Global Business: The Basics of Data Protection and Data Privacy
I have been involved with cloud computing from its earliest days in 2000, long before the terms cloud, SaaS, PaaS etc., came into being. Most prospects for cloud solutions over that time have been rightly concerned with the issue of Data Protection and Data Privacy, both in terms of their responsibilities for customers’ data and the overall protection of their brand.
Even though today there is a greater acceptance of cloud solutions for many software categories, such as Marketing Automation, CRM, ERP and HRM, there is still a lot of confusion. This is compounded by poor advice given to new users on how to ensure that their brand is protected, irrespective of what information–leads, contacts and personal data–they capture and how they process that data as part of normal business operations.
The starting point should be to understand some of the basics and their implications for the business. Data Protection Law generally classifies the following important categories that I refer to in this blog.
- Data Subject: This is the person whose data is stored on systems as a result of filling in online forms or opting in to emails etc. They give their personal data to allow companies to market/sell to them.
- Data Controller: This is a person/organization that collects data from Data Subjects through websites, emails, lists etc.
- Data Processor: This is a company that processes and manages data from data controllers. They provide the necessary software and/or hardware to deliver a service to the controller.
A company that collects and uses data of individuals in a B2B or B2C environment is a data controller. A data controller has obligations under local laws to protect the privacy of the data they collect. These obligations can vary from region to region, but it is accepted that the European Union has the most stringent data regulations. The obligations can also vary depending on the nature of the data being captured–so a pharmaceutical company collecting personal medical data, for example, may have more stringent requirements than, say, a manufacturing company gathering contacts for a normal B2B relationship.
What is more often misunderstood by Data Controllers is that their core obligations to protect the privacy of their customers’, prospects’, or leads’ data are the same whether they store that data in a ‘shoe box’, on their own servers or using the servers or services of a third party.
Most prospects of any company that are concerned about privacy want the data controller to tell them in clear language how their personal data is going to be managed. The most important words here are trust and transparency. Trust cannot be assumed, it is earned. A data controller earns and builds trust through complete transparency.
Transparency starts with local legal compliance. The next step is publishing adherence to those laws and regulations in a privacy statement outlining what types of data will be stored and how that data will be managed. A Data Controller must check with a local Data Protection Commissioner what the registration requirements for their legal entity are.
For example, Marketo EMEA Ltd is headquartered in Ireland and therefore is registered as a Data Controller and a Data Processor (more on that term later) with the Irish Data Protection Commissioner. This ensures that all of our leads and prospects can be comfortable that Marketo EMEA Ltd (as an Irish company) is adhering to local and EU law. Our parent company Marketo Inc is also registered for US Safe Harbor. In EU Law, the Data Controller must also notify their prospects and customers if their personal data is going to be transferred outside of the EU, irrespective of whether it is on their own servers or managed by a third party such as a SaaS vendor.
If your company has a website operating in Europe, then your privacy statement should also specify the types of Cookies your website uses and the nature of the data captured throughout a prospect’s journey on that website. This is a key prerequisite of the European Cookie Law, but is also another example of best-in-class transparency. A Data Controller should audit their website on a regular basis to ensure that the site contains only approved Cookies, and that those on the site are for the benefit of the Controller and not any third party. When a prospect first visits your European site, you will need a Cookie notification seeking either an implied or explicit consent of that visitor to track their journey.
After an initial scare and subsequent overreaction to the EU Cookie Law, it now looks as if both website operators and visitors are taking Cookies and the Law in their stride.
In addition to managing website interactions, a Data Controller needs to have policies in place to ensure that the other channels of their marketing strategy comply with data privacy law. Examples of the areas that should be considered are:
- Opt-in/Opt-Out policies for Email & Lists
- Unsubscribe processes for Email
- Social media, disclosure and ethics
- SMS Text STOP compliance
- Telephone calling and call recording procedures
When selecting a supplier to deliver a solution that’s in the cloud, the Data Controller is required by EU law to ensure that the selected vendor has the appropriate technology infrastructure and business processes in place to ensure that the personal data of the Controller’s subjects are managed appropriately with respect to best practice and the relevant regional laws.
As I mentioned earlier, Marketo EMEA Ltd is registered as a Data Controller and a Data Processor with the Irish Data Protection Commissioner. Companies similar to ours provide solutions as services to our customers over the Internet. These solutions are often referred to as Software-as-a-Service (SaaS). The commercial agreement between the supplier and customer of these SaaS offerings will contain clauses that guide the legal relationship between the Data Processor and the Data Controller.
- The Data Controller at all times owns the data submitted to the system
- The Data Processor will not edit, delete or view the subject data without the explicit permission of the Controller
- The Data Processor will not pass the data onto a third party
- The Data Processor will have the appropriate technology in place to protect the data
- At the end of the contract the Data Processor will remove all of the data they have managed for the Data Controller
- The Data Processor will not transfer the data outside of the EU, without the express permission of the Data Controller
- The Data Processor may use aggregate statistical data of all of its customers to ensure that the delivery of the service is optimised for everyone’s benefit
Some countries such as Germany require that the Data Processor agreement be signed in addition to the commercial terms to ensure that the Data Controller is compliant with German law. Any SaaS vendor that wants to operate in Germany should have a German Data Processor Agreement ready for their clients in advance.
A Data Processor should hold themselves to an even higher standard than that of most Data Controllers. In addition to implementing all of the above best practices, the Data Processor should also publish detail on their own service performance. This level of transparency is key to building the customer trust that I spoke of at the start of this blog. Marketo achieves this with our trust.marketo.com site.
Understanding these basics is just the starting point of course. Implementing and managing your data protection policies on an ongoing basis is where the real work is.