According to Elizabeth Denham from the Information Commissioner’s Office (ICO) – the UK’s independent authority, currently involved in the investigation into Cambridge Analytica – each of us has a data relationship with around 100 different organisations. Among the many aims of the ICO, one of their primal goals is to make sure that these relationships remain safe for UK citizens who, in an exchange of services, trust these service providers with their sensitive data.
Although we all seem to enjoy the benefits of personalised marketing, whether it is in the form of meaningful content, targeted advertising or a seamless customer experience, users are waking up to the fact that access to their entire browsing history and other online activities can be the source of potentially harmful information if it ends up in the wrong hands.
As more and more people expect to be asked for clear consent to give up their data, it’s time marketers understand the rules of the game before they fire up their customer data platforms.
Here’s what you need to know to make sure your customers’ personal information is safe.
Building confidence for your customers
If you are planning to use your customers’ data, the best way to comply with the GDPR is to inform your customers about your marketing purposes – long before they start filling your databases with their information. Processing data fairly and lawfully is the first principle of the GDPR. This step will also include having an open conversation about any third party data providers involved.
Building confidence in your practices for your customers is important, but equally necessary is to know how to maintain it. Try to avoid doing anything that your customers might not reasonably expect, for example, creating an insecure environment where data breaches might occur.
Personal information and safe data sharing
From selling data on a commercial basis to sharing it between public authorities and analytical firms, one of the benefits it has is aggregating even more information about your customers. But on deciding to join this data partnership, it is important you fully understand the potential consequences of data sharing.
Whether you choose to partner with third party vendors or an analytical firm, it is important you consider what the recipient organisation’s involvement might be on the data security of your customers. Using powerful customer data platforms means merging different pieces of information from various sources to create a single, comprehensive view of an individual customer. Although it might initially sound like a dream come true for any marketer, it is easy to see how this can get out of hand and turn into intrusive profiling.
In the past, combining information from different social media sites with other virtual media and location history has led to significant data breaches. An infamous case is that of US supermarket chain Target, which was able to provide pregnant teenagers with coupons for baby clothes long before they had told their parents about their growing family.
Sharing data with other firms means having access to more data, but that comes at a price. If your business is ready to take some extra risks, it is important you have the answers to a few crucial questions: is the sharing justified; are your customers fully aware of your intentions; do you have the power to share it?
Encryption and anonymisation
Anonymisation of your customer data is not compulsory, but often essential if you want to make sure you comply with the GDPR. The first step here would be to understand if your organisation stores personal data. By definition, data is considered non-personal and thus non-identifiable if it does not relate to any (living) identity/individual. But if there is even a single piece of information that could allow anyone with access to this data to identify an individual, whether it is an address, a telephone number, a Facebook account, etc, it becomes personal data.
Storing personal data can be legitimate, such as when a company is providing medical services. However, when there is no objective need for the use of personal data – meaning the services you provide don’t require it – anonymisation should be considered.
Obtaining consensual agreement from your users
It’s common marketing knowledge that personal data can only be processed with clear, freely given consent. However, the new GDPR regulations raise the bar to a higher standard for consent, rendering the previous one-size-fits-all approaches obsolete.
In other words, indirect consent – permission that a user gives to third parties – will no longer be a valid justification for targeting users with content that they did not specifically express an interest in. What’s more, if you are sharing your data with other analytical firms, you will have to name them and request specific permission to do so. Lastly, you will need to keep records for every consent you are given, as data regulators have a right to ask for them at any time.
Personal information and consent for big data analytics
The very opaque nature of using AI in marketing analysis makes it hard to obtain valid and meaningful consent in the first place. Companies that are being accused of unlawful processing are usually those that process large amounts of personal information without having consent for it to be used for purposes unrelated to those triggered at the moment of data gathering.
However, big data analysis is crucial if we want to live more productive and easier lives. Consider Transport for London (TfL) – every day they collect as much as 31 million data points about Londoners’ journeys, including 20 million ticketing systems known as ‘taps’ for more informed transport services. Companies that rely on automated marketing and CRMs are urged to balance their own interests against those of the individuals in order to minimise the danger of data misuse.
Have an opinion on this article? Please join in the discussion: the GMA is a community of data driven marketers and YOUR opinion counts.