of the GDPR?

a warning in writing in cases of first and non-intentional non-compliance
regular periodic data protection audits
a fine up to 10 M EUR or up to 2% of the annual worldwide turnover (Article 83, Paragraph 4])
a fine up to 20 M EUR or up to 4% of the annual worldwide turnover of the preceding financial (Article 83, Paragraph 5 & 6)

Q7: As we continue to harvest data in the Digital Age, do you think there will be any more intelligent ways to safeguard against loss or theft of data? Will artificial intelligence play any role?

There’s no silver bullet here.

AI on it’s own will not help. In the case of Equifax, the root cause was a failure to apply good practice and maintain software currency. In other words, they didn’t apply software patches.

It’s not rocket science… for years IT people have known that patching, patching and patching are essential to good Information Security practices.

So before we think about high tech AI solutions, we need to understand why patching is not applied. Everyone knows it is best practice, but some very large & successful organisations clearly don’t do it.

Q8: What advice would you give to companies and organisations who haven’t made any plans to prepare for the introduction of GDPR in May 2018. What do they need to do?

Don’t IGNORE it – it’s not going to go away

Well, if you deal in personal data, or your business handles personal data of customers you need to be sure that you can observe the law.

That’s what it boils down to. GDPR will become law in less than 240 days, so the sooner you prepare, the better prepared you will be.

Larger organisations which have Privacy staff, or InfoSec staff will be better placed, and should already be planning & preparing for May 2018.

Larger organisations may be OBLIGED to appoint a DPO – Data Protection Officer, if they have more than 250 employees, or the core business is processing information on data subjects

Smaller orgs which may NOT have suitable staff or skills need to at least THINK about GDPR

My advice would be for anyone who is interested to take a look at the IBEC Guides on GDPR – I’m not affiliated, but I have read these guides and they strike me as clear & straightforward advice.

http://www.ibec.ie – GDPR guides

Q9: There is a 2-year post-adoption grace period, before the GDPR will become fully enforceable throughout the European Union, can companies view this as extra time to prepare for it?

Let’s be very clear on this, GDPR is in force right now.

Officially, the regulation entered into force 20 days after its publication in the Official Journal of the European Union on 4 May 2016.

Its provisions will be directly applicable in all member states two years after this date.

It shall apply from 25 May 2018.

So, there is no more grace period. We are approaching the date when the existing GDPR law becomes enforceable.

http://www.gdprcountdownclock.com/

240 days including weekends and bank holidays.

Q10: The ‘right to be forgotten’ is part of the GDPR legislation, will this have a major bearing for search engines and social networks?

Yes.

Google, for example, offer you the ability to manage your account with them, and delete certain data.

Social networks also offer varying levels of “forgetfulness”.

It’s important to remember that GDPR allows for obligations of the “Controller” where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

There is a constant tension between the ability to do increasing amounts of business online and the right to privacy, with consumer data being properly safeguarded.

GDPR attempts to define where that balance should be, identifying a number of rights for citizens and a number of responsibilities that organisations must adhere to.

No silver bullet and it’s not a once off either. This is a fundamental change to how PII is managed from this point on.

Find out more about GDPR on the official EU website: http://www.eugdpr.org

Shout-Outs: Three FAQs About GDPR

In this part of the show I give shout-outs to individuals, organisations or brands that are remarkable online and worth talking about.

But this week I’m sharing three frequently asked questions about GDPR.

1. When is GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation takes next May 2018.

*************

2. In light of an uncertain ‘Brexit’, should UK Data Protection Officers still continue with GDPR planning and preparation?

If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not you the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has indicated it will implement an equivalent or alternative legal mechanisms.

*************

3. Who does the GDPR affect?

The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

Ask JSB

Ask JSB brings the voices of my listeners onto the show.

I’m always hunting for new ideas for my podcast, blog and blog and I find the best inspiration comes from questions from my community.

If you want to hear your voice on JSB Talks Digital simply log on to www.digitaltraining.ie/askjsb and leave me your voicemail.

This week’s question is from Marie Clare Byard of NOW Media:

“So, what do we do with business cards when GDPR comes in? Can we add them to our database and send emails with news and marketing material?”

Tune in to listen to my answer.

JSB’s Column | Collecting digital data with data protection in mind

In today’s column, I discuss how to collect digital data with data protection in mind.

Data is the currency of digital marketers. But in a more data-conscious world we need to be mindful of how we collect and use customer and stakeholder information.

To make sure your customer’s or user’s agreement will stand up legally, use a clickwrap method. A clickwrap method is where your customer or user has to click “I Agree” to your Privacy Policy in some way. This could be when they sign up to receive your marketing messages or when they make a purchase on your website.

This is where he customer or user is required to tick the box to agree to the Terms of Service and Privacy Policy of The Weather Channel before they can receive the newsletter.

So, make sure you have a Privacy Policy and Terms of Service in place which are linkable for your prospect to read.

Here’s an example of what a clickwrap method looks like:

Another way to protect customer privacy when you collect information is to use security mechanisms such as SSL. SSL means that the connection between your website and the user’s browser is secure when data is transmitted. Ensure that any websites you use with your customers have SSL enabled.

Another potential security issue is the storage of customer data. A popular way for many online businesses and marketing companies to store data is to use cloud storage providers. To reassure your customers that you are keeping their data safe, always choose a reputable provider.

It’s good practice to use service provides in your own jurisdiction because the data privacy laws are so varied worldwide.

So in summary, set up a Privacy Policy on your website
Require your customers or website users to agree to it when you collect information from them
Once you’ve collected the data, keep it with a reputable cloud storage provider
Protect yourself from liability in the case of data loss

In a data-conscious world we need to be mindful of how we collect and use customer information Click To Tweet

Social Media Tool of the Week: Nord VPN

With this episode of JSB Talks Digital being about privacy, it’s appropriate that the social media tool that saved my working week helps me stay safe online while on the move.

NordVPN is a provider of a Virtual Private Network which gives you privacy while surfing online using publicly available wifi.

Did you know that you can’t be safe online without a VPN?

I invested 3.29 per month for two years for the service! It’s a steal – check out their features and their special offer now at nordvpn.com. And I don’t have an affiliate with this company. Simply a JSB recommendation.

I love feedback

I’d love to know what you think about this episode. So please get in touch by commenting below or tweet me @tweetsbyJSB or send me a snap to @jsbsnaps.

Listen: JSB Talks Digital | Episode #68

I would like to thank Eoghan Murphy aka The Galway Gamer for producing my podcast series and to Flirt FM on the campus of NUI, Galway where I am based for the use of their studio.