As Europe’s General Data Protection Regulation forces companies worldwide to conform to stricter privacy standards, firms are struggling to determine how they can safely implement GDPR, protect user data from hackers, and be transparent in online advertising and communications to avoid a public backlash and/or regulatory penalty. Allie Bohm, Policy Counsel at Public Knowledge and a speaker at the August 2 Cynopsis Measurement & Data Conference, says brands need to think about their data policies “from the bottom up.”
But first, find a good lawyer. “Much of what it means to ‘implement GDPR’ is still being worked out both through regulation and through litigation in Europe, so how to safely implement GDPR is actually a challenging question,” says Bohm. “Where brands are collecting Europeans’ personal data, the best course of action would be to consult with a European lawyer who is an expert on this topic. The International Association of Privacy Professionals has a certification for ‘Information Privacy Professionals’ focused on Europe, and an attorney with this certification would be a good bet.”
As for protecting user data from hackers, “Brands should think about their data collection and retention policies practices from the bottom up, starting by asking what user data they collect,” advises Bohm. “Do they really need that user data? And, if so, for what purposes? How long do they need to retain the data to achieve those purposes? What would be the costs of losing user data – both in terms of financial cost and reputational cost, as well as any other costs? In light of the answers to those questions, brands should think about what they need to do to protect user data. At a minimum, brands should adhere to the latest, state of the art data security practices. But, in many instances, the best security policy is what’s known as ‘data minimization’ – not collecting or storing extraneous data in the first place. If brands do not have the data, they cannot lose the data and data thieves and other malicious actors seeking the data will have less of a reason to target the brands.”
As for avoiding regulatory penalty, it is important that brands are honest about what they do and do not do with user data. “The Federal Trade Commission has the authority to take enforcement action against companies that engage in unfair or deceptive practices,” points out Bohm. “A deceptive practice occurs when a company says that it is doing one thing, but actually does another. So, if a brand claims that it will delete user information upon a user’s request or that it does not collect certain data, it must, in fact, delete the data upon request or decline to collect the particular data, respectively. The FTC uses its unfairness authority much more sparingly, but to ensure compliance, companies should make sure to avoid actions that (a) cause (or are likely to cause) ‘substantial injury’ to users, (b) where there is no way the user could reasonably avoid the harm, and (c) there are no countervailing benefits of the action to the user.”
The Cynsiders column is a platform for industry leaders to reach out to colleagues, followers, and the public at large. In their own words and in targeted Q&As, columnists address breaking news, issues of the day, and the larger changes going on in the ever-evolving world of television, video and digital. Cynsiders columns live on Cynopsis’ main page and are promoted across all daily newsletters. We welcome readers’ comments, queries, and column ideas at Lynn@Cynopsis.com.