Personal data and personalization—the journey so far

Since its publication in May 2016, privacy professionals, law firms, technology companies, marketers, and others have flooded the Internet with broad, sweeping summaries of what the General Data Protection Regulation (GDPR) will mean for companies, and how scared we should all be about the new fines for non-compliance.

And it’s true. The data protection landscape will look vastly different this time next year.
But despite all the noise, all the long after-work presentations, and uninspiring blog posts, very little attention has been given to how these rules actually interact with specific activities, or what possible examples of compliance might look like.

Yes, we know the GDPR is important, we know it’s going to be a big change for many companies, but can we please have some practical guidance on how to approach compliance?!

So, in December I looked at how the GDPR is likely to impact personalization, and began to explore how companies may choose to respond.


What is the GDPR?

As you’ve probably guessed, I don’t think the world needs another long summary of what the GDPR is, or what it means generally for companies. The ICO has a great summary, which is a good starting point if you’re arriving at this fresh. I also go over some key definitions, core principles, legal bases for processing data and the rights of data subjects—along with examples—in the webinar we recently delivered. 


What does the GDPR mean for personalization?

Firstly, let’s debunk a few myths.

There has been a huge amount of scaremongering around the GDPR. Commentators (many of whom are trying to sell you some kind of compliance tool) have dramatically pitted the GDPR against data-driven technologies - the unstoppable force of the digital age crashing into the immovable wall of EU regulation, bureaucracy and red tape.

You’ve probably seen headlines like ‘GDPR spells the end’ or ‘brands beware’. 

This could not be further from the truth. The GDPR has absolutely not been drafted to stop companies from taking advantage of technology. In fact, the GDPR embraces technology and provides a much needed update to the woefully outdated Data Protection Directive.

Crucially, activities such as personalization are expressly permitted under the GDPR, provided they are conducted in a GDPR-compliant way.

Previous data protection laws forced companies to look at new technologies under the lens of an old law, drafted well before the internet as we know it came into existence. Data protection compliance became an exercise in metaphor and analogy, leaving many companies unsure about which shade of grey applied to their practices - what was negotiable, and what was nailed on.

Personalization, as one example, was probably allowed, but there was never any express statement within the law confirming this.

By contrast, the GDPR expressly allows companies to personalize on their websites. This is achieved through the introduction of “profiling” as a distinct data processing practice:

Profiling is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

Personalization means different things to different people, but it’s difficult to see how any form of digital personalization could be carried out without some form of “profiling” as defined within the GDPR.

Recital 72 of the GDPR confirms that profiling (and by extension personalization) is lawful:

“Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or data protection principles.”

Personalization was not forbidden before, but now it is expressly permitted. This is a massive step forward.


What now for personalization?

Moving forward, and as the GDPR comes into force, organizations will have to look at personalization (and every other activity involving processing personal data) in light of the GDPR.

Companies should consider:

  1. How does the activity interact with the data protection principles?
  2. What is your lawful basis for processing?
  3. Will you have to make accommodations for the additional rights for data subjects under the GDPR?
  4. Are third parties involved? Have you got the right agreements in place?
  5. How can you demonstrate compliance?

That seems like a lot - and it is - but reviewing all of your data processing activities early will allow you to get ready for the GDPR and to demonstrate compliance before enforcement begins on the 25th May 2018.

Have a look at our recent webinar for practical examples on each of these points, and reach out to us if you have any specific questions about your own program, or how Qubit can help.

You can also register for the blog to make sure you get the next post in the series, where I will look at a great question raised on the webinar about consent as a legal basis for personalization.