GDPR for Content Design, Development, and Deployment


This article originally appeared in EContent Magazine on August 13, 2018.


Earlier this year, the European Union’s (EU) General Data Protection Regulation (GDPR) went into effect, and it ripples far beyond the borders of Europe. Although the U.S. has traditionally had a much looser culture of privacy regulation than Europe, the protections afforded its European counterparts through the GDPR might be welcome to many American consumers right about now.




The new regulation—designed to ensure digital privacy and data minimization for European consumers—rolled out during the same spring that Facebook CEO Mark Zuckerberg testified to Congress about his company’s mishandling of personal data. It’s also a year when clear evidence pointed to Russian bots leveraging ill-gotten personal information for nefarious purposes during the 2016 U.S. presidential election.


And although abiding by the GDPR certainly places digital-centric organizations under pressure to wrangle, document, and manage their data flow with transparency and precision, it also makes the penalties for not doing so prohibitively expensive. And GDPR contains a valuable, and timely, kernel of opportunity. Rahel Anne Bailie, chief knowledge officer for Scroll, which provides content designers and content strategists for digital projects, characterizes it this way: “GDPR represents a chance to take the ocean of data and make it into a lake or make the lake into a pond.”


For content creators who leverage the regulatory requirements of the GDPR to refine their customer data-gathering processes and create—or rebuild—trust that such data will be used only to the customer’s benefit, the byproduct should be more satisfied, more trusting, and more engaged customers. And that’s a worthy goal on either side of the Atlantic.


Recap of the GDPR

First, a quick recap of what the GDPR does, as of its start on May 25, 2018. It makes consent explicit, which means that a customer must opt in to share any personal information (PI) before a company can store it. It expands the definition of PI far beyond the traditional name, address, and birthday, encompassing a user’s location (including IP address), health, genetic data (including biometric data), and sexual orientation, race, ethnicity, religious beliefs, or political opinions.

The GDPR stipulates that, regarding such information, companies can only collect what they absolutely need in order to conduct their business. The guiding principle of data minimization says that companies can’t collect “just in case” data anymore in the hopes that they may be able to use it at a future date. Consumers have much more control over their own data, thanks to the GDPR. They now have the right to ask a company to show them exactly what data it has collected and stores about them. Consumers can also request that the company flush that data—with the “right to be forgotten.”


The GDPR casts a wide net; contrary to what many seem to believe, it’s not just aimed at organizations based in Europe. Any company—wherever it is headquartered—that collects, stores, and/or processes PI for European consumers is subject to the GDPR. Companies have been scrambling to catch up; a rather bleak 2015 survey from Ovum found that 63% of U.S. businesses expected the GDPR to make it harder for them to compete, while 70% felt that the GDPR would throw the competitive advantage to EU businesses.


Alex Calic, chief strategy and revenue officer for The Media Trust, which provides transparency and ad verification solutions in the online and mobile advertising ecosystem, says that if May 25 came and went without your organization getting its GDPR house in order, “then if the EU comes knocking, you need to at least show that you’re getting your arms around compliance and are on a path toward it.” Because the last important fact about the GDPR is that it has teeth. According to the regulation, companies that fall short of full compliance can be fined up to 4% of annual global turnover or €20 million (about $24 million)—whichever is higher.


Why Should Content Creators Care About the GDPR?

But isn’t the GDPR all about data security? It’s not up to content creators to know what back-end data is being stored by an organization, right? Wrong. That might have been true 10 years ago, but content supply and value chains are more integrated than ever in the digital age.

Tim Walters, principal strategist and privacy lead for The Content Advisory, which helps companies evolve their use of content-driven experiences to build audiences, says, “Only three of the 99 articles in the GDPR relate to data security, and you could argue that really only one—number 32—does.” (Insert your own “99 Problems and Data Security Is Only One” joke here.) Walters says that while security has garnered the vast majority of attention and funding around institutional GDPR efforts, “It’s really about putting people in control of their personal data.”


That would be the personal data that content creators rely on to develop personalized content to engage audiences, to target specific offers to specific users, or to make broad strategic decisions about editorial direction. So yes, the GDPR matters to content creators who hope to serve customers better in an environment in which customers will likely share fewer of the exact datapoints that could allow a content creator to design, develop, and deploy the right message at the right time.


Walters describes the paradox. “It’s a vicious circle,” he says. “Customers want relevance and personalized experiences and will punish brands that don’t provide them. And yet, we’re dramatically more anxious, worried, and informed about what’s happening to our data. We’re reluctant to share the personal data brands need to provide that hyper-personalized experience.” How to resolve the conflict that is present for consumers regardless of which part of the world they live in? By gaining back the consumers’ trust that your organization will treat their data carefully. Luckily, the EU has provided a 99-point plan for doing just that.


From Obligation to Opportunity


“GDPR is a really good opportunity to deep clean under the sofa and get rid of all the dust bunnies,” says Bailie. It’s a chance to take all the varied “data pockets,” as Bailie calls them—the customer view that marketing holds, the slightly different lens through which accounting views the same customer, and the one that the content team has cobbled together—to create a single, integrated, and accurate view, with only as much data as the customer feels comfortable sharing. “What if you had a ‘single source of truth’ about your customer?” asks Bailie. “You could serve the customer better and create better engagement.”


No one believes that will be easy, of course. Bailie says that for Scroll, as for most other GDPR-compliant organizations, the path to doing it right involves “tortured conversation.” She says, “We had to have long, earnest discussions—do we delete client data after a year? Store and encrypt it?” She emphasizes that the goal has to be doing it right—“not just ‘what’s the minimum we need to do to slide by.’ You have to take a longer view.”


But the outcome of those arduous discussions and resulting decisions can be higher-quality data and a single unified vision of each customer, shared within the organization. Done properly, perhaps the more important outcome of a thoughtful GDPR implementation is the customer’s belief that your company takes his or her privacy concerns seriously and is a worthwhile steward of that data. Or as Bailie puts it, “You can be the company that stops annoying customers!”


Building Trust, Step by Step


Increased trust should, over time, encourage customers to share more PI, as long as they see the demonstrated benefits of doing so. Walters says, “The key thing in building trust is delivering concrete benefits” when a user does share information. “Saying something like ‘improving your service’ is too vague. It has to be something tangible.” For instance, telling customers that by providing their gender and age, they’ll receive customized offers for discounts and promotions is an example of a clear exchange that satisfies GDPR opt-in requirements. (Of course, relevant customized offers better follow in short order.)


Asking for the kitchen sink of personal data up front isn’t the way to go; just like in a personal relationship, a stepwise approach to building trust is more likely to succeed. “A company could start with, ‘May I have your email to send you the weekly newsletter?’” says Walters. “If I respond to the newsletter, then ask for the next thing, like details about demographic information in order to share appropriate offers.” A response to one of those offers could trigger a request for the next piece of information that relates to a tangible benefit—perhaps sharing a geographic location might lead to an invitation to a nearby event or an in-store-only special.


Bailie agrees that the messaging around the GDPR is critical and that content creators will play a key role in making it transparent and palatable to consumers. “It’s a challenge to companies to think about what content actually means. It’s not just about the content we serve up to customers, but also includes the language in disclaimers, compliance statements, and even internal communications.”


Working within a GDPR-compliant system can build trust internally, as well, by mitigating risk for content teams. “As a content creator, you want to know that your workflow and governance are GDPR-compliant, because it protects you,” says Bailie. She cites the example of a government agency whose pre-GDPR CMS often led to drafts rather than final versions being published on a public-facing website, resulting in repeated retractions. Good GDPR design takes workflow and governance into account.


Audience Shrinking? Try Refinement.


Of course, the elephant in the room with the GDPR is this: Its implementation means that businesses will probably lose online customers. While some companies may make the dramatic choice to stop competing in European markets altogether rather than expend the resources to comply with the GDPR, it’s more likely the reduction will follow when opt-out data-sharing changes to opt-in, requiring a deliberate decision on the part of customers to stay engaged.


Does it matter? Bailie says no. “If you shrink your audience to those who actually read what you send out, I would call that refinement more than shrinkage.” If you think of the newsletters to which you subscribe but never read and how your only engagement with them is to delete them, unread, from your email inbox—it’s a fair point. But as the GDPR impacts roll out across the digital content landscape, metrics should change as well. If audience numbers drop, perhaps focus needs to shift to levels of audience engagement as a better measure of their value.


There’s an argument to be made that global companies should design systems that honor the GDPR requirements for the consumers that it covers, but continue their broader data collection and usage activities for the rest of the world. Think of it as a Balkanization of privacy. “Regulation benefits the bigs,” says Calic, noting that companies with sufficient resources can customize their approach to data collection by market. “Companies with more limited resources will probably go by the strictest rules.”


Walters refers to it as the “Californication of data governance,” alluding to the transitional period in American car manufacturing in which automakers created one car that would pass California’s stricter pollution standards, and a “49 state car” for the rest of the country. “Now they all just sell the California car everywhere,” he points out, “and that’s my advice. It’s costly and inefficient to maintain two separate systems. And putting people in control of their data is the right thing to do.”


The GDPR is just one regulation for global content creators to keep in mind. From the Hong Kong Personal Data Ordinance, to HIPAA, to FERPA, and beyond, the trend toward increased regulation to prevent misuse of personal data—and outspoken consumer demand for it in places where regulations lag—is a worldwide wave.


And in the end, the GDPR’s tenets of data privacy and data minimization are sound content design and delivery philosophies. “GDPR is a benefit because it forces content creators and advertisers to behave in a manner that benefits the consumers,” says Calic. “You’ll work harder, but you’ll have more loyal, engaged customers as a result.”