The European Union’s General Data Protection Regulation, or GDPR, isn’t the compliance nightmare most companies are making it out to be. This negative view of GDPR compliance stems from the fact that penalties for non-compliance are severe, many companies (including many industry leaders) have a business model that effectively requires the use and sale of personal data to stay afloat, and we generally don’t like it when Europeans tell us Americans what to do.
However, this negative view is all wrong because we absolutely should have control over our data, and the public, along with European lawmakers, aren’t asking companies to do anything terribly drastic to substantially improve the balance between our privacy rights and the use of our personal data for business or public service purposes.
At the most basic level, GDPR compliance asks companies to become aware of the importance of any personal data it collects or processes, and then to treat it with some tender loving care.
To implement this principle, GDPR regulations set forth a “bill of privacy rights” that includes the right to:
- be informed about the collection and use of personal data
- access personal data
- rectify incorrect data or complete an incomplete data set
- be forgotten (i.e. erase personal data)
- restrict or suppress processing of data
- obtain and reuse data, portably, across multiple services
- object to processing data for certain purposes like email marketing
- be protected against improper automated decision-making that uses personal data
To help make this conversation more tangible and put these rights in context, let’s for a moment imagine that your phone number is a piece of personal data (it is, by the way) that may be held by an internet retailer that processes your data.
At this moment, we already have laws in place that allow us to protect our phone number, or take it with us if we switch service providers, just like the GDPR requirements, and we’ve had these laws for many years already! So if a phone number is important enough to protect, so should our address and email address, let alone even more personal information like our health records. As organizations scramble to comply with GDPR regulations, CA regulations, TX regulations, and GDPR-adjacent American laws such as HIPAA protections, we encourage companies to be thoughtful, transparent, and committed to the principles behind these laws, as much as the laws themselves. In taking that approach, an abstract and mystifying compliance landscape that isn’t even official until the end of this month will become more approachable.
To us, the proper approach to data security compliance is to treat it like a routine practice, grounded in self-awareness of what our organization is doing, and constantly evaluating our position and working to improve upon it, much like a yoga practice or achieving a better golf score. It is this pursuit of doing the right thing that sets us off in a positive direction for compliance and helps us avoid chasing waterfalls.
No, Abraxas isn’t a European company, no we don’t want your number (unless you give it to us so we can contact you), and no, we don’t collect data that is readily used to identify any of you or any individual human being, and it would be possible for us to argue that these laws don’t even apply to us, but ultimately why argue when we agree with the concept that your data belongs to you, and that you should have the ability to make your wishes known regarding how your data is used.
These are principles already woven into the fabric of our legal system and our society, and we wish to embrace these principles, not hide from them! For example, from a privacy law standpoint, we recognize that who we are, and the data surrounding who are already enjoys substantial legal protection, especially when that data is stored or transmitted by computers. Also, from an intellectual property standpoint, we can find a nice analogy from the world of copyright law, where it is well-settled that facts are not copyrightable.
So, how exactly do we incorporate all of this into our business? Simple:
- We practice what we preach. We seek to provide a comprehensive and insightful set of user-facing legal documents that explains what data we collect, how we use it, and what rights you have in relation to any data we may have.
- We only collect what we need, nothing more. Data collection is not supposed to be an excuse to rummage through your photos and contact list, it is supposed to be a precision-guided process where care is taken to be mindful of privacy concerns and only collecting the data needed to achieve our business goals of providing OOH advertisers with insights regarding impressions, dwell time, and conversions, three of the most important metrics for any advertisement.
- Through our creation of these metrics for OOH advertising, we are providing an oasis for advertisers thirsty for a real choice in advertising that delivers the insights of online advertising, without the drawbacks of privacy invasions or ad creep.
If you have any questions about GDPR and data privacy please do not hesitate to contact us at JLawton@abraxastechnology.com.
Brad Gold is the Data Privacy Officer at Abraxas Technology
Follow us on Twitter @Abraxas_Tech