This year has been a watershed moment for data privacy. In March, the data of millions of Facebook users was harvested by the U.K.-based firm Cambridge Analytica, and was purportedly used to manipulate public opinion. While news of the Facebook/Cambridge Analytica situation went viral, it was just one of more than a dozen data breaches in 2018 alone, which have led to an increasing focus on users’ data privacy.
The pervasiveness of digital channels has created a vast ecosystem of user data. Our digital activity, browsing patterns, likes/dislikes/preferences and peer networks have been creatively leveraged using technology such as machine learning and artificial intelligence to create a profile that is more revealing than one could ever imagine. Google, Facebook, Instagram, LinkedIn and many others have gathered implicit consent to access users’ data when they agree to the platforms’ terms of service, but those user agreements don’t provide blanket approval for the platforms to harvest users’ personal data across digital and non-digital channels, tracking users’ actions and behaviors well beyond the platform itself. Yet the data ecosystem continues to grow.
In May, we saw the enforcement of the EU’s much-anticipated General Data Protection Regulation (GDPR), which aims to give the control of user data back to the user. The regulation requires companies to secure explicit permission prior to collecting data and to specify the intent of the data collection. For now, the GDPR is applicable within the EU and involves three key elements:
- Active individual consent is required before any personally identifiable information is collected.
- There must be clear agreement on what data is being collected and how the organization will be using the data.
- Users can, at any time, withdraw consent. They also can require organizations to forgo the relationship and ask for the removal of all collected data.
Reactive data protection regulation as a response to technology advancement is nothing new. Back in the ’90s, there was the EU Data Protection Directive that focused on the protection and free movement of personal data, but it was phased out and replaced with the GDPR. These regulations are a reaction to the increasingly pervasive technology that can be used with malicious intent.
So what do pharma marketers need to know? The GDPR provisions are applicable when it comes to targeted marketing for EU residents but not for generic, broad-based marketing content. When EU consumers search for prescription drug information and come across content developed for U.S. consumers on a pharma company’s U.S.-hosted website, the GDPR doesn’t apply. However, if the pharma company’s website pursues EU consumers with relevant drug content, has a domain suffix for an EU country, provides EU language translations, or markets in the EU languages, then GDPR compliance is required.
The problems presented by the unintended technological consequences will have to be addressed by technology-enabled processes that offer better data protection, segregated access, search, retrieval, data portability, suppressions and deletion and, lastly, transparency through traceability and lineage. Organizations will have to invest in intelligent data management platforms and specialized roles such as dedicated data controllers, general counselors and chief information security officers. They also will need to implement adequate protection controls for what data is collected, along with the purpose and usage.
Organizations are challenged by the fact that customer identifiable data lies scattered across multiple data systems with both internal and external partners (marketing agencies, digital media partners, etc.), which makes governance difficult. Organizations need to implement robust data stewardship and governance programs with the required data protection frameworks that govern first-, second- and third-party data handling and processing since they are highly vulnerable to data breaches. Such measures will help organizations to not only ensure compliance but also be better prepared to respond to consumers in the unlikely event of a data breach.
Overall, the GDPR presents an opportunity to transform data security, privacy and data management efforts, and can result in new data-led business models. It has the potential to act as a catalyst for organizations to enable a stronger digital strategy, improve data efficiency with better data management, and elevate customer relationships and experience. And as a bonus on the consumer side, we should eventually see a drop in those unsolicited emails, calls and ads that have been creating a large amount of digital clutter.