Facebook leak, GDPR & why should we care?
We asked a few of our customers in February 2018: are you ready for GDPR? The most common response was: what is it?
Fast forward to April 2018 and all of a sudden there has been a deluge of GDPR-related webinars in our inboxes from all sorts of companies asking, “Are you ready for GDPR?”. It's as if the bogeyman from the EU is here and we are all headed towards a disaster. It reminded us of circa 1999/2000, when Y2K was all the rage and companies prepared for all kinds of calamitous circumstances.
After the Facebook incident, do those of us who run tech companies not feel that protecting the privacy of our customers' data is a natural thing to do? Should we not look at this as something that is good for the business, rather than milking the confusion?
The Facebook data privacy leak is a precursor. Listening to Mr Zuckerberg's testimony, it's clear that he is taking a page out of the GDPR laws that come into effect in Europe and will be extending them to the user base in the US too. We think it's the right thing to do, and all companies should do the same.
Salesforce has invested resources in helping companies get compliant, but work will still be needed to implement privacy policies that take advantage of the Salesforce investment in the “Individual Object”.
There are lots of articles on the internet that talk about the do's and don'ts of GDPR, but this post is about boiling down the essence without too much fear mongering. You can also listen to our podcast on GDPR, which goes more in depth.
Understand your contact data relationships
Contact data is at the heart of compliance. Responsibility for handling contact data is split into two roles: controller and processor. You are the controller for contacts doing business directly with you; you or your downstream partners are processors when you are engaged with the contact to do something on the controller's behalf. There could be times when you are the controller for some contacts and the processor for others.
If you use Salesforce, you are the controller; Salesforce is a processor, along with any third-party services that you may use. In this case, you as the controller will have to delete an existing contact's record when the contact exercises their “right to be forgotten”. Salesforce is on the hook to enable the delete button for you and to ensure the record is indeed deleted from all of Salesforce's data centres.
Since you could be a controller or a processor, you need to be clear on which role you are playing in every relationship. You will need an addendum in your contact data defining whether you are the controller or processor for each contact, and you should flag each contact as such.
Simulate “Chaos Gorilla”
Chaos Gorilla is a term that we have borrowed from Netflix. It's about simulating an outage. Companies should invest in simulating requests from EU citizens asking you to reveal, delete and correct their data. You should have defined processes and policies ready around these requests, and figure out a way to automate them. It's an area where we need to think self-serve. The fines are extensive, and no company should assume immunity from a data breach; think Facebook. Hire a data protection officer if you are a company of over 250 people. In the case of a data breach, this person is on the hook to communicate with impacted contacts within 72 hours and let them know that their data was compromised. Regulators will want to know that you did everything possible to protect the data and to communicate proactively in the case of a breach.
The Business value of GDPR
We mentioned earlier that this is not about fear. It's about doing the right thing. There is a bright side to getting compliant: we get to reach back to all the contacts in our database and bring them up to date. It forces us to have a regular connection with our contacts and to stay relevant. Companies have invested in buying lists, and Salesforce has a sprawl of redundant contacts. Marketing to these out-of-context contacts brings down the overall ROI of running campaigns. As we build customer-centric companies, GDPR practices are a good thing. GDPR enshrines the principle that people are masters of their data and have a choice in how you engage with them.
Life after the Facebook leak.
This week some lawmakers called for a privacy bill of rights. Earlier this week, three senators introduced privacy legislation that would require user consent to collect and share data. Rep. Raul Ruiz, a Democrat from California, on Wednesday called for the creation of a digital consumer protection agency to oversee tech companies.
The changes are coming for all of us, whether we are in the EU or not. At fullcast, we believe it's for the better, and we hope everyone will embrace this move in the right spirit.
Link to GDPR Podcast