Castlebridge and Least Authority team up to reinvent Privacy Reviews
Castlebridge announces another exciting partnership in the Data Protection by Design space
Earlier this week I wrote about how organisations should start gearing up for the challenges and opportunities of the forthcoming Data Protection Regulation by looking at how well they are complying with current principles, and in particular what they can learn from the mistakes of others as set out in the Annual Reports of the Data Protection Commissioner (if in Ireland) or the relevant Data Protection Authorities (e.g. the ICO in the UK).
This should be approached as a “quality systems” problem – with an emphasis on continuous improvement and making incremental changes over time rather than trying to push for a “big bang” fix. The latter approach won’t work.
In parallel with that line of thinking, I’ve been in deep strategy mode in relation to Castlebridge Associates and how our approach to marketing and communicating might need to evolve to meet the challenges of today and the opportunities of tomorrow. This was in part triggered by my involvement in a number of audits, green field projects, and reviews of the Data Protection Regulation over the past few months. In particular, questions that have arisen about the scope and extent of some of the provisions of the Regulation had me assessing emarketing in the context of SI336 (which enacts the ePrivacy Directive in Ireland).
The ePrivacy Directive is often referred to as the Cookies Directive. Of course, the requirement for consent to be obtained when writing cookies to the devices of customers unless that cookie is essential to the service the customer is seeking to avail of is a well-known aspect of that legislation. However, the rules don’t apply to just web sites. Tracking of email marketing using cookies, web beacons or similar techniques is covered by the regulations. So too would be the use of Google Analytics or other analytics tools to track the actions of people after they’ve opened your email.
But these metrics are very important for the evaluation of email marketing. They help marketers refine their offerings and messages to reduce the “irritation factor”. But they require the processing of personal data, they require the systematic monitoring of identifiable people, and they often use technologies and techniques that require consent now.
It could be argued that anyone getting email marketing in this day and age should expect that there would be some level of tracking. However, the use of cookies would probably require consent (it’s not essential to the person getting or reading the email, rather it is of interest to the sender) so the “everyone should expect it” excuse won’t fly. Also, any analytics use over and above what might be “reasonably expected” (such as tracking how a recipient interacts with your website) would probably require some up-front disclosure to ensure you don’t fall foul of the “Fair Obtaining/Fair Processing” requirements under the Data Protection Acts and Directive 95/46/EC.
So… what is a marketer to do?
The key here is to adopt a balanced approach and to
Ultimately email tracking is an imperfect technology, even with cookies and web beacons. But a little bit of thought may help you make it more effective and more compliant.
The recently published Data Protection Regulation introduces a number of requirements for Data Controllers and Data Processors where they are engaged in “systematic monitoring” of data subjects. Among the requirements is the need to have a Data Protection Officer. Of course, “systematic monitoring” is not defined in the Regulation. However, open tracking, click-through tracking, and further analytics are potentially within the scope of this concept.
Therefore, it may be that each organisation engaging in electronic marketing using tracking will need to have a Data Protection Officer, or it may be that service providers providing the platforms for that processing and tracking will require a DPO. Castlebridge Associates recommends that, regardless of the legislation, someone needs to be in charge of keeping the organisation honest.
However, the answer to the question has potential implications for the resourcing and management of Data Protection functions in organisations that use electronic marketing. The thing is… that answer isn’t available yet. And the need to comply with the Regulation has not yet manifested, regardless of the answer. But it would be intelligent at this stage for an organisation to nominate someone to be the conscience of the organisation and develop skills in Data Protection Governance and start applying them to the organisation.
Just in case.
Well, in pragmatic terms it means that organisations who are using electronic marketing should balance their efforts between getting their house in order for the requirements of today (which we’ve had here since July 2011) and putting in place structures and governance models to meet the challenges of tomorrow (the Data Protection Regulation).
Yes, the new Regulation has some significant changes proposed. But the key word is proposed. The focus of change in organisations at this point should be on the broad brush strokes of the Regulation. The fine detail that needs to be dealt with today is contained in the Data Protection Acts (i.e. the current Data Protection Directive) and the ePrivacy Regulations.
Facing into these challenges with an eye to the broad scope of the Regulation will put organisations in a stronger position to make incremental changes as needed to meet the requirements of the final Data Protection Regulation when it is agreed, signed off, and in implementation. This will allow organisations to evolve their approach rather than having to jump in a crisis.