

Data privacy and personalization: what do consumers really care about?
This article was a great read. It resonates with me on multiple levels. It showcases the subtle, yet critical, balance that businesses must strike between respecting consumer data privacy and providing personalized experiences—a task that is complex, but ultimately rewarding.
One point the article makes clear is that the perception of data privacy is more nuanced than one might think. This is mirrored in the Data and Marketing Association (DMA) survey results showing a decline from 84% in 2012 to 69% in 2022 in consumers who express high concern about data privacy. This finding should not be interpreted as an invitation to relax data privacy measures, but rather as an indicator of evolving consumer attitudes. The rise of 'data unconcerned' and 'data pragmatists', as outlined by the DMA, signifies a growing trust in regulation, but it also points to an increasing willingness to exchange personal data for perceived benefits.
The article also notes a significant shift towards selective sharing, underscoring the importance of trust and transparency for brands. This is a poignant reminder for data protection professionals. We need to continue educating consumers about their rights under laws like the GDPR, while also working with businesses to ensure they clearly communicate how customer data is utilized. As we know, these steps are key to building that all-important trust and demonstrating the value exchange that's essential for data sharing.
However, it's also critical to remember, as the article suggests, that privacy surveys might not tell the entire story. What’s particularly interesting is the contrast between consumers' professed concern about privacy and their actual behavior, like the 60% who routinely accept all cookies without adjusting their settings. It’s a reminder that our work is cut out for us, in terms of helping consumers truly understand the implications of their choices.
Finally, the article discusses the immense value of first-party data for personalizing offers and improving customer experiences. It emphasizes the need for data-driven customer strategies, backed by robust insights and analytics. This is a valuable reminder that our role isn't to thwart these efforts, but rather to guide organizations in doing so responsibly, respecting both legal obligations and customer trust.
The crux of the matter is this: a balance must be achieved between privacy concerns and personalization needs. The fact that successful personalization can lead to 40% better outcomes, as cited in the McKinsey research, makes this a goal worth striving for. For data protection officers, this means maintaining vigilance and agility, guiding companies to navigate the sometimes murky waters of data privacy, and working to ensure that business ambitions align with consumer expectations and rights.
MWC’s organizer slapped with GDPR fine over biometrics
I come to you today with a cautionary tale, something that underscores the profound importance of our role in the digital age. Just recently, Mobile World Congress (MWC), an annual event organized by GSMA in Barcelona, was fined €200,000 by Spain's data protection watchdog for a lack of due diligence over data protection risks concerning biometric data collection.
At the heart of this episode lies the collection of attendees' biometric data for a facial recognition system called BREEZZ, implemented at MWC's 2021 edition. MWC provided an option for attendees to use this automated identity verification system to access the venue instead of conventional ID checks. With the pandemic ongoing at that time, perhaps it seemed like a practical solution to balance health and security concerns.
However, the Agencia Española de Protección de Datos (AEPD) concluded that this approach violated Article 35 of the General Data Protection Regulation (GDPR), which outlines the need for a robust Data Protection Impact Assessment (DPIA) when processing high-risk personal data, such as biometric information. The AEPD characterized GSMA’s DPIA as “merely nominal”, stating it didn't assess the "substantive aspects" of the data processing nor the risks involved.
The GDPR's emphasis on necessity, proportionality, and adequate risk assessment in data processing is indeed a cornerstone of data privacy. This incident serves as a crucial reminder for us that in our pursuit of innovative solutions, privacy concerns should never be a secondary thought. The AEPD’s resolution is a testament to the importance of performing robust DPIAs, providing an effective means to identify and minimize the data protection risks of a project.
I cannot help but wonder about the future implications of this case. The upcoming EU AI Act, which aims to regulate AI applications based on risk, might further complicate the usage of facial recognition systems. With the increasing scrutiny on automated verification systems, will organizations like GSMA rethink their approach?
In the aftermath of the AEPD decision, GSMA maintained that there was no breach of data or misuse, with the resolution relating only to their DPIA approach. They emphasized their seriousness about data protection and commitment to review and improve their approach continually. Will this be a wake-up call for the GSMA and similar organizations, catalyzing changes in their data privacy protocols? Only time will tell.
Other data privacy news
MarTech’s guide to GDPR: The General Data Protection Regulation
Five years on from GDPR's debut, and with procedural changes afoot, here's an updated guide to the seminal data privacy regulation.
Warnings over NHS data privacy after ‘stalker’ doctor shares woman’s records
Exclusive: Victim speaks of feeling violated by hospital doctor incident that expert says is evidence of ‘systemic’ flaw in England
17 Tech Experts Share Best Practices For Managing Customer Data
A proactive approach to securing sensitive customer data is key for businesses if they’re to remain in compliance with regulations and maintain customers’ trust. Read on for 17 best practices for secure data collection and storage shared by members of Forbes Technology Council.
Records Of Processing Activities: A Key GDPR Compliance Requirement
One of the key requirements of the GDPR is to keep records of processing activities (RoPA). In this article, we will explain what records of processing activities are, why they are essential, and what you should do to comply with this requirement.