It’s been roughly eight months since then, but the GDPR trickle-down effect still continues. The reality of the regulation is still a mixed bag, but what more is to come?
What’s the hype around GDPR?
The hype around GDPR has become stronger because individuals now have stronger rights over their personal data. The definition of personal data according to the GDPR explicitly includes location data, IP addresses, and identifiers such as the genetic, mental, economic, cultural or social identity of a person. The new rights include the right to be forgotten, the right to data portability, and the right to object to profiling. These simply mean that consumer consent is mandatory to process data freely. That’s huge!
So, who’s been affected?
According to the European Commission, the law applies to a company which processes personal data, regardless of where the data is processed. It also applies to a company established outside the EU that is offering goods/services, whether paid or for free, or monitoring consumer behavior in the EU. All such companies needed to comply, as well as Europe-headquartered MNCs such as Nestlé, Unilever, Nokia, Heineken, and others. Many of these have backend operations or development centers in India, which access data of global customers. These, too, have had to fall in line, along with Indian IT companies and BPOs that service European clients.
Sales Promotions and Contests
Under marketing, Sales Promotions and Contests are key areas affected by GDPR. The GDPR doesn’t give specific rules that a marketer must adhere to in these areas. Instead, it says that one must keep the data for no longer than necessary for the purpose for which it is processed. To avoid complaints and fines, brands and agencies have a duty to protect their customers’ data privacy, regardless of whether they plan to contact them again.
The process of managing data involves obtaining personal data from individual entries, storing it on one’s server, selecting a winner at random from the data via an auditor, using it to contact winners, and then sending winners their rewards via post or sending them cashback rewards – the possibilities are endless. When this entire campaign delivery takes place at the agencies’ and brands’ end, there are ways to become ‘GDPR-proof’.
In order to achieve GDPR compliance, companies have taken a number of steps.
- Organizations have become extremely open and specific about what will happen to the data.
- Individuals have the right to access information collected about them and a “right to the explanation”. Here, they can ask why an algorithmic decision was made about them. The organizations, therefore, have made specific mandates which lay down exact information collection regulations.
- Organizations need to delete data in a time period specified by the norms in order to be compliant; data kept over time might result in fines. When a similar compliance rule comes to India, brands and agencies here will undoubtedly have to adhere to the regulations too.
Brace yourself – GDPR 2.0
India has been a laggard in data privacy rules, with Aadhaar remaining a bone of contention between the government and privacy advocates. In August 2016, the Centre appointed the Srikrishna committee to suggest a framework to protect institutional and private data. We’d like to call it GDPR 2.0 because it will serve the same purpose in India and even more!
This committee has been crafting a data protection regime that has the potential to empower users to control their own data but may present new challenges for Indian companies.
1. The Risk of a Fragmented Landscape
Last year, after the Indian Supreme Court declared privacy a fundamental right, the Srikrishna committee developed a data protection law for the Ministry of Electronics & Information Technology (MeitY). However, after the Cambridge Analytica incident in March 2018, urgent data protection measures have been developed by several government bodies on their own. Because these efforts are separate from MeitY’s, a fragmented landscape may emerge with unclear compliance costs.
2. The Risk Associated with India’s Vision of Digital Empowerment
While other regions (like the EU) focus on making data safer, India seeks to empower individuals by maximizing their ability to easily and quickly access, manage, and move data. India’s vision includes “account aggregators” – entities that will coordinate the movement of data. The technology behind Aadhaar may form a key part of the account aggregator’s technology. However, this technology has been publicly associated with breaches. If account aggregators cannot ensure data safety, consumers will suffer. Also, companies doing business in India may be wrongly blamed for breaches even if the breach isn’t their fault.
GDPR compliance should not be looked at as just an expensive exercise. Instead, it should be looked at as an advantage which can be a differentiator in the Indian market. Customers will trust a company that is compliant with the new privacy law more than those that aren’t. Therefore, the entry of GDPR 2.0 in India will obviously bring significant consumer benefits as well as brand benefits.