As many countries around the world enforce “stay at home” orders and lockdown decrees due to the coronavirus (COVID-19) pandemic, our attention is rightly focused on the health and safety of citizens, medical care providers and other essential personnel. However, in addition to healthcare, concerns are also understandably being raised around how the global economy will recover from the impact of COVID-19.
In response to social distancing rules, large numbers of people are buying groceries and other essential items online. At the same time, the ongoing availability of electronic direct marketing (and accompanying AdTech) required to satisfy customer demand is at risk.
Regulators are naturally concerned with privacy issues, but when consumers are already overwhelmed with other priorities, quickly finding relevant deals and core products is perhaps more important than one might think. Those in the direct marketing and AdTech industry are seeing a regulatory challenge coming at exactly the wrong time.
The fear of this regulatory threat is real, and it will have far-reaching repercussions. Many in the industry fear that overzealous regulatory initiatives will have broader negative impacts, including dampening industry innovation and ultimately affecting consumers. A recent webinar involving over 700 senior privacy and data innovation professionals from around the globe brought up several key takeaways that illustrate these industry concerns:
- SOS Alert: Direct marketing to customers is being challenged, and innovative data uses are at risk
- Consent, contract and anonymisation are no longer reliable for legally processing personal data under the GDPR. This makes it hard for personal data to be processed with complex algorithms, such as those in the AdTech space used to present relevant products to particular consumer groups
- Instead of consent, contract and anonymisation, companies must consider Legitimate Interests as a lawful basis for processing. This requires new technical controls that protect data when in use
- No one wants to be left behind: immediate action is required
The challenge for regulators is that advancements in tracking and profiling individuals for direct marketing purposes have outpaced the establishment of measures enabling electronic commerce to be conducted in a privacy-respectful and lawful manner.
Many companies do not yet have these appropriate technical controls implemented – and regulators are often skeptical as to whether these controls currently exist. Meanwhile, in the UK, the direct marketing and AdTech industries are particularly concerned that the Information Commissioner’s Office (ICO) is trying to do away with Legitimate Interests as a lawful basis for direct marketing in its Draft Code for Direct Marketing.
However, there is a solution that can help the industry achieve compliance, supporting wider economic growth, while also protecting consumers’ privacy: Pseudonymisation. GDPR-compliant Pseudonymisation embeds privacy policies in use-case-specific, privacy-enhanced versions of data to satisfy statutory and contractual requirements necessary for lawful commerce to continue.
The GDPR itself sets out that “[the] right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”
This means that the balance can constantly shift. While regulators may have been skeptical in the past about the AdTech industry’s ability to protect privacy, with new technologies come new considerations. The reality is that new Pseudonymisation technology can now support privacy-respectful and lawful direct marketing, allowing the protection of individual privacy rights to co-exist alongside business and industry interests.
Now is the time for organisations to implement technical and organisational safeguards such as GDPR-compliant Pseudonymisation to ensure demonstrable, technically enforced, accountability, so that lawful commerce through direct marketing and AdTech remains possible.
By Gary LaFever, CEO & General Counsel, Anonos
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/