
What happens when content design crashes into the General Data Protection Regulation (GDPR)?

 

What would it be like to produce content in a total data vacuum? Picture yourself working in a soundproofed, blacked-out box with a computer that can only send but never receive information. You have a brief to design some content, but you haven’t been given much information about your users. You’re going to have to rely on intuition and assumption about their needs, interests and behaviour. No matter – you’re a resourceful person, so you make the best of it and cobble together some best-guess content. It’s a relief to press send.

Off it goes into the ether and you’ll never have to think about it, the users or their needs again – because there won’t be any feedback. That includes all metrics, page views, click-throughs, bounces and everything else you’re used to for assessing whether your work is fulfilling its aims. It sounds like a recipe for awful content, doesn’t it? It must be – though of course you won’t get to know either way.

Data drives content

For content professionals, such a scenario in the real world is unthinkable. Content is driven by data and databases, from analytics to A/B testing. Data is the beating heart of how content designers think about user needs and what we do to deliver on them. It’s also the biggest weapon in our armoury when it comes to dealing with sceptical and obstructive forces in the organisations we work for.

And yet, the situation above isn’t just a thought exercise. Working in a data void – or at best with a seriously diminished data set – could well become a reality for many of us in a couple of years if we don’t take timely steps to stay compliant with imminent new data protection legislation, according to Hazel Southwell, Data Protection Consultant, speaking at a recent Content, Seriously meetup.

Ignore data protection at your peril

Content producers who ignore the new rules will be destined to launch their content into the void, she warned, like the Soviet scientists who shot Laika, a Moscow street dog, into space with scant means of monitoring her progress and no hope of her survival. The ill-fated dog died from overheating after only a couple of hours and the scientists learned next to nothing from the adventure. At least she got to be the first animal in orbit – which is far more than content producers can hope for in return for their doomed efforts.

Producing content without user research and analytics (both pre and post publication) makes it far more likely to be irrelevant to target audiences – and useless to our objectives. More than that, data is the trump card, the invincible ace of spades, in any argument about the direction that content should be taking.

How often does data come to our rescue when subject matter experts are blocking improvements to clarity and readability, or when managers are resistant to important content changes? They can’t argue with the data. Without data in the armoury, we’re fighting blindfold with both arms tied behind our back.

Say hello to the General Data Protection Regulation

On 25 May 2018, the EU General Data Protection Regulation (GDPR) will come into force, making sweeping changes to rules governing the way we collect, use and store data. It will have an impact on any organisation, whether based inside or outside the European Union, that processes the personal data of any resident of the EU or any EU citizen elsewhere.

Companies will no longer be able to sidestep data protection obligations because their head office is in the US, say, or their servers are in Vanuatu. If they’re dealing with the personal data of EU citizens then they must comply with the rules. So Brexit will not provide a way out for UK organisations either.

The UK currently has one of the toughest data regimes in the world in the Data Protection Act 1998, backed up by the enforcements of the Information Commissioner’s Office (ICO). But the GDPR knocks that into the shade, not least with sanctions that are designed to bring the global tech behemoths out in a cold sweat. Even the likes of Google and Facebook might think twice about transgressions, faced with fines totalling €20 million or 4% of worldwide annual turnover – whichever is greater.

Personal data will include photos, email addresses, bank details, social media posts, cookies and IP addresses – anything, in fact, that identifies you directly or indirectly in your private, professional or public life. And if you’re processing this data, whether you’re a multinational or working from your front room, whether you’re turning a profit or not, then you’ll need to comply.

It might be a shock for a humble WordPress blogger to find their use of tools such as Google Analytics (much of which is based on monitoring IP addresses) could fall foul of the law. And their difficulties will be compounded if they deal with personalised content tailored to their audiences – for example, if they use a formula whereby 2 users might see a different paragraph within a single page depending on their age. It seems the quest for making highly relevant content is to become even more tortuous.

So how do you comply with the GDPR?

You’ll have to get explicit consent for obtaining and keeping personal data, which must be given to you freely, rather than as a bargaining chip for accessing your services. You’ll need to ask for it in a clear and obvious way, not just imply you’re taking it and going ahead.

Having obtained consent fair and square you’ll have to store it, not only so the ICO can check you’re doing things right, but also so individuals concerned can see what you have on them. They should be able to transfer their data to other data controllers if they want – what’s being described as a new right of ‘data portability’.

Consent can be withdrawn as well as given, and you’ll have to erase data or correct inaccurate data if requested, or restrict processing data if you get an objection. If the data you’re keeping gets compromised through a security breach you may have to notify the relevant authority, the individual concerned or the public at large.

You’ll have to demonstrate that you’re complying with the GDPR, through policies and procedures, staff training, monitoring, documentation – and if your organisation is large enough, with the appointment of a designated data protection officer and appropriate records of your data processing activities.

Privacy will be prioritised by better design (privacy by design) and through more stringent default settings (privacy by default), and you’ll be encouraged to use data only when strictly necessary for your services.

Privacy fights back

If it sounds tough, that’s because it is. There are some obvious exemptions to the rules – such as for national security, defence, law enforcement, public services and health and so on – but it seems the EU has had enough of companies storing and selling huge quantities of personal information, our interests, health, social background, jobs, wealth, education and much more – information that has very likely been obtained in ways of which we were not wholly aware.

While we unwittingly surrender the details of our address books, calendars, emails and map co-ordinates to apps and companies that seem to have no call to know them, many of us are only dimly realising that our most private information is forming part of a vast global trade far beyond our control. Marketing giant Acxiom, for instance, is said to have stockpiled up to 3,000 separate nuggets of information on each of the 700 million people in its files.

In this context, the GDPR could be a welcome rebalancing in favour of the individual. Even so, EU member states still have some flexibility about how they implement many of the GDPR’s 99 Articles – not to mention the uncertainty of how a post-Brexit UK might slot into those arrangements.

There may also be ways to anonymise or ‘pseudonymise’ data so that it can be used without stepping on anyone’s toes, or to make the most of exemptions for statistical research that doesn’t rely on the identifying aspects of the data. The sweep of the legislation may be fixed, but the crispness of its final boundaries is still to be defined.

Respect privacy, improve content, win trust

However the cookie in your cache might crumble come May 2018, content strategists must start putting data protection much higher up the agenda now. Content professionals are creative people and will be able to conjure up inventive and unimposing ways for users to give consent about their personal data.

It’s in everyone’s interests that content is engaging and relevant, and it won’t take much for users to understand how important data is for the best in content creation. It will be even more important for content professionals to create the kind of compelling content that will make users care enough to click the consent button – in whatever form it takes – without a second thought.

Many thanks to Hazel Southwell for her contribution to the Content, Seriously meetup.

LinkedIn https://uk.linkedin.com/in/hazel-southwell-55781412

 
