[This article is a 3-minute read]
As many countries around the globe turn to mandatory “stay at home” orders and lockdown decrees, our deepest concerns rightfully center around the health and safety of citizens, medical care providers and other essential personnel who keep the wheels of society turning. In addition to health, however, concerns also arise about how we will recover from the economic slowdown resulting from the novel coronavirus (COVID-19) pandemic. For example, see the recent BBC article: Coronavirus: A visual guide to the economic impact.
In response to social distancing rules, large numbers of people are buying merchandise, food and other items online. At the same time, the ongoing availability of electronic direct marketing (and accompanying AdTech) required to satisfy customer demand is at risk. While regulators are concerned with privacy issues, when consumers are already overwhelmed with other priorities, quickly finding relevant deals and core products is more important than one might think. Those in the industry are seeing a regulatory challenge coming at exactly the wrong time.
The fear of this regulatory threat is real and will have repercussions that go far outside the industry. But there is a solution that can help the industry to achieve compliance: Pseudonymisation. This can support both economic and business growth, and the protection of privacy rights. Let’s take a look at how.
What Do We Need?
A full recovery from the impact of the novel coronavirus (COVID-19) pandemic requires three things:
- Rapid developments in health technology and public health measures;
- A robust economy that can support salary generation to finance public services such as healthcare, education, and infrastructure; and
- A business environment that can continue to support consumer demand.
This complex issue has been partially illustrated in China’s early bounce-back from the novel coronavirus: even while factories are beginning to open again, overseas buyers (who are now in countries stricken with the disease) cannot meet their contracts to purchase.
Economies need workers and businesses to produce products, and businesses need consumers to purchase the products. Even if consumers have money to spend, without being able to easily find relevant products, purchases become less efficient. With such a huge economic downturn, any purchasing-chain efficiencies actually do matter.
This is where direct marketing and AdTech come in: they make the purchasing process more efficient for consumers in the rapidly-expanding online marketplace.
What is the Problem?
The problem is that direct marketing to customers, via AdTech and other means, is currently under regulatory challenge. Many in the industry fear that overzealous regulatory initiatives will have broader negative impacts, including dampening industry innovation and ultimately affecting consumers. A recent webinar involving over 700 senior privacy and data innovation professionals from around the globe brought up several key takeaways that illustrate these industry concerns:
- SOS Alert: Direct marketing to customers is being challenged, and innovative data uses are at risk.
- Consent, contract and anonymisation are no longer reliable for legally processing personal data under the GDPR. This makes it hard for personal data to be processed with complex algorithms, such as those in the AdTech space used to present relevant products to particular consumer groups.
- Instead of consent, contract and anonymisation, companies must consider Legitimate Interests as a legal basis for processing. This requires new technical controls that protect data when in use.
- No one wants to be left behind: immediate action is required.
Why Are Regulators Taking Such a Tough Stance?
The problem for regulators is that advancements in tracking and profiling individuals for direct marketing purposes have outpaced the establishment of measures that enable electronic commerce to be carried out in a privacy-respectful and lawful manner. Many companies do not yet have appropriate technical controls implemented (and regulators are skeptical as to whether these controls exist).
When an industry does not act in a way that respects privacy (especially within the greater context of the Cambridge Analytica and Facebook data scandals) regulators will react strictly.
In particular, the direct marketing and AdTech industries are “up in arms” about:
- A Dutch Data Protection Authority (AP) decision that has been widely reported as holding that commercial interests can never support Legitimate Interests as a lawful basis for data processing; and
- Concerns that the UK Data Protection Authority (ICO) is trying to do away with Legitimate Interests as a lawful basis for direct marketing in its Draft Code for Direct Marketing.
However, there is a solution.
How Can the Industry Move Forward?
The GDPR itself sets out that:
“[the] right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”
This means that the balance can constantly shift: while regulators may have been skeptical in the past of the AdTech industry’s ability to protect privacy, with new technologies come new considerations. The reality is that new technologies can now support privacy-respectful and lawful direct marketing.
An upcoming webinar on the 16th of April, Legitimate Interest MicroSegmentationBased Direct Marketing, will discuss this new technology: GDPR-compliant Pseudonymisation. This embeds privacy policies in use-case-specific, privacy-enhanced versions of data to satisfy statutory and contractual requirements necessary for lawful commerce to continue. This webinar features Chris Docksey, the Honorary Director General of the European Data Protection Supervisor (EDPS), who will speak on the need for “proportionality” in balancing the fundamental rights of data protection on the one hand, and the right to conduct business on the other hand.
The webinar will also provide information on how flexible, technologically-enforced, Pseudonymisation-enabled controls can help to support economic growth while balancing data protection and business objectives as simultaneously achievable objectives.
What is the Solution?
- First, Anonos believes that the Dutch Data Protection Authority decision has been widely misinterpreted, due to people reading only a Google Translate version of the one-page summary of the ruling versus the full 40+ page ruling. To tackle this, Anonos has made an unofficial English translation available.
- Anonos believes the proper interpretation of the AP decision and the ICO Draft Code is that organisations must prove the existence of technical and organisational safeguards for data subject privacy: safeguards that can ensure demonstrable accountability. To allow AdTech and direct marketing industries to continue to operate, these actions must be taken immediately.
- Organisations must take action now to implement technical and organisational safeguards (such as Pseudonymisation) to ensure demonstrable, technically enforced, accountability, so that lawful commerce through direct marketing and AdTech remains possible.
- Learn more at the upcoming April 16th Webinar on Legitimate Interests Microsegmentation-based Direct Marketing.
Industries that deliver goods and services more efficiently through the supply chain are already important to support economic growth, and will be desperately needed in the coming months and years. Direct marketing and AdTech are no exception.
With the clear threat to the industry’s existence, regulators need to consider whether technological advancements have been made to the point where businesses can prove that they protect personal data, allowing individual rights and business interests to co-exist. Anonos believes that these advancements are already here, with technical and organisational safeguards such as GDPR-compliant Pseudonymisation.
April 16th Webinar: Legitimate Interests Microsegmentation-based Direct Marketing
Benefits and Advantages:
- Data subjects can be presented with advertising offers in their capacity as members of small, dynamically-changing subgroups called microsegments. In this way, data subjects are served advertisements based on “what” they are interested in, without having to reveal “who” they are.
- Organisations can reach groups of people represented by microsegments in which they are interested. At any time, data subjects can opt out of being included in further outreach based on microsegments.
- Compliant direct marketing campaigns can scale at a global level.
- The data supply chain becomes more accountable and transparent.
- Technical controls support data minimization and purpose limitation, while reducing the scope of unnecessary data sharing, and alleviating privacy-related risks to data subjects.
- Data subject consent serves as the "centerpiece" of the puzzle, with other "pieces" (including, but not limited to, Legitimate Interests as a legal basis for processing data) applied where relevant to allow for lawful processing.
- A bridge is built between consent-based processing and Legitimate Interests-based processing by leveraging GDPR principles of Pseudonymisation and Data Protection by Design and by Default to technically enforce data access control and access boundaries.
- A win-win combination of technical controls can allow data controllers to process data, prove how they did it, and protect individual privacy rights, while achieving legitimate business objectives in an ethical and lawful manner.
- Auditable controls can be embedded into the process, so that compliance can be demonstrated.
I personally invite you to register to participate in the Legitimate Interests Microsegmentation-based Direct Marketing webinar on April 16th. Learn more about new technologies that can now support privacy-respectful and lawful direct marketing, to allow the purchasing process to become more efficient for both businesses and consumers, without infringing privacy rights.
This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.
CLICK TO VIEW CURRENT NEWS