GDPR Is Not Enough. A More Active Role Needs to Be Taken Regarding Privacy

Passivity is equal to negligence with consumer data

Companies need to take privacy further than what GDPR will do.
Getty Images

GDPR is almost here, ushering in a new era of compliance around how personal data is collected, shared and used by brands and marketers. But GDPR is not enough. Brands must do more to ensure consumers feel their

data is protected, because without consumer trust, the promise of personalization and digital marketing falls apart.

For too long, the tech companies that work with brands have had a “don’t ask, don’t tell” policy when it comes to the data being collected by brands and shared with them for the purposes of analytics, attribution, A/B testing, optimization, campaign targeting and more. This hands-off approach to protecting user privacy needs to change. Tech companies must have tough conversations and weigh the costs to support data privacy with the economic losses the entire industry (brands included) incurs when we turn a blind eye.

Tech companies need to take a long, hard look in the mirror and reassess their systems, principles, processes and people. It’s time for companies—especially those that interact with consumer data but do not have direct relationships with consumers—to shape up (or ship out in some cases.)

The onus of the work to shore up consumer trust is on us, the marketing technology industry, and not just brands and advertisers.

These firms have typically approached user data privacy by adhering to industry standard controls and policies. Truthfully, they’ve left the application of privacy protections up to their customers and passed the hot potato, so to speak. In a time where we were handling no sensitive or PII data, doing the minimum to protect the data may have been sufficient. But as the world shifts to much broader definitions of personal data, which not only includes names, emails and location but also other more sensitive forms of personally identifiable or protected health data, doing the bare minimum today is, in my opinion, negligent.

This passive and unassertive mindset must change. GDPR is a good start but it’s not enough. Mar tech companies today face a choice: to either defer all privacy management to their customers and blindly trust they are doing it right or take a more active role as a partner with our customers to ensure privacy rights are respected.

My choice is the latter, but it’s the riskier one. I believe that any company that touches user data now must play an active—in fact, a proactive role—to safeguard both their customers’ data and their end-users’ privacy rights.

How should companies approach this? It’s a question not only of self-regulation but also a change of mindset and processes. Rather than taking a backseat, let’s become “privacy consiglieres” for brands and marketers. It’s a moniker that may sound fancy but implies a trusted advisor status in which mar tech firms provide guidance to brands and marketers, conducting privacy audits and cross-checks and flagging and remediating potential issues before they can become incidents.

I believe the onus of the work to shore up consumer trust is on us, the marketing technology industry, and not just brands and advertisers. We need to wrestle with these complexities, solve the problem collaboratively or else jeopardize the promise of digital marketing and personalized experiences.

My message to brands and marketers is this: When selecting the tech firms you plan to work with, ask them to prove how committed they are to your customers’ privacy. Will they leave the heavy lifting to you? Bottom line: If they are not part of the solution then they are, in fact, the problem.

Pope John Paul II said that freedom consists not in doing what we like, but in having the right to do what we ought. Sometimes we need to look at the past to recast our future. Progress has risk, but I believe this is the right path.