May 25, 2019 marks the one year anniversary of the implementation of GDPR: the European Union’s General Data Protection Regulation, a sweeping set of data privacy laws replacing a patchwork of regulations from individual European countries.

GDPR has been a hot topic for anyone involved with data who does business in Europe, and the entire industry has been watching its rollout with interest. So where do things stand one year down the road? Here are some trends we’ve been seeing in the press:

One quick win: breach notification. There is a clear consensus among industry observers that the volume of breach notifications was the single biggest immediate change following the implementation of GDPR.

In the aftermath of clear, EU-wide regulations for self-reporting data privacy breaches, such notifications have increased substantially over the past year, with nearly 60,000 breaches reported in the EU over the first eight months of GDPR. Speaking in a recent Slate article, the UK’s Steven Eckersley notes that in his country alone breach notifications are predicted to nearly double from 18-20,000 in 2018 to around 36,000 in 2019.

Compliance – and enforcement – have ramped up slowly. One of the biggest storylines of 2018 in the data industry was how companies struggled to meet this law’s compliance deadlines. 2019 finds these efforts still ramping up: at a recent meeting of the International Association of Privacy Professionals, it was estimated that 50% of covered firms are still in the process of GDPR compliance, a process that may continue for a couple of more years overall.

GDPR was also noted for its potential to levy stiff penalties on companies that did not protect consumer data, ranging up to 4% of annual turnover. However, enforcement efforts have proceeded cautiously to date. Of the roughly 56 million Euros in fines levied against firms for GDPR violations over its first nine months, nearly 90% of this sum was a single 50 million Euro fine against Google, with a majority of fines to date being small ones. However, some analysts expect enforcement efforts towards small- and medium-sized firms to increase in the future.

GDPR is part of a movement. Perhaps the biggest impact of GDPR over the past year lies outside the EU, where new data privacy laws influenced by GDPR are now being proposed in numerous countries worldwide. Here in the United States, new data privacy requirements are coming online in California in 2020, and US Senator Marco Rubio has recently proposed a federal data privacy standard similar to GDPR – and according to DestinationCRM, the latter may in fact be a welcome development for firms compared with the potential need for managing disparate state mandates.

Beyond compliance and enforcement issues, many analysts continue to feel that data privacy initiatives such as GDPR are also fundamentally changing the dialogue between businesses and their customers, creating relationships that are built more on trust and transparency. A year into the implementation of GDPR, it is still a very exciting time to be in the data quality business.

How we can help

If you do business in Europe – or have customers there – GDPR affects you too. In particular, you need to know what countries each of your customers or prospects are based in, to get started with your own compliance efforts.

Visit our GDPR solutions page for an informative solutions sheet and whitepaper report on GDPR compliance, together with details on capabilities such as our DOTS Address Detective – International product – a real-time service that employs fuzzy logic to correct or append country information for compliance purposes. Want to learn more? Contact our friendly technical team to discuss your specific GDPR compliance needs.

In most areas of life, negative motivation alone will not create good results. (If you don’t believe me, ask your employees, or your teenage children – or take a look at what research has to say.) When it comes to data privacy, recent studies show very similar outcomes.

Take the European Union’s strict new GDPR data privacy regulations, which went into effect in the spring of 2018. It featured some of the stiffest penalties to date, with potential fines up to the higher of €20 million or 4% of global annual turnover. But even in the face of this kind of financial risk, at least one survey, one month before the implementation deadline, showed that only 40% of companies expected to be ready for GDPR – and only 7% were actually ready.

Benefits of Investing in Data Privacy

Figures like these are all the more interesting in light of a recent benchmarking study from Cisco that shows that businesses actually gain substantial benefits from making investments in data privacy. The report quotes Peter Lefkowitz, the 2018 Board Chairman of the International Association of Privacy Professionals (IAPP), as saying, “This research provides evidence for something Privacy professionals have long understood – that organizations are benefitting from their privacy investments beyond compliance.”

So what are the benefits of a good data privacy policy? Here are the key ones found in Cisco’s 2019 survey of over 3200 data professionals in 18 countries:

Fewer data breaches. Among companies that were ready for GDPR, 74% experienced data breaches versus 89% for those companies that were least ready.

Less impact from data breaches. GDPR-ready companies who subsequently experienced data breaches had less than half the number of records affected versus the least-ready companies. They also experienced roughly a third-less downtime as a result of these breaches, and only 37% experienced losses in excess of US $500,000 versus 64% of the least-ready.

A shorter sales cycle. Because customers expect businesses to address their own privacy concerns nowadays, respondents experienced an average sales delay of 3-9 weeks, with 87% of businesses reporting delays in selling to existing customers or prospects.

Greater customer goodwill. According to Peter Lefkowitz, this study demonstrated that strong privacy compliance “increases customer trust.”

Despite these benefits, some companies are still struggling to catch up with GDPR compliance: 37% of affected companies were still not fully ready at the time of the survey, with 9% being more than a year away. But this survey also showed substantial evidence of other good habits of data governance. For example, over a third had a relatively complete catalog of their data assets, nearly a third had a formal chief data officer, and 40% felt they were “effective in connecting different data assets together to create more value for our customers and ourselves.” These habits, in turn, appear to translate to competitive advantage and tangible bottom-line benefits.

So when it comes to data privacy, it looks like psychologists had it right all along: carrots work much better than sticks. So start looking into the many benefits of better data privacy policies in your own organization, sell these goals to your stakeholders, and then use them as a base for your own organization’s efforts. And remember, when it comes to the automated data quality tools to help make these policies work, we’re always happy to discuss your options: contact us anytime.

If you do outbound marketing via telecommunications, the Telephone Consumer Protection Act (TCPA) has probably been part of your business agenda – particularly in recent years, as stiffer interpretations of these consumer privacy laws have led to multi-million-dollar judgments against major corporations and others. So what lies ahead for businesses in the next 12 months in terms of TCPA?

The short answer is twofold: in an era of increasing consumer privacy, TCPA isn’t going away any time soon – but as efforts to ease its impact on businesses are making their way through the courts, there is hope for less risk and more leeway in meeting the requirements of TCPA. We will continue to monitor these developments closely, as a key provider of tools for TCPA compliance, but here is a summary of what we are seeing so far.

Three key issues: equipment, consent, and third parties

In a recent video interview with text messaging vendor Tatango, TCPA attorney Ernesto Mendieta highlighted three key issues that are currently the subject of court cases:

• the definition of automated telephone dialing systems (ATDS)
• revocation of consent
• the definition of co-parties.

The ATDS issue is particularly important for many businesses. TCPA prohibits unsolicited calls made via automated dialing equipment; however, a much broader definition of ATDS introduced in 2015 included equipment that could store and dial numbers without human intervention, even if these capabilities were not used. This expanded definition was struck down by an appeals court in 2018, with new FCC guidelines expected in 2019. According to law firm Eversheds Sutherland LLP, businesses are hopeful that these new guidelines will provide a much clearer standard for these devices.

Another key issue for TCPA litigation revolved around whether consumers can revoke consent for contact via ATDS if they have previously agreed to such contact under the terms of a contract. Recent legal cases have tended to rule in favor of businesses, deciding that such contracts override a consumer’s right to revoke this permission, however, case law is not unanimous and further cases are expected to shed more light on this issue in 2019.

Finally, recent court decisions such as this one involving Taco Bell point to more clear boundaries about whether businesses are liable for TCPA violations on the part of third parties promoting their products or services. Here as well, case law is expected to evolve further in 2019.

In general, many of these legal efforts spring from a backlash from businesses affected by recent stiffer interpretations of TCPA, and its fallout in terms of penalties. For example, the National Association of Federally Insured Credit Unions (NAFCU) is publicly urging the FCC to reform TCPA to “separate bad actors who are harassing consumers with unwanted and potentially harmful robocalls from good actors like credit unions contacting their members with valuable information on their existing accounts.”

A new safe harbor for changed numbers

One other major change on tap for 2019 is a new way that businesses can protect themselves against inadvertent marketing calls or texts to numbers that have changed hands. In December 2018 the FCC issued an order calling for the creation of a national database of reassigned phone numbers, for the purpose of reducing unwanted contacts to consumers with these numbers. To encourage its use by businesses, this ruling also includes a TCPA safe-harbor provision for calls to reassigned numbers when the most recent version of this database is checked first.

It is important to note that this new database will not remove the need for good contact data hygiene, particularly the verification of contact phone numbers. Contacting a bad or mistyped number can still open businesses to liability. Given the high percentage of numbers that do change each year, it is still important for the sake of data integrity to verify contact numbers both at intake and before a campaign, using tools such as Service Objects’ DOTS GeoPhone Plus 2 service. However, this new database can help mitigate what has often been a common source of liability.

Summing it all up

The essential purpose of TCPA remains unchanged: businesses still can’t spam consumers via automated telecommunications, particularly wireless devices, without their explicit permission. But there is hope for well-intentioned businesses in 2019, with prospects ranging from clearer legal requirements to better tools and safe harbor provisions for inadvertent marketing contact.

Here at Service Objects, we will continue to keep abreast of how TCPA and its enforcement continues to evolve in 2019. In the meantime, we are always happy to consult with your business to help you find cost-effective solutions for TCPA compliance – contact us anytime.

If you do business with customers in Canada, an important new privacy law has taken effect as of November 2018: The Personal Information Protection and Electronic Documents Act (PIPEDA). People are already starting to refer to PIPEDA as Canada’s version of GDPR, the sweeping privacy regulations implemented in May 2018 by the European Union.

There are some common denominators between PIPEDA and GDPR. Both mandate acquiring explicit customer permission for the use of personal information, as well as disclosure of how this information will be used. Both also require breach notification in cases where personal information has been compromised: in Canada’s case, notification must be made to that country’s Privacy Commissioner a well as to affected parties. Other common threads include requirements to maintain accurate and secure data, giving individuals access to their own data, and the need for a formal compliance officer.

Getting started with PIPEDA

The Canadian government has published a downloadable guide to help organizations understand and become compliant with the new PIPEDA law, entitled Privacy Toolkit: A Guide for Businesses And Organizations. It provides an overview of the law and its principles, together with descriptions of its complaint handling procedures and audit provisions.

PIPEDA compliance revolves around ten principles that businesses must follow:

1. Accountability. Comply with these principles, appoint an individual responsible for compliance, protect information handled by you and third parties, and develop policies and practices for personal information.

2. Identifying purposes. Document and inform individuals why information is being collected, before or at the time it is collected.

3. Valid, informed consent. Specify what information is being collected, used or disclosed along with its purpose, and obtain explicit consent – before collection, and again if a new use of their personal information is identified.

4. Limiting collection. Do not collect personal information indiscriminately, or deceive or mislead individuals about the reasons for collecting personal information.

5. Limiting use, disclosure, and retention. Use or disclose personal information only for the purpose for which it was collected or consented to, keep personal information only as long as necessary, and have policies for the retention and destruction of information that is no longer required.

6. Accuracy. Minimize the possibility of using incorrect information when making a decision about a person or when disclosing information to third parties.

7. Safeguards. Protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.

8. Openness. Inform customers, clients and employees that you have policies and practices for the management of personal information, and make them understandable and easily available.

9. Individual access. Provide individuals with access to their personal information on file with you, along with how and to whom it has been disclosed, as well as the ability to correct or amend this information.

10. Challenging compliance. Develop simple and easily accessible complaint procedures, inform complainants of their avenues of recourse, investigate all complaints received, and take appropriate measures to correct information handling practices and policies.

Some important distinctions

While the goals of PIPEDA are very similar to those of other privacy regulations such as GDPR – and many of the same compliance strategies will apply to both markets – there are some key differences with Canada’s new regulations. Here are two of the more important ones:

A focus on mediation. Compared with other global privacy regulations, which often carry stiff financial penalties, PIPEDA is designed to enforce privacy laws through mediation where possible. However, this does not mean that the law is without teeth: both complainants and Canada’s Privacy Commissioner can apply for a Federal Court hearing and potential damage awards. In addition, specific violations such as intentional destruction of requested personal information or whistleblower retaliation may be prosecuted as offenses.

Limits on scope for employee data. Unlike GDPR, the PIPEDA law’s application to employee data only applies to federally regulated entities such as banks, airlines and shipping companies (although some provinces have stricter provincial privacy laws). For consumer data, however, PIPEDA applies to personal data from all Canadians.

Knowing the location of customers is key to PIPEDA compliance

Contact data quality is no longer an option when dealing with the Canadian market. Service Objects has been at the forefront of helping firms with their compliance efforts for data privacy regulations, including flagging the geographic location of customers and prospects, which is key to getting started with any compliance effort.

Contact us for more information about how our data quality solutions can help your business.

Labor Day is much more than the traditional end of summer in America: it pays tribute to the efforts of working people. It dates back well over a century, with one labor leader in the 1800s describing it as a day to honor those “who from rude nature have delved and carved all the grandeur we behold.” And we aren’t forgetting our friends in Europe and elsewhere, who celebrate workers as well with holidays such as May Day.

As we celebrate work and the labor movement – and enjoy a long holiday weekend – we wanted to take a look at some of the ways that we help you save labor, as you try to carve grandeur from your organization’s data. Here are some of the more important ones:

Validation and more. Let’s start with the big one. For nearly two decades, the main purpose of our existence has been to take the human effort out of cleaning, validating, appending, and rating the quality of your contact and lead data. Whether your needs involve marketing, customer service, compliance or fraud prevention, these tools save labor in two ways: first, by saving you and your organization from re-inventing the wheel or doing manual verification, and second, by saving you from the substantial human costs of bad data.

Ease of integration. What is the single worst data quality solution? The one that gets implemented badly, or not at all. One of the biggest things our customers praise us for is how easy it is to implement our tools, to work almost invisibly in their environment. We offer everything from API integration and web hooks with common platforms, all the way to programming-free batch interfaces for smaller or simpler environments – backed by clear documentation, free trial licenses and expert support.

Speed and reliability. As one customer put it, “milliseconds matter” – particularly in real-time applications where, for example, you are validating customer contact data as they are in the process of entering it. Our APIs are built for speed and reliability, with a longstanding 99.999% uptime and multiple failover servers, as well as sub-second response times for many services – so you don’t waste time tearing your hair out or troubleshooting responsiveness issues.

Better analytics. Your contact data is a business asset – put it to work as a tool to gain business insight for faster, more informed decision-making and market targeting. You can target leads by demographics or geocoding, enhance your leads with missing phone or contact information, or leverage your customer base for better decision support, among many other applications.

Customer support. We recently interviewed a major longtime customer about using our products, and when we asked them about support they gave us the highest compliment of all: “We never need to call you!” But those who do call know that our best-in-class support, staffed by caring, knowledgeable experts who are available 24/7/365, represents a large savings of time and effort for our clients.

We hope you enjoy this Labor Day holiday. And when you get back, contact one of our product experts for a friendly, pressure-free discussion about how we can create less labor for you and your organization!

 

The golden rule of marketing has always been, “know your customer.” In today’s regulatory environment, however, it might be more accurate to say, “know your customer – or else!” Nowadays customer data – particularly in areas such as geocoding and demographic data – are often central to maintaining compliance with a wide range of regulations, in the financial world and elsewhere.

In response to this, Service Objects has just released a powerful new capability to help automate the gathering and analysis of geolocated consumer data: Address Insight – US. It provides address standardization, address geocoding and demographic information together in one real-time service, and is designed to serve a wide range of applications ranging from compliance to targeted marketing.

Examples of financial compliance issues

Let’s look at some of the areas where address insight can benefit your compliance efforts:

• The Community Reinvestment Act (CRA) requires federally insured lending institutions to provide lending opportunities to low-to-moderate income communities – and in particular, prove that they are not “redlining” specific neighborhoods and denying them credit. One of the key performance criteria for evaluating CRA compliance is your geographic distribution of loans.
• The Home Mortgage Disclosure Act (HMDA), enacted by Congress in 1975, requires lenders to publicly disclose data regarding their mortgage lending activities. While this is a disclosure law with no implied quotas, HMDA also serves to ensure that lenders do not contribute to the decline of specific geographic areas by failing to provide adequate mortgage financing.
• For consumer lending in general, the Federal Financial Institutions Examination Council (FFIEC) has a set of Fair Lending Examination Procedures used to audit lenders for evidence of lending discrimination. These reviews include an analysis of geographic patterns in lending to seek evidence of “redlining” or neighborhood-based discrimination.
• Conversely, certain real estate transactions may be subject to Geographic Targeting Orders (GTO), which are enhanced identification and record-keeping requirements imposed by the Federal Financial Crimes Enforcement Network for expensive real estate transactions in areas that are prone to money laundering activities. For example, as of 2017 transactions of $3 million or more in Manhattan or $1 million or more in parts of Florida were subject to GTOs, along with numerous other metropolitan areas.

A solution for compliance and beyond

Of course, there are numerous applications beyond compliance for geocoded address insight. For example, academic researchers can use address insight to study specific neighborhoods – for example, the University of Chicago divides the city of Chicago into 75 defined communities that correlate with tract information, and can be used as study variables. And of course, the combination of location insight and demographic data can be a very powerful tool for market targeting.

For compliance applications, Service Objects’ Address Insight – US provides data such as MSA code, state code, county code (FIPS), and tract number for addresses for FFIEC compliance. It also includes all the benefits of Service Objects’ flagship address validation and standardization capabilities, as well as appended demographic information such as household values and incomes by ZIP code.

As with all Service Objects services, Address Insight – US is available through APIs that can be interfaced directly to most contact data automation platforms, as well as convenient batch list processing for smaller applications or specific datasets. Contact us for a free 500-transaction trial key, and see what this new tool can do for you!

What is location intelligence, or LI for short? According to geomarketing firm Carto, it is the process of transforming location data into business outcomes. Today LI has become a very hot field, with projected revenues of over US $16 billion by 2021.

You probably use location intelligence in your business already, perhaps without even knowing it. If you sell to specific geographic markets, have seasonal variations in your sales patterns, or market to a targeted demographic, location data is probably part of your marketing mix. This is how we avoid pitching winter coats to people in Hawaii, or selling farming tools on Wall Street. But its applications now go far beyond marketing, into nearly every aspect of modern commerce.

How Location Intelligence works

Today’s LI works by marrying the benefits of geocoding and big data. It turns address data into exact latitude and longitude coordinates that frame information such as its census tract and usage, which in turn can be linked with associated data such as demographics, zoning, or spending patterns.

In much the same way that CRM provides you with a wealth of customer-based insight, LI can add the power of this accumulated location-based data to your business decisions. Here are some examples:

Compliance: Geospatial data can form an integral part of documenting compliance with regulations targeted at specific demographics or geographic areas. For example, the banking industry’s Community Reinvestment Act (CRA) and Equal Credit Opportunity Act (ECOA) requires lenders to support the needs of lower and middle-income borrowers as well as avoid discriminatory lending practices. And in another example, one of New York State’s largest cable providers was recently ordered to leave the state over charges of breaking commitments to roll out broadband services to rural areas.

Fraud prevention: Your bank receives a loan application from a new customer with a swanky business park address – which actually turns out to be an abandoned industrial area. Or the loan proceeds are being spent in areas of high drug trafficking or known financial crime. According to fintech expert Kenneth Goodwin, these are just two examples of how location intelligence can prevent or investigate financial fraud.

Targeted marketing: Once upon a time, companies decided where to place a billboard based on counting how many cars drove by. Today, according to ESRI’s Marianna Kantor, the out-of-home (OOH) advertising market – encompassing everything from news kiosks to municipal buses – can tap into a rich array of anonymized financial and demographic data, fed by everything from GPS data to smartphone use. At a broader level, location intelligence promises to vastly improve the granularity with which marketers can target their efforts using any channel.

Location-based offers: Suppose you walk into a ballpark, and a text message pops up on your phone offering discounts on a seat upgrade or in-game video highlights. This isn’t science fiction: it’s happening today with real-time applications such as Major League Baseball’s Ballpark smartphone app, which links ticket purchases and geospatial data to customize the live baseball experience. In the future, the potential to customize location-based customer experiences is nearly unlimited.

Putting Location Intelligence at your fingertips

Want to quickly add the power of location intelligence to your contact data processing? Service Objects offers capabilities such as Address Geocoding, which turns US or Canadian addresses into geolocation coordinates and associated data including census tract, county and block codes, and proximity to water, as well as our GeoPhone and GeoPhone Plus services that work from your telephone contact data. Use them as standalone services, or link them with other address-based data tools such as block-level demographics for a broader picture.

Any of these tools can be integrated directly into your marketing or CRM platform via a real-time API, or via a convenient batch interface for smaller applications. And you can try them out for free right now on our website, with no registration required.