The hottest job right now may be the new Data Protection Officer role required by the European Union’s GDPR legislation that takes effect in May.
In this Rethink Marketing Podcast, Act-On CMO Michelle Huff interviews David Fowler about the new role and what companies need to know. Fowler is Act-On’s head of digital compliance.
The General Data Protection Regulation, or GDPR, is a massive piece of legislation and applies to the EU’s 510 million citizens, as well as any business doing business with them, regardless of where they are based. Among the many requirements is the new position of the Data Protection Officer.
This transcript has been edited for length. To get the full measure, listen to the podcast.
Michelle Huff: Can you remind us what is GDPR? And why do we need to know and prepare for it?
David Fowler: The GDPR, or the general data protection regulation, is the upcoming rewrite of the digital laws within the European Union. It’s the largest piece of legislation in the last 20 years. If you think about our market where we were 20 years ago and where we are today, the digital channel has certainly transformed itself in relationship to user data, data rights, individual access, etc. It’s a very large undertaking in terms of being rolled out within the European Union. And it’s a very heavy piece of legislation.
Michelle: We’re all preparing for GDPR, it’s top of mind for me here in marketing. But it’s a special use case since other marketers leverage marketing automation oftentimes to send out emails, and they need to comply using their practices and tools. So, can you update us on how Act-On is faring in its preparations?
David: The law doesn’t go into effect until May of 2018. There’s a lot of things that we, as a company, have to be looking at, and you as a customer have to be looking at, in terms of your responsibilities under GDPR.
And a lot depends on which side of that fence you fall on, whether you’re the data controller or the data processor. And in our case, in Act-On, we are both. We serve as a processor of our customers’ data, and also as a controller of your data should we be marketing to you. We have a double whammy, so to speak, as it relates to our obligations.
About a year ago we undertook a third-party assessment of our preparedness for GDPR through a company called Truste, which is the organization that certifies our website and our privacy principles. From that document we then put together a sort of working plan in terms of what we need to start looking at to get our ship in order for the GDPR.
We are probably between second and third base right now as it relates to where we are as an organization. But it’s really very complex. Because how things are interpreted by our customers could be completely different than how we look at things ourselves. I’m very confident that come May of next year when GDPR kicks in on May 26th, we’ll be good to go.
Michelle: It seems so far away, yet so close. One of GDPR’s requirements is that every company have this role of the data protection officer. Can you tell us more about this role, and how should people be thinking about its responsibilities?
David: The data protection officer is a new concept within the European Union, meaning you must have on staff an employee that does nothing but be responsible for your ongoing obligations under the GDPR.
Even though they’re on your payroll, they report back to the data protection authority within the country where you may reside. You could see right out of the gate there could be some interesting tenets of reporting hierarchy. But the point being is they are an extension of the data protection authority within your organization.
They have a responsibility to ensure that you as an organization are meeting your GDPR preparedness, meeting your obligations under the law, and on your ongoing preparations as it relates to just anything that may pop up. Essentially, they are an extension of the data protection authority within the country that you’re in, but reporting to you at the C level.
Michelle: Is that only for those companies that have EU headquarters? Or is it for those who are doing business in the EU? What companies are really impacted and really starting to have to hire for this role?
David: That’s a good question. The hottest job right now in the European Union is the data protection officer. If you do a Google search, you’ll get numerous hits. But the point being is that the GDPR law is applied to any company that has European citizens within their database. So regardless of where you are on the planet, if you are marketing to European citizens, and you are a certain size, or a certain vertical, then you’re required to have a DPO on staff. In the case of Act-On, because we have a very large chunk of our customers in Europe, and we exceed 250 employees, then we will be required to nominate a data protection officer before May of next year.
Michelle: That’s interesting. Can that person reside anywhere in the world? Or do they have to reside in the EU?
David: It depends. It’s funny because I was just at the GDPR meeting last week in Brussels. And that example was at one of the sessions I sat in, where you had a multinational company within multiple countries within the European Union. And it was a very complex answer to a very complex question. The net/net is you should have one. Where that person actually sits, physically sits, I think is one of those things that will be determined based on how it’s managed moving forward once it’s rolled out. As most of these things do, they end up going back to legal teams for an opinion.
Michelle: Why is it needed?
David: Essentially, it’s sort of the ombudsperson, in terms of best practice adoption at the end of the day. Because out of the 99 articles in the GDPR and the 173 recitals, that’s a lot of heavy lifting as it relates to how you operate your digital business or your marketing business regardless of the law itself. I think it’s more of sort of a stopgap solution to ensure that you or anybody who’s required to follow GDPR is following it. And it’s one of those roles I think that will be matured over time. It sounds great in concept, but the reality is when it kicks off, we’ll see how that works.
So being able to manage through GDPR and certainly manage the requirements of GDPR is a massive undertaking. And it’s not necessarily just a business role. This role is really intended to be a very highly technically-oriented type person. So, you think about chief privacy officer. This person is gonna be more technically inclined, as well as business process inclined. They’re going to be able to talk the technical chops, as well as the business chops at the same time.
Michelle: How can someone think about this on the brighter side, making lemonade out of lemons? How do you think companies and marketers could really think about this DPO positively instead of thinking of it as a burden, or just a requirement that we have to adhere to?
David: I think it’s one of those things where you leverage the experience of the individual. The GDPR is a massive piece of legislation. And there’s nobody out there that can say, I fully understand. And this person’s going to be able to help facilitate the understanding of the GDPR within your organization. I see that as a benefit, not as a negative. Because you might find ways to do things better and more efficiently. And you might be able to find more sources of revenue, being able to leverage the experience of that individual in your future product marketing developments or product developments.
If we’re having the same conversation five years from now, while we have three or four years under our belt of this particular individual functioning within the company, I think you’ll find it’s gonna be much more fruitful than painful.
But there will be some initial bumps in the road like there always are when things go live. But I think ultimately leveraging that knowledge base is certainly something that is an advantage. And I see that person definitely joined at the hip with the marketing organization because everything begins when a customer is engaged as it relates to revenue and engagement. If I was a marketer, CMO of an organization, I’d be joined at the hip with that person because I think that’s got nothing but benefit to the overall function of that group of the organization.
Michelle: Where can people learn more? Or are there things outside of Act-On that people should really go to and learn more?
David: It depends where you are physically. Some countries are far ahead of others in terms of communicating GDPR notification. We have our GDPR hub, which is up and running now on our website. We’ll be posting a lot more information there as we get closer to the day. But every country is responsible for rolling this out. You’re going to see after the holidays a massive promotional push from the European Union in terms of getting ready for GDPR.
And feel free to reach out to us at firstname.lastname@example.org. That email will come directly to me. And I’m more than happy to steer you in the right direction.
Michelle: Thanks, David. Always insightful. It’s great being able to just talk through it.
David: Thank you. Good luck, everyone.