Is the media industry taking sufficient action to meet the requirements of GDPR? According to research by HubSpot, fairly late in the day, fewer than half of marketers in a range of EU countries were aware of GDPR at all. And GDPR, of course, doesn’t only apply to companies based in the EU – it also applies to all organisations outside the EU that are responsible for managing data pertaining to EU citizens. A newspaper in the U.S. that sells subscriptions to people living in France must still follow the rules.
The legislation is far-reaching and somewhat cumbersome in its presentation. But implementing it is vital, ultimately, to ensuring legitimacy. Seven rules are key:
1. Explain how data will be used
GDPR is intended to ensure transparency between individuals and the companies that collect and manage their personal data. For example, organisations who collect user information via a website form, allowing users to access content or interact with other users only after they have created an account, must clearly communicate how the data will be used. If an organisation plans to track a person’s activity on its website, the user must provide consent.
2. “Opt-out” consent is out
It is of huge importance to note that “opt-out consent” is not permitted under GDPR. Companies can no longer send information to users via email based on a default consent setting. And in order to use a person’s data for any new purpose, the organisation must again acquire consent. It is essential to be transparent not only when collecting personal data, but to remain so throughout the entire process, including managing user data after the company/consumer relationship has ended.
There are many hidden pitfalls for media companies to avoid. Sales and marketing teams have to be very careful when initiating any campaign, from sending out newsletters and cold calling to displaying paid ads. IT departments must ensure a secure and reliable data storage environment and that the tools required for managing data by both company employees and by customers themselves are in place.
Typically, media companies have software with complicated architecture and functionality. Often their systems are old and difficult to update with modern technologies. Integration with third-party solutions or consolidation following a merger may be a further challenge for developers.
3. Don’t collect unnecessary data
Media organisations must be careful to collect only data that is required for the task at hand, as collecting any information that is determined to be unnecessary violates GDPR stipulations.
4. Don’t share without asking
Furthermore, if a company wants to share personal data with another organisation in any manner, it must first acquire consent from the individual.
5. Ensure safe storage
All data collected must be stored in accordance with the provisions of the regulations, which state that companies must use “appropriate technical and organisational security measures” to protect personal data against unauthorised processing and accidental loss, disclosure, access, destruction, or alteration. To meet these requirements, data encryption or segregation from other information may be necessary. The specifics of these standards differ depending on the nature of the data being collected and how that information will be used, so media companies must know how GDPR specifically relates to their practices and adjust them accordingly.
6. Don’t hoard
Personal data may only be retained until the purpose of collection is completed. Media companies must have a data retention policy in place outlining the length of time they will hold on to the personal information of their users.
Many publishers, music and video streaming services, social networks and so on renewed their policies and refreshed consents a few months ago, going to great lengths to reassess digital assets and business processes. However, some big names, including the Chicago Tribune, Los Angeles Times and New York Daily News, chose not to bother and simply blocked EU visitors to avoid any potential problems.
There is always a risk of intentional or unintentional data-hoarding, especially within big companies with complicated structures where huge amounts of user data are processed daily. If a company has affordable storage, it follows that it may keep some stale data. Marketing and sales teams can be unwilling to delete users’ data – after all, subscription and advertising are the foremost monetisation models for media companies.
7. Make sure there’s an eraser in your pencil box
Consumers have the right to request the deletion of their data at any time, with the data controller confirming removal from its systems and from the systems of any other companies who were processing the data on its behalf. Be sure that you are in a position to do this.
For media companies, the run-up to the GDPR deadline was a drain on time and resources. At first glance, most companies are geared up and follow all GDPR guidelines, although further scrutiny is vital to ensure that this is the case across the board. Meanwhile, some customers are still at risk of facing the abuse and misuse of their personal data and companies of receiving swingeing fines. The first GDPR-led legal cases have already been filed against Facebook and Google.
By Sergey Bludov, Senior Vice President, DataArt