The new era of privacy & data protection has changed the rules of engagement for businesses that use personal information as part of their marketing outreach program. Thanks mainly to the General Data Protection Regulation (GDPR) in the EU and UK, we have shifted from a “we own their data” mentality to a “they own their data and if we wish to use it to further our business we must be far more respectful” mentality. Yet there remain a few significant “blind spots” in the way businesses collect and use personal data.
The one we will unpack today is the concept of PURPOSE LIMITATION. It seems to continue to evade the changes in policies and procedures required under the GDPR and all other similar data protection & privacy laws. Article 5 of the GDPR states:
“Personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);”
So let’s take a closer look. The words “shall be” do not sound like a mild request to me. This is the law and violating it has severe penalties, risk to the brand aside. (See our recent blog post on the GDPR Enforcement Update.)
Next is “lawfulness, fairness and transparency”, which means when data is collected for a stated purpose, it is only to be used for that stated purpose.
I recently gave my cell phone number to Facebook so I could “easily recover account access should I lose my password”. Shortly after that I started receiving text notifications about what my friends are posting on Facebook. Clearly “lawful, fairness and transparency” is not alive and well at Facebook. And “purpose limitations” at Facebook appears to mean “whatever they want to do with your data so they can make more money”.
Well, it may take time, but these laws will change this kind of behaviour even if public opinion and brand reputation don’t. As I said in a recent update on the GDPR Enforcement, being bitten by a single dog hurts. Lots of bites in a short period of time can be fatal. Some people think the fines are simply a nuisance – a “cost of doing business” – for many of these multi-billion-dollar companies, but they will add up if they continue to ignore the laws and fail to change their data processing practices.
Not long ago, I was a fan of Facebook. I liked…