Editor’s note: Kristina Podnar is a digital policy innovator and principal of NativeTrust Consulting, McLean, Va.
American engineer W. Edwards Deming once said, "Without data, you're just another person with an opinion." As a marketing researcher, that is your credo. But what happens when your core beliefs come head-to-head with data privacy regulations? About a year ago, the European Union’s General Data Protection Regulation (GDPR) came into effect. You may not have fully adjusted to those new realities, and yet here we are facing another wave of regulations, such as the California Consumer Privacy Act (CCPA), Brazil’s General Data Protection Law (LGPD) and a slew of proposed U.S. federal and state regulations. If your head is spinning just thinking about the terabytes of personal marketing data you collect and analyze, fear not. You can stay on the right side of the law with knowledge and adjustments to your practices. Here’s a cheat sheet on what every marketing research specialist and company ought to know.
Data privacy surges
Even before GDPR, there were data protection and localization regulations. You may not have been paying attention to these because they were not well publicized (Taiwan’s Personal Data Protection Law) or the fines were minimal (Russia fined Facebook $50). GDPR raised the money at stake (up to €20 million or 4 percent of a company’s global revenue) and is changing how we think about user privacy and how we treat the countless data sets floating around Google drives, intranets, e-mail and analytics tools.
To ensure you comply with the slew of new privacy regulations coming down the pike, you should define data privacy governance and assign accountabilities to ensure that data collection and management practices are sound. That is not a job for one person but rather one that involves executive leadership in the organization, and representatives from the following departments: legal, regulatory, compliance, information technology, security, marketing (including research) and procurement. Here is a list of stakeholder tasks:
- Review data privacy regulations and decide if they apply to the type of marketing research you are performing
- Assess whether individual representatives need to be named to comply with regulations (e.g., a data protection officer – possibly appointing a local representative if the organization has no EU presence)
- Consider alternatives to compliance, such as insurance in case of fines. And if they determine that it is best for the business to comply with the regulations, they ought to allocate resources (staff and money) to ensuring data privacy compliance
- Mandate that data regulations become part of the company’s data management program, including measurement and reporting on compliance
- Identify what data you collect, in which countries and whether that data leaves the original country
- Document roles, responsibilities and reporting lines to embed privacy compliance
- Schedule a privacy training and awareness program for workers
By doing the above, you will have addressed governance, accountability and data localization requirements that are vital components of all data privacy laws and regulations.
You don’t own (all) the data
At the risk of having you roll your eyes, repeat after me: "I am borrowing user data for market research. I do not own the data."
Now that we have that out of the way, let's make sure you understand that data privacy regulation comes down to being able to say yes to these two questions:
- Are you conducting marketing research with the user’s privacy in mind?
- Do you have the right or permission to collect and analyze a user’s data?
You don’t have to worry about capturing, analyzing and holding on to all user data. That is, not if it is anonymized or pseudonymized. Many data regulations require that you consider a user’s rights to own and make decisions around their data. That includes not collecting solely for business benefit or exporting it outside of the region or country of collection. If you are rolling up data, or if you sever the link between one particular person and the data (i.e., you know a user only by a generic identifier such as “123456789”), then you can freely take, store and use that data without additional permission or user consent – or worrying about data localization.
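The two techniques named above, severing the link between a person and a record and rolling data up, are easy to get wrong in practice. The following script is an added example written for this article, not code from the author or any product she names. It pseudonymizes constructed survey responses by replacing the e-mail and IP address with a keyed HMAC token, keeps the key apart from the data set, and then rolls the tokens up into per-country aggregates while suppressing any group too small to hide an individual. The field names, the `PSEUDONYM_KEY` handling and the minimum group size are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of raw survey responses (illustrative only).
# "email" and "ip" are the personal fields we must not keep in the research copy.
RAW_RESPONSES = [
    {"email": "ana@example.com",  "ip": "203.0.113.7",   "country": "DE", "rating": 4},
    {"email": "Ana@example.com",  "ip": "203.0.113.7",   "country": "DE", "rating": 5},
    {"email": "dirk@example.de",  "ip": "203.0.113.9",   "country": "DE", "rating": 3},
    {"email": "bo@example.org",   "ip": "198.51.100.12", "country": "BR", "rating": 2},
    {"email": "cy@example.net",   "ip": "192.0.2.44",    "country": "US", "rating": 3},
    {"email": "eve@example.net",  "ip": "192.0.2.45",    "country": "US", "rating": 1},
]

PERSONAL_FIELDS = ("email", "ip")


def new_pseudonym_key() -> bytes:
    """Generate the secret that links tokens back to people.

    Assumption: this key lives in the legal/compliance team's key store,
    never next to the research data set. Whoever holds it can re-link.
    """
    return secrets.token_bytes(32)


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace the personal fields with a keyed, deterministic token.

    A plain SHA-256 of an e-mail address can be reversed by hashing a list
    of guessed addresses, so the token is an HMAC under a secret key.
    The same person (case-insensitive e-mail) maps to the same token, which
    is what makes later roll-ups by respondent possible.
    """
    subject = record["email"].strip().lower().encode("utf-8")
    token = hmac.new(key, subject, hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in PERSONAL_FIELDS}
    out["respondent_id"] = token
    return out


def aggregate(records: list, min_respondents: int = 2) -> dict:
    """Roll pseudonymized records up by country.

    Groups with fewer than `min_respondents` distinct tokens are dropped,
    because a group of one is just that person's answer with a new label.
    """
    by_country: dict = {}
    for r in records:
        g = by_country.setdefault(r["country"], {"ids": set(), "ratings": []})
        g["ids"].add(r["respondent_id"])
        g["ratings"].append(r["rating"])
    return {
        c: {"respondents": len(g["ids"]),
            "avg_rating": sum(g["ratings"]) / len(g["ratings"])}
        for c, g in by_country.items()
        if len(g["ids"]) >= min_respondents
    }


def build_research_dataset(raw: list, key: bytes) -> tuple:
    """Return (pseudonymized records, aggregates) for the research team."""
    pseudo = [pseudonymize(r, key) for r in raw]
    return pseudo, aggregate(pseudo)


if __name__ == "__main__":
    key = new_pseudonym_key()
    pseudo, totals = build_research_dataset(RAW_RESPONSES, key)
    for row in pseudo:
        print(row)
    print(totals)
```

Note the split the example enforces: the pseudonymized rows are still linkable by anyone holding `PSEUDONYM_KEY`-style material, so they remain personal data for that key holder and must be governed as such; only the aggregated output, with small groups suppressed, approaches the "rolled up" data the article says can travel freely. Rotating the key produces an entirely new set of tokens, which is the practical way to sever the link once a study is complete.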
For marketing researchers who collect personal data (e.g., e-mail, name, unique IP address) or sensitive data (e.g., sexual orientation, religious/political affiliation), rigorous care should be taken around data collection and use. You ought to involve department representatives from marketing (and of course marketing research), communications and PR, legal, regulatory and compliance. These stakeholders ought to:
- confirm that data is being collected and analyzed for legitimate reasons and not merely collected to have in case it is needed;
- identify sensitive data and ensure it is processed and managed according to rules for sensitive data management (e.g., special encryption, vendor storage, etc.);
- validate that if it is not a reasonable user assumption that data will be used for marketing research purposes, you have captured consent and are authorized to process the data;
- define procedures and processes for users to withdraw data collection and use consent;
- update your notices so that users can understand in plain language what information you are collecting and how you will treat it;
- ensure users can obtain their data in an electronic format, request changes to the data you hold, or have it deleted upon request; and
- remove any automated decision-making processes (e.g., based on sexual orientation and location, automatically offer a unique product to audience A).
By addressing these key points, you will have ensured that legitimate use or user consent requirements have been met; that data collection and management practices are in alignment with regulations; and that you have sound data protection practices in place.

Lost data
Data privacy laws call for responsible data encryption but make provisions for when things go wrong. It can be a nuisance to plan for things that may never occur, especially when you have a pile of data research and reports requests on your desk. Bringing together representatives from legal, regulatory, compliance, security and information technology departments to pre-plan for the worst can save your sanity, not to mention your pocketbook if the worst happens. These departmental representatives ought to work together to:
- create (or review and update an existing) data breach policy and response plans (e.g., 72-hour authority notification, actions to mitigate loss, etc.);
- consider and obtain insurance for data breaches you may not be able to handle on your own; and
- incorporate data breach terms and requirements into all vendor and third-party contracts.
Consider the investment of time spent on developing a data loss plan to be a form of cheap insurance. For many, the simple act of planning for such a catastrophic event means that there is increased vigilance and possible prevention of any breach in the first place.
Back to work
These are not all of the regulatory requirements associated with data privacy laws. But they are the most critical aspects to ensuring that your marketing research data practices are appropriately aligned with existing laws and those yet to come. And that is something you can bank your data on!