Simplifying the GDPR with Tim Walters of The Content Advisory
Preparedness and understanding of the GDPR are paramount at this point and in an effort to educate, Kentico held a free event on September 26th, at the Bishopsgate Institute in London, and headlining the event with his presentation GDPR: a Business Design Approach was Tim Walters, Principal Strategist and Privacy Lead at The Content Advisory, Founding Partner of Digital Clarity Group and Contributing Analyst for the Content Marketing Institute.
As many of you know, the GDPR has somehow become the Big Bad Wolf that on May 25, 2018, will blow the house down on how we currently process the personal data of those in the EU. It’s an unfortunate connotation for a regulation that merely has the best interest of its pertinent residents at heart. Tim highlighted this fact with his point early on in his presentation, stating the GDPR “creates an opportunity for brands [to act] as personal data shepherds, rather than data predators”.
Here we are scared of the GDPR and we are the ones who are the wolves however not without our reasons. Personal data is conceivably the life force through the very heart of modern marketing practices, to name just one area access to personal information is invaluable but, one could hardly argue with the fundamental prerogative of the GDPR, as Tim so mindfully explained: “’People should have control over their own data.’ [These eight words (paraphrased from Recital 7), neatly summarize the goal of the GDPR. And] the rest of the text, the remaining 250 odd pages are basically laying out what has to happen in order to turn that ‘should’ into a ‘will’. People will have, you will behave in such a way that people do have control over their own personal data.”
The simplest and perhaps the most impactful way Tim brought this notion across, was with the idea of borrowing the data vs owning it, as the sole proprietors of the personal data we so love should be the individual themselves. That we should not be hunting and feasting on personal data, we should be treating it with the due care and respect we would if we were borrowing it as a valued commodity from a person, and if that thought process is employed, GDPR compliance will get a whole lot easier to understand and put into effect.
This insight however, was just a drop in the bucket when I think about how thoroughly my own thought process and perception of the GDPR was upended in the best kind of way after engaging with what Tim had to say and the advice he has for those at every level of an organization.
Why the Time is Right
To start, there was the sobering realization Tim brought to light regarding what was missing in the current thought process around data: “The GDPR puts personal back into the notion of personal data, because we’ve begun to think that personal data is just digital exhaust, it’s just there in the air so why not collect it. Or you can vacuum up personal data when someone comes to your site because after all, they are on your site. Or you can follow them around the web by placing cookies and charting their browsing experiences regardless of where they go”
It has for far too long followed the ‘finders keepers’ mentality, with ownership only existing for those who collect and house it but, I believe there is no intention to exactly villainize anyone for how personal data is currently used because frankly, the regulations in place, as Tim pointed out, have not caught up to the rapid ascent of the modern digital world: “The GDPR replaces the EU's Directive 95. As the name indicates, the Directive was formulated in 1995 -- before the web as we know it today, before social media, before the digitalization of every aspect of our daily lives, and before data, therefore personal data, became something that could be copied and distributed around the world in microseconds.”
If you, like many, have been hoping the GDPR would offer an absolute definition on this, you will not find it. The definition of personal data within the GDPR, is purposefully ambiguous and one reason for this, as Tim alluded, was that if they gave an exhaustive list of what counts as personal data, someone would find a way to track an individual not on the list and could then absolve themselves of the parameters of the GDPR.
This is just one example of how he showed this regulation bucks the trend of being ‘to the letter’ like many of its kind, avoiding the faulty reasoning that someone could find a loophole or grey area to exploit in any part and by avoiding prescription, the GDPR in a way, 'future-proofs' itself.
Tim expertly conveyed if organizations were looking for a checklist to GDPR compliance, they won’t find it as it ventures to avoid prescription: “Business people would like to approach [the EU regulation] in a checklist kind of way. ‘just let tell me what I have to do so I can get on with my business’ and my point is, I don’t think you’re going to get satisfaction if you approach the regulation in that way”.
Personally I can appreciate this artful nature of the GDPR, I see avoiding prescription as a nod to the psychological understanding of those who could resist the regulation, either because they felt they didn’t need to comply or they didn’t want to have their creativity stifled by such a black and white list. It not only heads them off before they can even begin to think of ways to outsmart it but encourages their creativity in compliance.
Instead Tim describes the GDPR as being “a principles based regulation. You must follow the principle, must follow the aims, must follow the spirit of the law, regardless of what this or that formulation within the regulation states”
“Gift from the Future”
This inexactness is just one of the ways it shows the regulators took a positive turn by wanting it to “fuel a new creative wave within the EU and for any companies that are involved in the EU. They want you to figure out new, clever, inventive ways of doing business within the confines of the regulation”, as Tim said, suggesting people should think more about how they can adapt to this new landscape and what it can do for their business, vs what it can do to it:
“The GDPR -- that is, the text of that document, some 261 pages in English -- is like a gift from the future. It tells you quite precisely -- not with 100% accuracy, but quite precisely -- what the business environment is going to look like, how it is going to change after May 25th, 2018. And so, it gives you very very good guidance on how you need to adapt to fit into that new environment, in order to survive in that environment and hopefully not only to survive but to thrive in that environment.”
Tim is exactly right in saying it is a “gift from the future”. We’d all be hard-pressed to think of any other shift in the digital world as big as the GDPR that essentially came with a guidebook but in addition, the GDPR won’t be the last of its kind. The new environment won’t be limited to the EU as Tim emphasized many other data regulations similar to the GDPR are being formulated for the personal information of citizens in many other parts of the world, even being developed per city, rather than per country making compliance all the more complicated for those who are unprepared worldwide.
"There Are No Problems, Only Opporunities"
I’ll be the first to say I love data, and namely personal data, but I think as a marketer you have to at least have some appreciation for it and as I’ve often said, if asked to identify my choice metaphorical space to think, I would know exactly what that is. Analytics on one side, theoretical consumer behavior on the other and that space between the abstract and concrete, where I am using one to understand, manipulate and predict the other, is where I like to be. But I know, none of that would be possible without data and taking that out of the equation, would make my job as a marketer almost obsolete, which makes the GDPR my problem or rather, my responsibility.
I didn’t use that anecdote to expose a (perhaps too deep) thought process on marketing, or passively say I think the GDPR is a problem, in fact, I now think it is an absolutely great thing. I used that divulgence to highlight one of the biggest points Tim made, that the GDPR is not just the IT or compliance teams' ‘problem’ as many think of it as, it is everyone’s responsibility and further than that, can be their opportunity and should be seen that way.
Marketing Engagement Gets a Boost
Marketers are one group Tim highlighted as having a massive advantage in the wake of the GDPR. Trust-based engagement for one, would be ripe for the picking and was brought into focus as Tim referenced Simon Carroll’s thought: “When someone grants permission they are acting consciously, becoming an active participant rather than a passive source of data to be pillaged. Permission equals engagement. And engagement is the ultimate goal here, isn’t it?”
During our interview, I inquired with Tim on his advice to marketers, as they are one cohort of an organization that may feel like they’re in a safety bubble away from the headache of the GDPR when in reality, its premise massively effects them. Tim expanded on this by saying: “People should be in control of their own personal data and, imagine what happens, how marketing is transformed if marketers take that proposition really seriously and really embrace it and really ensure their marketing practices reflect the respect for peoples personal data and the fact that they ought to remain in control of their personal data. Yes that’s going to disrupt a lot of our current marketing practices that treat personal data, with, to put it mildly a cavalier attitude. But, once you do figure out how to institute those processes and begin by data protection by design and other strategies then you’re in the position to create genuinely trust based relationships with customers and prospects.”
Now I don’t count myself as part of the staggering statistic Tim let us in on of the “84% of small and medium enterprises and 43% of c-suite executives in larger enterprises were not even aware of the GDPR regulations”, but I still wouldn’t say I am an expert by any means. However, even though I am very newly wading into the foray of data compliance, through Tim’s presentation, I was astounded at how quickly I understood the fundamental elements of the GDPR that had previously eluded me and how urgently I thought how all of those people in that statistic need to engage in some GDPR education much the same. That rock they’re living under may be cozy, but it won’t be when the rent of that space skyrockets as of May 25th, 2018.
Compassionately speaking, it’s easy to see why people are afraid, or resistant to know the GDPR as they should. The tidal wave that is the GDPR demands a revolution as it will wipe out most current methods of personal data management pertaining to residents of the EU. This leaves organizations with two choices: take a higher position, use the foresight available to adapt and flourish in this new environment or, keep your head down and run from it until it catches up to you and your only option is to figure out how to survive with your head already under water.