The new era of privacy & data protection has changed the rules of engagement for businesses who use personal information as part of their marketing outreach program. Thanks mainly to the General Data Protection Regulations (GDPR) in the EU and UK, we have shifted from a “we own their data” mentality to a “they own their data and if we wish to use it to further our business we must be far more respectful”. Yet there remains a few significant “blind spots” in the way businesses collect and use personal data.
The one we will unpack today is the concept of PURPOSE LIMITATION. It seems to continue to evade the changes in policies and procedures required under the GDPR and all other similar data protection & privacy laws. Article 5 of the GDPR states:
“Personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);”
So let’s take a closer look. The words, “shall be” does not sounds like a mild request to me. This is the law and violating it has severe penalties, risk to the brand aside. (see our recent blog post on the GDPR Enforcement Update)
Next is “Lawful, fairness and transparency” which means when data is collected for a stated purpose, it is only to be used for that stated purpose.
I recently gave my cell phone number to Facebook so I could “easily recover account access should I lose my password”. Shortly after that I started receiving text notifications about what my friends are posting on Facebook. Clearly “lawful, fairness and transparency” is not alive and well at Facebook. And “purpose limitations” at Facebook appears to mean “whatever they want to do with your data so they can make more money”.
Well, it may take time, but these laws will change this kind of behaviour even if public opinion and brand reputation doesn’t. As I said in a recent update on the GDPR Enforcement, being bit by a single dog hurts. Lots of bites in a short period of time can be fatal. Some people think the fines are a simply a nuisance – a”cost of doing business”, for many of these multi billion dollar companies but they will add up if they continue to ignore the laws and fail to change their data processing practices.
Not long ago, I was a fan of Facebook. I liked the connection I had to my daughter and her children who live far away from me on the other coast. I liked the updates from cousins and friends that I hadn’t talked to in awhile.
But Cambridge Analytica and Facebook changed all that. When I saw what was being done with people’s personal data without their knowledge or consent I was flabbergasted that we as a business community had let it get that far out of control. And more recently watching the outright refusal of Facebook to change and respect fairness and transparency when using people’s personal data – that has made me an outspoken critic of their entire brand and what it stands for. If I see Facebook listed on someone’s resume, I immediately question the individual’s ethics and empathy. I most certainly question their judgement in having worked for such a mercenary organization.
Remember Article 5.1b – “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;”?
That means you cannot stretch those purpose limitations to suit your needs or profits. In the case above, all Facebook had to do was notify me that they have a new service and ask me if I would like to add it to my account? A clear, grown up, adult choice to which I could have said yes or no. But clearly Facebook would reach their quarterly profits and shareholder expectations a lot sooner if they just skip that step and stretch the purpose limitations for the hundreds of millions of phone numbers they collected for another reason. Most people won’t even notice.
To some this may sound like a small thing. To others it is violating the laws, being disrespectful and mercenary, and literally abusing my personal information for their profits, taking away my personal right to privacy. It is a very slippery slope – just ask Facebook.
Section 5.1c) deals with data minimization – another “strange concept” that appears to be “new” to organizations. For the past 20 years there has been a mindset that says, “collect everything you can and we will figure out what to do with it later. More data is better.” You can hear the lack of any purpose notification, let alone a purpose limitation in that statement. Choice was not even visible to businesses collecting data because the name of the game was collect as much data as you can and use it anyway you want!
The GDPR clearly states, an organization must only collect data that is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization)”. With our collective addiction to collecting and abusing personal data, these are causing significant changes to our current data processing practices, policies and procedures.
Article 5.1.d) holds the collector accountable for the accuracy of that data. “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);”. Have you ever tried to correct the credit bureau data? They had attributed an address to my account that I had never lived at. I contacted them trying to update the record and make it accurate – but it was “not possible”. Suddenly it became possible because a new data protection law was passed. Yet again, old practices die hard.
During the past 2 years of the pandemic, data breaches and ransomware on a very large scale has become a daily activity. Article 5.1.f) requires companies to secure that data at all times, whether the data is being processed or simply stored (at rest). Once again, old habits are hard to break and most organizations have to re-think their entire data processing practices. In fact, this has become a significant category of business risk for all organizations. The damage to a brand can take years to recover from and some never do. Trust is a key factor in the purchase decisions and respecting individual’s privacy and protecting their data is becoming a dominant trust issue.
The GDPR has 99 Articles and 173 Recitals. All we addressed in this post is a single Article (Article 5 Principles relating to processing of personal data) . An important one, but let that sink in for a moment. To date many of the fines issued under the GDPR have been related to Article 5 – using data beyond it’s original purpose limitation without additional consent, collecting data not required and of course, failing to protect the data you chose to collect and process.
If you have questions about where the laws are heading and what you need to do about it, please reach out to privacy@newportthomson.com and we’ll do our best to provide clear and simple responses. We recommend re-thinking your data processing practices in order to rebuild trust with your consumer and not wait until the laws changes. Thanks to the EU Parliament and the GDPR, change is in the air.