Posts Tagged ‘Data Protection’

Canada’s New PIPEDA Law: What It Means for You

If you do business with customers in Canada, an important new privacy law has taken effect as of November 2018: The Personal Information Protection and Electronic Documents Act (PIPEDA). People are already starting to refer to PIPEDA as Canada’s version of GDPR, the sweeping privacy regulations implemented in May 2018 by the European Union.

There are some common denominators between PIPEDA and GDPR. Both mandate acquiring explicit customer permission for the use of personal information, as well as disclosure of how this information will be used. Both also require breach notification in cases where personal information has been compromised: in Canada’s case, notification must be made to that country’s Privacy Commissioner as well as to affected parties. Other common threads include requirements to maintain accurate and secure data, giving individuals access to their own data, and the need for a formal compliance officer.

Getting started with PIPEDA

The Canadian government has published a downloadable guide to help organizations understand and become compliant with the new PIPEDA law, entitled Privacy Toolkit: A Guide for Businesses And Organizations. It provides an overview of the law and its principles, together with descriptions of its complaint handling procedures and audit provisions.

PIPEDA compliance revolves around ten principles that businesses must follow:

1. Accountability. Comply with these principles, appoint an individual responsible for compliance, protect information handled by you and third parties, and develop policies and practices for personal information.

2. Identifying purposes. Document and inform individuals why information is being collected, before or at the time it is collected.

3. Valid, informed consent. Specify what information is being collected, used or disclosed along with its purpose, and obtain explicit consent – before collection, and again if a new use of their personal information is identified.

4. Limiting collection. Do not collect personal information indiscriminately, or deceive or mislead individuals about the reasons for collecting personal information.

5. Limiting use, disclosure, and retention. Use or disclose personal information only for the purpose for which it was collected or consented to, keep personal information only as long as necessary, and have policies for the retention and destruction of information that is no longer required.

6. Accuracy. Minimize the possibility of using incorrect information when making a decision about a person or when disclosing information to third parties.

7. Safeguards. Protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.

8. Openness. Inform customers, clients and employees that you have policies and practices for the management of personal information, and make them understandable and easily available.

9. Individual access. Provide individuals with access to their personal information on file with you, along with how and to whom it has been disclosed, as well as the ability to correct or amend this information.

10. Challenging compliance. Develop simple and easily accessible complaint procedures, inform complainants of their avenues of recourse, investigate all complaints received, and take appropriate measures to correct information handling practices and policies.

Some important distinctions

While the goals of PIPEDA are very similar to those of other privacy regulations such as GDPR – and many of the same compliance strategies will apply to both markets – there are some key differences with Canada’s new regulations. Here are two of the more important ones:

A focus on mediation. Compared with other global privacy regulations, which often carry stiff financial penalties, PIPEDA is designed to enforce privacy laws through mediation where possible. However, this does not mean that the law is without teeth: both complainants and Canada’s Privacy Commissioner can apply for a Federal Court hearing and potential damage awards. In addition, specific violations such as intentional destruction of requested personal information or whistleblower retaliation may be prosecuted as offenses.

Limits on scope for employee data. Unlike GDPR, PIPEDA applies to employee data only for federally regulated entities such as banks, airlines and shipping companies (although some provinces have stricter provincial privacy laws). For consumer data, however, PIPEDA applies to personal data from all Canadians.

Knowing the location of customers is key to PIPEDA compliance

Contact data quality is no longer an option when dealing with the Canadian market. Service Objects has been at the forefront of helping firms with their compliance efforts for data privacy regulations, including flagging the geographic location of customers and prospects, which is key to getting started with any compliance effort.

Contact us for more information about how our data quality solutions can help your business.

Marketing Strategies for the New Digital Privacy Era

In a world of big data, information for sale, and people oversharing on social media, this past decade has lulled many marketers into believing in a post-privacy era of virtually unfettered access to consumer and prospect data.

Even consumers themselves share this perception: according to an Accenture survey, 80% of consumers between the ages of 20 and 40 feel that total digital privacy is a thing of the past. But today this Wild West scenario is becoming increasingly regulated, with growing constraints on the acquisition and use of people’s personal data. Directives such as the European Union’s GDPR and ePrivacy regulations, along with other initiatives around the globe, are ushering in a new landscape of privacy protections.

Much has been written about how to comply with these new regulations and avoid penalties, on this blog and elsewhere. But this new environment is also a marketing opportunity for savvy organizations. Here, we examine some specific ways you can position yourself to grow in a changing world of privacy.

Leverage Data Quality With These Five Key Marketing Strategies

Be transparent. In their 2018 State of the Connected Customer survey, Salesforce.com found that 86% of customers would be more likely to trust companies with their information if they explain how it will provide them with a better experience.

Offer value. The Accenture survey mentioned above notes that over 60% of customers feel that getting relevant offers is more important than keeping their online activity private, with nearly half saying that they would not mind companies tracking their buying behavior if this led to more relevant offers.

Give customers what they want. According to European CRM firm SuperOffice, the post-GDPR world represents an opportunity to create segmented customer lists, through techniques such as separate website pop-ups for different areas of interest and content marketing via social media.

Look at the entire customer life cycle. Many firms offer a one-time free incentive, such as a report or webinar, in exchange for contact data and marketing permission. However, this can lead to fraudulent information being offered to get the goodie (we can help with that), or even a real but never-checked “wastebasket” email address. Instead, consider offering a regular stream of high-value information that keeps customers connected with your brand.

Change your perspective. This is perhaps the most important strategy of all: start looking at your customers as partners instead of prospects. Recent regulations are, at their root, a response to interruptive marketing strategies that revolve around bugging the many to sell to the few. Instead, focus on cultivating high-value client relationships with people who want products and services you offer.

More Consumer Privacy Can be a Good Thing

Whether businesses are ready or not, they are increasingly facing a world of marketing to smaller prospect lists of people who choose to hear from them for specific purposes, starting with Europe and spreading elsewhere. But this can be a good thing, and indeed a market opportunity. By changing your selling focus from a numbers game to one of deeper and mutually beneficial customer relationships, you can potentially gain more loyal customers and lower marketing expenses. In the process, this new era of consumer privacy could possibly end up being one of the best things that happen to your business.

Protecting your customers’ privacy and creating a mutually beneficial relationship starts with having the most genuine, accurate and up-to-date data for your contacts.  Download our white paper, Marketing with Bad Contact Data, to learn more about how quickly customer data ages and the impact on your business.

The Growing and Changing Role of the Chief Data Officer

Once upon a time data was just … data. Today it has become a strategic asset for most organizations, underpinning areas such as market analysis, strategic planning, product targeting and segmentation, and much more. The Economist goes so far as to declare data the world’s most valuable resource, much like oil was a century ago. As a result, organizations are increasingly making its oversight part of their executive suites.

Among C-level executives, the Chief Data Officer (CDO) is still the new kid on the block. As recently as 2012 NewVantage Partners found that only 12% of Fortune 1000 firms surveyed had a formal CDO role, while today this figure has risen to over 63%. And by 2019 this figure is expected to rise to 90%, according to this article from Visual Capitalist.

The Chief Data Officer of 2018: Rapid growth and role confusion

Figures from Visual Capitalist paint a striking picture of how quickly the CDO role has grown in larger organizations:

  • The vast majority (83%) have a tenure of less than three years.
  • Their budgets have increased by 23% in 2017 alone.
  • Their numbers in large organizations have increased from 15 in 2010 to over 4000 in 2017.

On the other hand, like any new function where management roles are scrambling to catch up with technology, the exact functions of a CDO are still evolving. Here are some enlightening statistics from the latest NewVantage survey:

  • Change agent or company man? Respondents are split on this, with roughly one-third believing that the CDO should be a change agent from the outside, and another third feeling that he or she should be a company veteran and insider who understands the culture.
  • Only 39.4% of companies view the CDO as having primary responsibility for data strategy and results. The rest point to other executive functions for this, with 23.9% even acknowledging no single point of accountability.
  • Respondents are evenly split 50/50 on the question of whether a CDO should sit on a company’s executive committee, with 22.6% believing this person must be a data scientist or technologist, and half as many (11.3%) feeling this person must have business line experience in generating revenue.
  • There is still a very clear split on how people see a CDO’s responsibilities, between either developing a company’s data and analytics strategy (44.4%), coordinating data initiatives (26.7%), or leading them (20%). However, over 90% believe that the CDO should play a leadership role in these initiatives.

Looking to the longer term, while 12.9% of people feel that the CDO’s role should be temporary or even unnecessary, trends seem to indicate otherwise – particularly in Europe, where the recently-implemented General Data Protection Regulation (GDPR) mandates the creation of a formal Data Protection Officer for all public sector firms, as well as private ones with significant responsibility for handling large-scale private or sensitive consumer data. And this mandate is backed up with potential fines as high as €10 million or 2 per cent of annual turnover.

The future of the CDO: From data quality to revenue?

Perhaps the most interesting trend to watch from here might be whether CDOs become entrusted with more revenue responsibility. Currently only 2.2% see this as their primary responsibility, according to NewVantage CEO Randy Bean in Forbes. But analogous to how customer support has evolved from being the “complaint department” to becoming the strategic voice of the customer, particularly in the CRM era, we share a growing view that the strategic and revenue roles of managing data will continue to increase. Today’s CDO may focus on policies, procedures and data quality, while tomorrow’s may also be tasked with mining more profitability from these assets.

In the meantime, data has clearly found its way into the executive suite. Every indication so far is that it is here to stay. And for us at Service Objects, it has been a very exciting time indeed to be in the data quality business.

 

The EU-U.S. Privacy Shield Framework: What It Means for You

In previous blogs, we have talked about what you can do to comply with modern data privacy standards, such as the European Union’s GDPR regulations. Today, we’re going to share what we have done lately about meeting privacy standards – and how this will benefit you.

We are proud to announce that Service Objects has been jointly certified by the European Union and the U.S. Department of Commerce under the new EU-U.S. Privacy Shield Framework. We have aligned our own privacy policies to meet the requirements of this Framework, and recently achieved self-certification in the summer of 2018. In the process, we are now meeting the highest standards for the collection, use and retention of personal information for ALL of our clients worldwide.

Understanding the Privacy Shield Framework

So what is the Privacy Shield Framework? In a nutshell, it requires businesses to comply with EU data protection requirements when transferring personal data from the EU to the United States during transatlantic commerce. Here are some of its key principles:

Notice. This includes disclosure about what kinds of personal information are collected about individuals, the purposes for which it is collected and used, the identities of parties to whom information is being disclosed and why, the rights of the individual to access personal data you may hold on file, and access to an approved independent dispute resolution body for privacy complaints.

Choice. Individuals must be offered the choice to opt-out of data being disclosed to third parties or subsequently used for other than its original intended purpose. In the case of sensitive personal information, ranging from medical information to religious or political beliefs, affirmative express consent must be obtained prior to such use or disclosure.

Accountability for onward transfer. Data can only be transferred to third parties for limited and specified purposes, and only after ensuring that these third parties will provide the same level of privacy protection.

Security. Organizations must take reasonable and appropriate measures to protect data from issues such as loss, misuse, or unauthorized access or disclosure.

Data integrity. Steps must be taken to ensure that personal data is accurate, complete, current and reliable for its intended use.

Access. Individuals must have the ability to access their personal data and correct, amend or delete it where appropriate, except in cases where the costs or impact on the rights of others are prohibitive.

Recourse. A key principle of the Framework is access to approved third-party recourse mechanisms for complaints regarding data privacy issues, including binding arbitration on request.

So, what is the benefit of our participation in the Framework? These guidelines provide a level of security and safety for the data we collect about you, as well as data we process on your behalf. This is particularly important if you work with clients in the European Union, but also represents an important set of safeguards for the data of all of your clients. You can view our revised data privacy practices right here.

Data privacy has evolved quickly from being a lofty goal to having specific, measurable best practices in recent years. The EU-U.S. Privacy Shield Framework represents another step toward creating global standards and certifications in this area, and we are proud to be a part of it.

A New Data Privacy Challenge for Europe – and Beyond

New privacy regulations in Europe have recently become a very hot topic again within the business community. And no, we aren’t talking about the recent GDPR law.

A new privacy initiative, known as the ePrivacy Regulation, deals with electronic communications. Technically a revision to the EU’s existing ePrivacy Directive or “cookie law,” and pending review by the European Union’s member states, it could go into effect as early as this year. And according to the New York Times, it is facing strong opposition from many technology giants including Google, Facebook, Microsoft and others.

Data privacy meets the app generation

Among other things, the new ePrivacy Regulation requires explicit permission from consumers for applications to use tracking codes or collect data about their private communications, particularly through messaging services such as Skype, iMessage, games and dating apps.  Companies will have to disclose up front how they plan to use this personal data, and perhaps more importantly, must offer the same access to services whether permission is granted or not.

Ironically this new law will also remove the previous directive’s need for the incessant “cookie notices” consumers now receive, by using browser tracking settings, while tightening the use of private data. This will be a mixed blessing for online services, because a simple default browser setting can now lock out the use of tracking cookies that many consumers routinely approved under the old pop-up notices. As part of its opposition to these new rules, trade groups are painting a picture of slashed revenues, fewer free services and curbs on innovation for trends such as the Internet of Things (IoT).

A longstanding saying about online services is that “when something is free, you are the product,” and this new initiative is one of the more visible efforts for consumers to push back and take control of the use of their information. And Europe isn’t alone in this kind of initiative – for example, the new California Consumer Privacy Act, slated for the late 2018 ballot, will also require companies to provide clear opt-out instructions for consumers who do not wish their data to be shared or sold.

The future: more than just European privacy laws

So what does this mean for you and your business? No one can precisely foretell the future of these regulations and others, but the trend over time is clear: consumer privacy legislation will continue to get tighter and tighter. And the days of unfettered access to the personal data of your customers and prospects are increasingly coming to an end. This means that data quality standards will continue to loom larger than ever for businesses, ranging from stricter process controls to maintaining accurate consumer contact information.

We frankly have always seen this trend as an opportunity. As with GDPR, regulations such as these have sprung from past excesses that lie at the intersection of interruptive marketing, big data and the loss of consumer privacy. Consumers are tired of endless spam and corporations knowing their every move, and legislators are responding. But more important, we believe these moves will ultimately lead businesses to offer more value and authenticity to their customers in return for a marketing relationship.

Around the World with Data Privacy Laws

If you work with data, you have certainly heard by now about GDPR: the new European Union laws surrounding consumer data privacy that went into effect May 25, 2018. But how about PIPEDA, NDB, APPI, CCPA, and SHIELD?

These acronyms represent data privacy regulations in other countries (in these cases for Canada, Australia, Japan, California and New York respectively). Many are new or recently expanded, and all are examples of how your legal responsibilities to customers don’t stop with GDPR. More importantly, they represent an opportunity for you and your business to use data quality and 21st century marketing practices to differentiate yourself from your competition.

Data Protection and Privacy Laws Are Becoming Increasingly Popular

Let’s discuss some of these new regulations. According to authentication vendor Auth0, there is a wide range of reasons for their recent proliferation. First, the rollout of GDPR has implications for other countries, including whether their personal data can flow into the EU – meaning that their data quality and protection regulations must align sufficiently with EU rules to be “whitelisted” by them. New laws now being adopted by other countries address issues such as breach notification, the use of genetic and biometric data, and the rights of individuals to stop their data from being sold.

Moreover, data privacy and security doesn’t stop with Europe and GDPR. Other countries are now starting to explore the rights of consumers in this new era of online information gathering and big data. For example, Japan and other countries now have additional regulations surrounding the use of personal information codes to identify data records, and there is increasing scrutiny on personal data that is gathered through means such as social media.

Contact Data Plays a Key Role in Compliance

Now, let’s talk about your contact data. It often isn’t ready for global data regulations, through actions such as not gathering country information at the point of data entry, or having onerous location data entry requirements (like putting “United States” at the end of a long pull-down menu of countries) that encourage false responses. Worse, existing contact data often has serious information gaps or incorrect information, and it goes bad very quickly: for example, nearly 20% of phone numbers and 35% of email addresses change every year.

Finally, let’s talk about you. In the face of a growing list of data privacy and security regulations, your job isn’t just to become GDPR-compliant. It is to build and maintain a best-practices approach to data quality, which in turn keeps you up to date with both today’s consumer data laws and tomorrow’s.

Data Quality Best Practices Are a Competitive Differentiator

Taking a step back from this flood of new regulations, we would also suggest that an ideal goal isn’t just compliance – it is to leverage today’s data quality environment as a competitive opportunity. Why do these new laws exist? Because of consumer demand. People are tired of interruptive broad-brush marketing, invasive spam, and unwanted telemarketing. When you build your own marketing strategy around better targeting, curated customer relationships, and respect for the consumer, your focus can shift from avoiding penalties to growing your brand and market share faster.

We can help with both of these objectives. For starters, we now offer our Country Detective service, which can process up to 500 contact records and append correct countries to them to help guide your compliance efforts. And for the longer term we offer a free Global Data Assessment, where our team will consult with you at no charge about strategies for data quality in today’s new regulatory and market environment. Interested? Contact us to get the ball rolling, and take the next step in your global market growth.