Jun 20, 2022
Data privacy has become a major concern for companies, especially now that they have access to huge amounts of customer data. Unfortunately, recent data scandals have trained an uncomfortable spotlight on how companies manage their data and respect customers privacy. When companies fail to adequately protect the integrity and privacy of their customer data, it can lead to serious reputational damage, as well as legal and financial sanctions.
Understandably, many companies have been concerned about their GDPR obligations in recent years. However, even if your company operates in markets where GDPR doesn’t apply, you still need to be aware of your obligations to protect customer data. Mining customer data offers great opportunities for marketers to develop highly personalized digital marketing campaigns, but marketers still need to apply best practices for data protection.
Below, we will cover the key principles of data privacy - wherever you are operating in the world, and outline 10 guidelines for marketers to keep in mind as they consider the ongoing state of data privacy.
European governments were coming under pressure to address data protection vulnerabilities and in 2016 launched the General Data Protection Regulation (GDPR), replacing the previous Data Protection Directive.
This GDPR has important implications for digital marketers, because it outlines how to collect, store, and use any user or customer data that they collect.
Pro tip: Use this handy checklist to help you develop a marketing strategy that’s GDPR-compliant.
Note: GDPR applies to companies operating in the EU. Other jurisdictions have different data protection guidelines, so be sure you understand your obligations if marketing in those areas. For example, if your company retains data on residents of California, you must comply with the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020.
Regardless of where your company markets to and which regulations you must comply with, it’s best practice to always apply these six general data protection principles.
Let’s look more closely at each of these.
When companies process user data, it must be done in a lawful, fair, and transparent manner. The processing is lawful only if one of the following applies:
Consent is a very important principle when it comes to data privacy. According to the GDPR, content must be “freely given, specific, informed, and unambiguous”. When collecting data, companies should:
You cannot assume that informed consent is implied through the customers’ interactions. You must give them the option to opt-in to your data collection processes.
Even when users consent to their data being used, the data must only be kept for specified, explicit and legitimate purposes. In particular, the data should be used only for the purposes informed to the user. For example, if you tell the user that you’re collecting data for research purposes, you cannot then use that data for marketing purposes.
Remember, just because you have the data doesn’t mean that you can use it for any purpose. You cannot use the data in any way that is incompatible with the informed purpose of the data.
In some cases, you may wish to use the data for more than its original purpose. If you suspect this new purpose is incompatible with the original purpose, you should obtain new consent to use the data for the new purpose.
Example
Suppose a bank collects customer data about their banking preferences and behaviors.
After checking the customer data, the bank realizes that some customers would benefit from better loan or savings offerings from the bank. In this case, the data use is compatible with the original purpose, so no further consent is necessary.
The bank then enters into a partnership with an insurance company. It believes some of its clients would benefit from insurance and want to pass on the customer data to the insurance company. In this case, the data use is incompatible with the original purpose, so further consent is necessary.
Remember the key concept that just because you have the data doesn’t mean you can do whatever you like with it.
When processing personal data, your use of the data should be:
This applies to both collecting the data and sharing the data. Customers should be informed about what their data will be used for and be assured that the data won’t be used for further purposes (without their additional consent). From the context of the data collection, the customers should be able to come to reasonable expectations about how the data will and won’t be used.
When collecting data, you need to ensure that the data remains accurate and up to date. If you discover that you have inaccurate personal data (or the data is accidentally altered), you must either correct or erase the data. This isn’t just a matter of respecting customers’ privacy. If your customer data is inaccurate or out of date, you cannot make accurate decisions based on that data.
Personal data may only be kept for as long as necessary to carry out the particular purpose.
Ideally, your company will have a data retention policy and will share this with customers so that they know to what extent their data will be used. The policy should outline:
When you collect personal data, you have a duty to protect it. After all, personal data belongs to the data subject, not you! Personal data should be processed in a manner that ensures appropriate security of that data.
In particular, you need to use appropriate technical or organization measures to protect against:
This issue has become even more pressing with the growing trend towards remote working. Companies must ensure that remote workers understand their obligations regarding data protection. Remote workers should follow company policies regarding device use, email, cloud and network access, and creation, storage, and disposal of paper records.
Accountability
It’s not enough for companies to have a good understanding of data privacy principles. They need to be accountable for implementing them.
Companies can demonstrate this accountability in several ways:
Lawful basis
Obviously, your use of personal data must be lawful. How can you ensure this?
According to GDPR, the lawful processing of personal data requires at least one (though sometimes several) of the following:
Bear in mind that the more of these bases you rely on, the easier it will be for you to demonstrate that you are complying with data processing best practices.
Opportunity
Complying with all these data privacy regulations and best practices may seem like a huge burden for companies. And it does definitely require careful management and sustained effort.
However, there are also opportunities around data collection and privacy. Many users are willing to share their personal data in exchange for a more personalized customer experience, as seen in this snapshot from McKinsey research:
If you demonstrate that you are using customer data in the best interests of customers, you will strengthen the bond of trust with your customers. They will be willing to share more data with you and, in return, you can deliver a richer customer experience that ultimately leads to more sales.
Clearly, data privacy has serious implications for how digital marketers develop and implement their strategies. When using personal data, always be transparent about why you’re collecting it and how you’re using it. The data belongs to the customers, so respect every customer. And behave ethically at all times. The more you can demonstrate that you’re putting the data to good use, the easier it will be to build a trust-based relationship with your customers.
Here’s a list of ten guidelines to help you ensure that your data privacy policies are as robust and effective as possible: