In our previous blog we discussed what the GDPR is and why the EU is pushing through this new legislation. The question now is: how does this impact our event, tourism or hospitality business?
In short, we have to change how we do business, especially digitally. Marketing is perhaps one of the biggest challenges, because anyone can order any company to desist from using their data for any marketing purpose at any time. In addition, a legitimate reason to use people's information for marketing purposes is harder (though not impossible) to justify: customers have to opt in explicitly to give their consent, and you have to keep a record of that consent (accountability). So how do you reach new prospects?
There is much debate on this, and some aspects of the GDPR (and of the revised E-Privacy regulation, currently in draft form) are unclear, as is some of the guidance (although the UK ICO has taken a first stab at it). In general, though, what is safe to say today is that there will be a shift away from targeted advertising (based on personal profiles obtained who knows how) towards content-related display ads. In other words, a shift back towards old-style, pre- or early-Internet marketing methods such as display ads, so location and ad space may demand a new premium, plus of course social media, which is already a broadcast medium.
Why is this shift likely? Put simply, because you as a data controller have to ensure that any service you engage that obtains or processes personal data is ‘GDPR ready’. In other words, whether you are a supplier of services or a purchaser, you will have to ensure you have GDPR-related SLAs (service level agreements) with your supply chain. You cannot use the excuse of “I did not know” or “this 3rd party did it, not me”. You are accountable for the service provisions you invoke in your supply chains. There is a lot more besides in terms of accountable responsibilities in the GDPR, but you get the general idea: if you have not started your GDPR preparations already you are almost too late, because enforcement of these rules starts May 25th 2018. The UK will still be in the EU at that time, and the UK ICO has confirmed the UK Government's intent to be GDPR compliant, with new laws coming into UK statute this Autumn.
How do we Define Trust and Privacy in a Digital Era?
Many lawyers will make your head swim with the new requirements of the GDPR. However, we found that going back to the basic principles of the GDPR helps to apply common sense to most issues, because the GDPR is just an interpretation of some key principles in law. We discussed in the previous blog that the intent of the GDPR is to raise trust in digital engagement, but how is that done? We at Krowdthink spent a long time researching and trying to simplify this, and we came up with a simple diagram we call our Trust Pyramid. First, understand that you cannot obtain trust unless you seek to be trustworthy.
Obtaining trust is a function of mutual empowerment: giving customers transparency about the data you obtain, control over its use, and a right of remedy if they don't like what you have done (the GDPR covers some but not all of remedy empowerment; you can go beyond it and you'll be appreciated for it). Operationally, we found that seeking to minimise personal data (a requirement of Article 25 of the GDPR) is the most useful thing you can do: you don't have to secure what you don't have, you can more easily explain the data you do have and thus obtain consent for its use, and a business model based on people's personal data can be more readily comprehended and accepted by your customers.
This is the GDPR in a nutshell. But the GDPR also talks about privacy and people's right to it; what exactly does that mean? This is in a way the easiest and the hardest thing to do. Start by recognizing that every person's perspective on privacy is personal: it varies, and it is also contextual to the use of the information shared. That complicates matters, but we can simplify things massively by looking at the converse: when is my privacy breached? For that we can all agree on one definition: it is when the data I shared is used for purposes other than those I understood at the time of the exchange. This makes it clear that the onus is on you, the business, to be clear and concise about what data you take and what purpose it is used for. If you don't know, don't do it; the GDPR will find you wanting.
So how do you achieve GDPR compliance? The short answer, confusingly, is that you cannot. Any charlatan who tells you they or their product can should be avoided. The GDPR is legislation; law is different, it is the interpretation of the legislation into case law, and as there has not been any yet we do not know how compliance will be assessed. The EU's guidance on how to do this is not even complete in several areas of the GDPR. However, you can make best efforts to be GDPR ready, and to do that you should understand what the GDPR is trying to do in terms of digital business culture change and seek to embrace its underlying principles. If you do this you'll be on the right track: no one will fine you if you genuinely try to keep your customer data secure and empower your customers with privacy rights over it.
The rest is legal wrangling: necessary, but you can save yourself a lot of cost and effort if you take the time to understand the outcome objectives before you engage your lawyers. It is worth stating this, though: it is no longer an IT department problem (as much data protection legislation was managed in the past); this is a CxO issue. All your executives need to take a leadership position on GDPR preparations and on the fundamental shift in business culture it is trying to foster, because we all access, process and use people's personal data every day of our lives, and we all want it treated with respect, so every business department lead has to drive this cultural shift through their people.
In tourism, hospitality and at events we want our visitors and delegates to feel comfortable and happy; we need to apply the same thinking to their comfort with what we are doing with their personal data.