Individuals’ Rights Under GDPR
Nathan: What are the individuals’ rights in all this?
David: Yeah, that’s a great question. Because under the GDPR, the individual has the right to be informed, to be told, ‘I got your information from here, and this is what I’m going to do with it, and this is what I’m not going to do with it.’ The right of access, so you as the individual can get a hold of us and say, ‘Hey, my information’s not right, it’s incorrect, it’s inaccurate, and I need you to change that, based on the profile that you have about me.’ The right to recertification, meaning the same thing ‒ you could actually change or adjust based on what you know. The right to erasure: ‘Hey, Act-On please erase all these pieces of information about me,’ or, ‘Mr. and Mrs. Customer, please erase all this information about me,’ and how are you going to do that?
You have the right to restrict processing, meaning ‘Hey, I’d like to get emails from you, but I don’t want to get SMS.’ Or, ‘I’d like to get emails, but I don’t want to get texts’ … or whatever the case may be. And then the right to restrict data portability, meaning I go and take my data from company A and move it to company B. You could, in theory, have customers who leave on a Friday at 5 p.m. and then go to another company Monday at 8 a.m. And, technically, they should be up and running within that environment.
And then finally the right to object: ‘This is right, this is wrong, this is indifferent.’ And the right to relate to automated decision-making and profiling, meaning, as we are in the digital channel now with things like artificial intelligence, that you could start building profiles on people and subjects regardless of whether they know about that or not. You have to be very up front in terms of how you disclose that information and how you build those profiles.
What I envision is companies will be overcompensating for consent. You think about how you engage in a digital relationship today – disclosure, consent, and all these things that we take somewhat for granted. But the point is that I think you’re going to see a lot of profile pages and onboarding pages, where you’ll have no pre-checked boxes, but you’ll allow people to be able to say, ‘I would like to select this or deselect that.’ Pre-checked boxes on the GDPR is a complete no-no. It’s totally illegal.
And what I would be doing now as a marketer is, in your preparation efforts, when this thing goes live in May of next year, there’s going to be no grace period. Every piece of data you have on your file come May of 2018 will have to be compliant the day it goes live. So, you should start thinking now about how you either re-permission or get to the point where you start to disclose different things about the individuals as you get ready for the GDPR implementation. So, re-permission your lists, get your consent in order, start talking about disclosures, and that kind of thing. And so that’s what you should start embracing today.
Learning More About GDPR
Nathan: We’re talking about this now just so that people have an opportunity to start getting in compliance or putting in those mechanisms to be compliant, ourselves as well as anyone else. Is there a checklist?
David: Full disclosure, we’re not in a position where we could provide legal advice or guidance. But some of the data protection authorities within the EU are more vocal and have been more communicative than others. And a great example of a DPA that has put a lot of information out there is the ICO, the Information Commissioner’s Office of the UK.
If you go to their website, they have a ton of information in terms of what you should be thinking about, how you get yourself ready, and what your obligations are going to be next year.
Nathan: So, this is something to get the entire team discussing, from marketing to compliance, to legal and engineering, correct?
David: Absolutely. Because everyone’s going to interpret it differently. I mean, the documentation is hundreds of pages deep. It’s extremely cumbersome. But it’s really a common-sense approach to a digital relationship. And it’s not just about the individual now. It’s also about how you do business with your vendors and how you hold them accountable for things. In some respects, it’s a framework for a common-sense digital approach for not only marketing, but also for opting out of certain things. It’s definitely something that you should be thinking about now. And if you haven’t, then you are a little bit behind the 8-ball.
Act-On will be producing webinars and datasheets and other content about GDPR throughout the next year. You can also email David if you have a question: firstname.lastname@example.org.